- Overview
- Standard configuration
- Autodiscover Linux
- Autodiscover Windows
- Configurations & Defaults
- Multiline logs
Overview
You can use a Helm chart to ship k8s logs to Logz.io via Filebeat from Linux and Windows nodes.
Helm is a tool for managing packages of pre-configured Kubernetes resources using Charts. Logzio-k8s-logs allows you to ship logs from your Kubernetes cluster to Logz.io. You can either deploy this Daemonset with the standard Filebeat configuration or with Filebeat Autodiscover. (Learn more about Filebeat Autodiscover from Elastic.)
Filebeat’s basic configuration tends to split longer, multiline logs into multiple logs - 1 log per line. See the relevant tab for details and options for controlling this setting.
Helm 2 reached EOL on November 2020. This document follows the command syntax recommended for Helm 3, but the Chart will work with both Helm 2 and Helm 3.
For troubleshooting this solution, see our user guide.
Sending logs from nodes with taints
If you want to ship logs from any of the nodes that have a taint, make sure that the taint key values are listed in your in your daemonset/deployment configuration as follows:
tolerations:
- key:
operator:
value:
effect:
To determine if a node uses taints as well as to display the taint keys, run:
kubectl get nodes -o json | jq ".items[]|{name:.metadata.name, taints:.spec.taints}"
You need to use Helm client with version v3.9.0 or above.
Standard configuration
Before you begin, you’ll need:
- Helm CLI installed
- Outgoing traffic to destination port 5015 allowed
Add logzio-k8s-logs repo to your helm repo list
helm repo add logzio-helm https://logzio.github.io/logzio-helm
helm repo update
Deploy
Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
Replace <<LISTENER-REGION>> with your region’s code (for example, eu). For more information on finding your account’s region, see Account region.
Replace <<CLUSTER-NAME>> with your cluster’s name.
helm install --namespace=kube-system \
--set secrets.logzioShippingToken='<<LOG-SHIPPING-TOKEN>>' \
--set secrets.logzioRegion='<<LISTENER-REGION>>' \
--set secrets.clusterName='<<CLUSTER-NAME>>' \
logzio-k8s-logs logzio-helm/logzio-k8s-logs
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Logz.io.
Autodiscover configuration
Autodiscover allows you to adapt settings as changes happen. By defining configuration templates, the autodiscover subsystem can monitor services as they start running.
Add logzio-k8s-logs repo to your helm repo list
helm repo add logzio-helm https://logzio.github.io/logzio-helm
helm repo update
Deploy
In the following commands, make the following changes:
-
Replace
<<LOG-SHIPPING-TOKEN>>with the token of the account you want to ship to. -
Replace
<<LISTENER-REGION>>with your region’s code (for example,eu). For more information on finding your account’s region, see Account region. -
Replace
<<CLUSTER-NAME>>with your cluster’s name. -
Use
--set configType='<<TYPE>>'for linux based filebeat and/or--set filebeatWindowsConfigType='<<TYPE>>'for windows based filebeat.
This Daemonset’s default autodiscover configuration is hints based. If you wish to deploy it use:
helm install --namespace=kube-system \
--set configType='autodiscover' \
--set secrets.logzioShippingToken='<<LOG-SHIPPING-TOKEN>>' \
--set secrets.logzioRegion='<<LISTENER-REGION>>' \
--set secrets.clusterName='<<CLUSTER-NAME>>' \
logzio-k8s-logs logzio-helm/logzio-k8s-logs
If you have a custom configuration, deploy with:
helm install --namespace=kube-system \
--set configType='auto-custom' \
--set secrets.logzioShippingToken='<<LOG-SHIPPING-TOKEN>>' \
--set secrets.logzioRegion='<<LISTENER-REGION>>' \
--set secrets.clusterName='<<CLUSTER-NAME>>' \
--set-file filebeatConfig.autoCustomConfig=/path/to/your/config.yaml \
logzio-k8s-logs logzio-helm/logzio-k8s-logs
If you’re using a custom config, please make sure that you’re using a .yaml file with the following structure:
Filebeat requires a file extension specified for the log input.
filebeat.yml: |-
filebeat.autodiscover:
#....
