Pivotal Knowledge Base

Unable to access Pivotal Cloud Foundry logs in AWS

Environment

Product: Pivotal Cloud Foundry® (PCF)
Version: 1.5.x, 1.6.x and 1.7.x
IaaS: AWS

Purpose 

The following issue arises when trying to access the PCF logs via the CF CLI utility in AWS environments:

Error dialing traffic controller server: websocket: bad handshake

This article explains how to alleviate this issue when accessing PCF logs via the CF CLI.

Cause 

When running "cf logs", you are connecting to the application logging subsystem called Loggregator. The error shown above occurs when this connection fails.

Background

The Loggregator is responsible for streaming logs and metrics from all user apps and system components in Elastic Runtime.

These logs are made available via Doppler, the Loggregator's primary transport mechanism. Logs are streamed from the Loggregator's traffic controller over the secure WebSocket protocol (WSS).

Procedure

To see what your Doppler logging endpoint is currently set to, run the following command:

$ cf curl /v2/info | jq .doppler_logging_endpoint
 wss://doppler.192.0.2.34.xip.io:4443

By default, in AWS the Loggregator is listening on TCP port 4443. In order to connect to this port and retrieve logs, you will need to allow the ingress of traffic on TCP port 4443 to your PCF environment.

In the EC2 Dashboard, select Security Groups and check whether the security group PCF_ELB_SecurityGroup exists and has the inbound rule from step 4 below in place. If it does not, log into your AWS console and add the security group as follows:

  1. On the EC2 Dashboard, select Security Groups > Create Security Group.
  2. Enter a security group name and description: PCF_ELB_SecurityGroup.
  3. Select the VPC to which to deploy the ELB.
  4. Click the Inbound tab and add rules to allow traffic to port 4443 from 0.0.0.0/0.

This allows you to connect to Loggregator via the WebSocket Protocol, which provides access to the logs.
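The check in this procedure can be scripted. The following is an added example, not Pivotal's own tooling: it takes the `/v2/info` response and a security group description in the JSON shape printed by `aws ec2 describe-security-groups`, and reports whether the Doppler port is blocked, open to 0.0.0.0/0, or restricted. The sample inputs are constructed, the function names are hypothetical, and only IPv4 CIDR sources (`IpRanges`) are evaluated.

```python
import json
from urllib.parse import urlsplit

# Constructed sample inputs (not from a real deployment): the /v2/info body and
# a security group in the JSON shape of `aws ec2 describe-security-groups`.
CF_INFO = '{"doppler_logging_endpoint": "wss://doppler.192.0.2.34.xip.io:4443"}'
SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupName": "PCF_ELB_SecurityGroup",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]})


def doppler_port(info_json):
    """TCP port of doppler_logging_endpoint (scheme default if none is given)."""
    url = urlsplit(json.loads(info_json)["doppler_logging_endpoint"])
    if url.scheme not in ("ws", "wss"):
        raise ValueError("unexpected scheme: %r" % url.scheme)
    return url.port or (443 if url.scheme == "wss" else 80)


def ingress_sources(sg_json, group_name, port):
    """IPv4 CIDRs allowed to reach `port` over TCP in the named group."""
    cidrs = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        if group.get("GroupName") != group_name:
            continue
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # "-1" means all protocols and ports; otherwise match the TCP range.
            if proto == "-1" or (proto == "tcp" and
                                 perm["FromPort"] <= port <= perm["ToPort"]):
                cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
    return cidrs


def diagnose(info_json, sg_json, group_name="PCF_ELB_SecurityGroup"):
    """Classify the group's ingress for the Doppler port."""
    port = doppler_port(info_json)
    cidrs = ingress_sources(sg_json, group_name, port)
    if not cidrs:
        return "BLOCKED: no inbound TCP %d rule in %s" % (port, group_name)
    if "0.0.0.0/0" in cidrs:
        return "OPEN-TO-ALL: TCP %d allowed from 0.0.0.0/0" % port
    return "RESTRICTED: TCP %d allowed from %s" % (port, ", ".join(cidrs))


if __name__ == "__main__":
    print(diagnose(CF_INFO, SG_JSON))
```

A BLOCKED result matches the condition this article addresses: the group allows other ports but not the one the Doppler endpoint advertises.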

Additional Information 

Security Groups: You can change the 0.0.0.0/0 to be more restrictive if you want finer control over what can reach the Elastic Runtime. This security group governs external access to the Elastic Runtime from applications such as the CF CLI and application URLs. 

Loggregator: The Loggregator port can be set via the Elastic Runtime Tile under the Networking tab.  
