Fluentd is an open source data collector and a great option because of its flexibility. This implementation uses a Fluentd DaemonSet to collect Kubernetes logs and send them to Logz.io. The Kubernetes DaemonSet ensures that some or all nodes run a copy of a pod.
The image used in this integration comes pre-configured for Fluentd to gather all logs from the Kubernetes node environment and append the proper metadata to the logs. If you prefer to customize your Fluentd configuration, you can edit it before it’s deployed.
The latest version pulls the image from logzio/logzio-fluentd. Previous versions pulled the image from logzio/logzio-k8s.
Fluentd will fetch all existing logs, as it is not able to ignore older logs.
For troubleshooting this solution, see our user guide.
Sending logs from nodes with taints
If you want to ship logs from any of the nodes that have a taint, make sure that the taint key values are listed in your in your daemonset/deployment configuration as follows:
tolerations:
- key:
operator:
value:
effect:
To determine if a node uses taints as well as to display the taint keys, run:
kubectl get nodes -o json | jq ".items[]|{name:.metadata.name, taints:.spec.taints}"
You need to use Helm client with version v3.9.0 or above.
K8S version compatibility
-
K8S 1.16 or earlier - If you’re running K8S 1.16 or earlier, you may need to manually change the API version in your DaemonSet to
apiVersion: rbac.authorization.k8s.io/v1beta1.The API versions of
ClusterRoleandClusterRoleBindingare found inlogzio-daemonset-rbac.yamlandlogzio-daemonset-containerd.yaml.If you are running K8S 1.17 or later, the DaemonSet is set to use
apiVersion: rbac.authorization.k8s.io/v1by default. No change is needed.
Multiline logs
Fluentd’s basic configuration may cause longer, multiline logs to split into multiple logs - 1 log per line. You can use the Fluentd multiline parser plugin to control this behavior.
See the next tab for details about using the Fluentd multiline parser plugin.
For most environments, deploying logzio-k8s with the default configuration is recommended. If your environment requires a custom configuration, follow the steps for deploying a custom configuration.
To deploy logzio-k8s
Create a monitoring namespace
Your DaemonSet will be deployed under the namespace monitoring.
kubectl create namespace monitoring
Store your Logz.io credentials
Save your Logz.io shipping credentials as a Kubernetes secret.
kubectl create secret generic logzio-logs-secret \
--from-literal=logzio-log-shipping-token='<<LOG-SHIPPING-TOKEN>>' \
--from-literal=logzio-log-listener='https://<<LISTENER-HOST>>:8071' \
-n monitoring
Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):
-
Replace
<<LOG-SHIPPING-TOKEN>>with the token of the account you want to ship to. -
Replace
<<LISTENER-HOST>>with the host for your region. For example,listener.logz.ioif your account is hosted on AWS US East, orlistener-nl.logz.ioif hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
Deploy the DaemonSet
Run:
kubectl apply -f https://raw.githubusercontent.com/logzio/logzio-k8s/master/logzio-daemonset-containerd.yaml -f https://raw.githubusercontent.com/logzio/logzio-k8s/master/configmap.yaml
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards.
If you still don’t see your logs, see Kubernetes log shipping troubleshooting.
You can customize the configuration of your Fluentd container by editing either your DaemonSet or your Configmap.
To deploy logzio-k8s
Create a monitoring namespace
Your DaemonSet will be deployed under the namespace monitoring.
kubectl create namespace monitoring
Store your Logz.io credentials
Save your Logz.io shipping credentials as a Kubernetes secret.
kubectl create secret generic logzio-logs-secret \
--from-literal=logzio-log-shipping-token='<<LOG-SHIPPING-TOKEN>>' \
--from-literal=logzio-log-listener='https://<<LISTENER-HOST>>:8071' \
-n monitoring
Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):
-
Replace
<<LOG-SHIPPING-TOKEN>>with the token of the account you want to ship to. -
Replace
<<LISTENER-HOST>>with the host for your region. For example,listener.logz.ioif your account is hosted on AWS US East, orlistener-nl.logz.ioif hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
Configure Fluentd
Download Logz.io’s Containerd DaemonSet and open it in your text editor to edit it.
If you wish to make advanced changes in your Fluentd configuration, you can download and edit the configmap yaml file.