# your autodiscover config
# ...
processors:
- add_cloud_metadata: ~
fields:
logzio_codec: ${LOGZIO_CODEC}
token: ${LOGZIO_LOGS_SHIPPING_TOKEN}
cluster: ${CLUSTER_NAME}
type: ${LOGZIO_TYPE}
fields_under_root: ${FIELDS_UNDER_ROOT}
ignore_older: ${IGNORE_OLDER}
output:
logstash:
hosts: ["${LOGZIO_LOGS_LISTENER_HOST}:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/SectigoRSADomainValidationSecureServerCA.crt']
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards.
If you still don’t see your logs, see Kubernetes log shipping troubleshooting.
Uninstalling the Chart
The command removes all the k8s components associated with the chart and deletes the release.
To uninstall the logzio-k8s-logs deployment:
helm uninstall --namespace=kube-system logzio-k8s-logs
Autodiscover configuration
Autodiscover allows you to adapt settings as changes happen. By defining configuration templates, the autodiscover subsystem can monitor services as they start running.
Add logzio-k8s-logs repo to your helm repo list
helm repo add logzio-helm https://logzio.github.io/logzio-helm
helm repo update
Deploy
In the following commands, make the following changes:
-
Replace
<<LOG-SHIPPING-TOKEN>>with the token of the account you want to ship to. -
Replace
<<LISTENER-REGION>>with your region’s code (for example,eu). For more information on finding your account’s region, see Account region. -
Replace
<<CLUSTER-NAME>>with your cluster’s name. -
Use
--set configType='<<TYPE>>'for linux based filebeat and/or--set filebeatWindowsConfigType='<<TYPE>>'for windows based filebeat.
This Daemonset’s default autodiscover configuration is hints based. If you wish to deploy it use:
helm install --namespace=kube-system \
--set configType='autodiscover' \
--set secrets.logzioShippingToken='<<LOG-SHIPPING-TOKEN>>' \
--set secrets.logzioRegion='<<LISTENER-REGION>>' \
--set secrets.clusterName='<<CLUSTER-NAME>>' \
logzio-k8s-logs logzio-helm/logzio-k8s-logs
If you have a custom configuration, deploy with:
helm install --namespace=kube-system \
--set configType='auto-custom' \
--set secrets.logzioShippingToken='<<LOG-SHIPPING-TOKEN>>' \
--set secrets.logzioRegion='<<LISTENER-REGION>>' \
--set secrets.clusterName='<<CLUSTER-NAME>>' \
--set-file filebeatConfig.autoCustomConfig=/path/to/your/config.yaml \
logzio-k8s-logs logzio-helm/logzio-k8s-logs
If you’re using a custom config, please make sure that you’re using a .yaml file with the following structure:
filebeat.yml: |-
filebeat.autodiscover:
#....
# your autodiscover config
# ...
processors:
- add_cloud_metadata: ~
fields:
logzio_codec: ${LOGZIO_CODEC}
token: ${LOGZIO_LOGS_SHIPPING_TOKEN}
cluster: ${CLUSTER_NAME}
type: ${LOGZIO_TYPE}
fields_under_root: ${FIELDS_UNDER_ROOT}
ignore_older: ${IGNORE_OLDER}
output:
logstash:
hosts: ["${LOGZIO_LOGS_LISTENER_HOST}:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/SectigoRSADomainValidationSecureServerCA.crt']
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards.
If you still don’t see your logs, see Kubernetes log shipping troubleshooting.
Uninstalling the Chart
The command removes all the k8s components associated with the chart and deletes the release.