Environment variables
The following environment variables can be edited directly from the DaemonSet without editing the Configmap.
| Parameter | Description | Default |
|---|---|---|
| output_include_time | To append a timestamp to your logs when they’re processed, true. Otherwise, false. |
true |
| buffer_type | Specifies which plugin to use as the backend | file |
| buffer_path | Path of the buffer | /var/log/Fluentd-buffers/stackdriver.buffer |
| buffer_queue_full_action | Controls the behavior when the queue becomes full | block |
| buffer_chunk_limit | Maximum size of a chunk allowed. | 2M |
| buffer_queue_limit | Maximum length of the output queue. | 6 |
| flush_interval | Interval, in seconds, to wait before invoking the next buffer flush. | 5s |
| max_retry_wait | Maximum interval, in seconds, to wait between retries. | 30s |
| num_threads | Number of threads to flush the buffer. | 2 |
| INCLUDE_NAMESPACE | Sends logs from all namespaces by default. To send logs from specific k8s namespaces, specify them in the following format, space delimited: kubernetes.var.log.containers.**_<<NAMESPACE-TO-INCLUDE>>_** kubernetes.var.log.containers.**_<<ANOTHER-NAMESPACE>>_**. |
"" |
| KUBERNETES_VERIFY_SSL | Enable to validate SSL certificates. | true |
| FLUENT_FILTER_KUBERNETES_URL | URL to the API server. This parameter isn’t part of the default Daemonset. You can set it to retrieve additional Kubernetes metadata for logs from the Kubernetes API server. | null |
| AUDIT_LOG_FORMAT | The format of your audit logs. If your audit logs are in json format, set to audit-json. |
audit |
| CRI | The CRI of the cluster. In logzio-daemonset & logzio-daemonset-rbac is set to docker, and in logzio-daemonset-containerd is set to containerd. The configmap uses this var to determin which includes it needs to make for the fluent.conf file, when configuration needs to be adjusted by the CRI. |
Deploy the DaemonSet
Run:
kubectl apply -f path/logzio-daemonset-containerd.yaml -f path/configmap.yaml
Replace path with the actual paths to your logzio-daemonset-containerd.yaml and configmap.yaml files.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards.
If you still don’t see your logs, see Kubernetes log shipping troubleshooting.
Disabling systemd input
To suppress Fluentd system messages, set the environment variable FLUENTD_SYSTEMD_CONF to disable in your Kubernetes environment.
Disabling Prometheus input plugins
By default, the latest images launch prometheus plugins to monitor Fluentd.
If you’d like to disable the Prometheus input plugin, set the environment variable FLUENTD_PROMETHEUS_CONF to disable in your Kubernetes configuration.
Exclude logs from certain namespaces
If you wish to exclude logs from certain namespaces, add the following to your Fluentd configuration:
<match kubernetes.var.log.containers.**_NAMESPACE_**>
@type null
</match>
Replace NAMESPACE with the name of the namespace you need to exclude logs from.
If you need to specify multiple namespaces, add another kubernetes.var.log.containers.**_NAMESPACE_** line to the above function as follows:
<match kubernetes.var.log.containers.**_NAMESPACE1_** kubernetes.var.log.containers.**_NAMESPACE2_**>
@type null
</match>
Configuring Fluentd to concatenate multiline logs using a plugin
Fluentd splits multiline logs by default. If your original logs span multiple lines, you may find that they arrive in your Logz.io account split into several partial logs.
The Logz.io Docker image comes with a pre-built Fluentd filter plug-in that can be used to concatenate multiline logs. The plug-in is named fluent-plugin-concat and you can view the full list of configuration options in the GitHub project.
Example
The following is an example of a multiline log sent from a deployment on a k8s cluster:
2021-02-08 09:37:51,031 - errorLogger - ERROR - Traceback (most recent call last):
File "./code.py", line 25, in my_func
1/0
ZeroDivisionError: division by zero
Fluentd’s default configuration will split the above log into 4 logs, 1 for each line of the original log. In other words, each line break (\n) causes a split.
To avoid this, you can use the fluent-plugin-concat and customize the configuration to meet your needs. The additional configuration is added to the values.yml file.
For the above example, we could use the following regex expressions to demarcate the start and end of our example log:
<filter **>
@type concat
key message # The key for part of multiline log
multiline_start_regexp /^[0-9]{4}-[0-9]{2}-[0-9]{2}/ # This regex expression identifies line starts.
</filter>