To uninstall the logzio-k8s-logs deployment:
helm uninstall --namespace=kube-system logzio-k8s-logs
Changing a default
If you wish to change the default values, specify each parameter using the --set key=value argument to helm install. For example,
helm install --namespace=kube-system logzio-k8s-logs logzio-helm/logzio-k8s-logs \
--set imageTag=7.7.0 \
--set terminationGracePeriodSeconds=30
Configurations & defaults
| Parameter | Description | Default |
|---|---|---|
image |
The linux based Filebeat docker image. | docker.elastic.co/beats/filebeat |
imageTag |
The linux based Filebeat docker image tag. | 7.8.1 |
filebeatWindowsImage |
The windows based Filebeat docker image. | docker.io/logzio/logzio-filebeat-win |
filebeatWindowsImageTag |
The windows based Filebeat docker image tag. | 0.0.1 |
winglogbeatImage |
The winlogbeat docker image. | docker.io/logzio/logzio-winlogbeat |
winglogbeatImageTag |
The winlogbeat docker image tag. | 0.0.1 |
nameOverride |
Overrides the Chart name for resources. | "" |
fullnameOverride |
Overrides the full name of the resources. | filebeat |
namespaceOverride |
Overrides the namespace of the resources. | "" |
apiVersions.configMap |
ConfigMap API version. | v1 |
apiVersions.daemonset |
Daemonset API version. | apps/v1 |
apiVersions.clusterRoleBinding |
ClusterRoleBinding API version. | rbac.authorization.k8s.io/v1 |
apiVersions.clusterRole |
ClusterRole API version. | rbac.authorization.k8s.io/v1 |
apiVersions.serviceAccount |
ServiceAccount API version. | v1 |
apiVersions.secret |
Secret API version. | v1 |
managedServiceAccount |
Specifies whether the serviceAccount should be managed by this Helm Chart. Set this to false to manage your own service account and related roles. |
true |
clusterRoleRules |
Configurable cluster role rules that Filebeat uses to access Kubernetes resources. | See values.yaml |
logzioCert |
Logzio public SSL certificate. | See values.yaml |
configType |
Specifies which configuration to use for Filebeat. Set to autodiscover to use autodiscover (available only for filebeat). |
standard |
filebeatConfig.standardConfig |
Standard linux based Filebeat configuration, using filebeat.input. |
See values.yaml |
filebeatConfig.autodiscoverConfig |
Autodiscover linux based Filebeat configuration, using filebeat.autodiscover. |
See values.yaml |
filebeatConfig.autoCustomConfig |
Autodiscover linux based Filebeat custom configuration, using filebeat.autodiscover. Should be used if you want to use your customized autodiscover config |
{} |
filebeatWindowsConfig.standardConfig |
Standard windows based Filebeat configuration, using filebeat.input. |
See values.yaml |
filebeatConfig.autodiscoverConfig |
Autodiscover windows based Filebeat configuration, using filebeat.autodiscover. |
See values.yaml |
filebeatConfig.autoCustomConfig |
Autodiscover windows based Filebeat custom configuration, using filebeat.autodiscover. Should be used if you want to use your customized autodiscover config |
{} |
winlogbeatConfig.standardConfig |
Standard Winlogbeat configuration, using winlogbeat.event_logs. (Currently this is the only available option) |
See values.yaml |
serviceAccount.create |
Specifies whether a service account should be created. | true |
serviceAccount.name |
Name of the service account. | filebeat |
terminationGracePeriod |
Termination period (in seconds) to wait before killing Filebeat pod process on pod shutdown. | 30 |
hostNetwork |
Controls whether the pod may use the node network namespace. | true |
windowsHostNetwork |
Controls whether the pod may use the Windows node network namespace. | false |
dnsPolicy |
Specifies pod-specific DNS policies. | ClusterFirstWithHostNet |
daemonset.ignoreOlder |
Logs older than this will be ignored. (linux based Filebeat) | 3h |
daemonset.logzioCodec |
Set to json if shipping JSON logs. Otherwise, set to plain. (linux based Filebeat) |
json |
daemonset.logzioType |
The log type you’ll use with this Daemonset. This is shown in your logs under the type field in Open Search Dashboards. Logz.io applies parsing based on type. (linux based Filebeat) |
filebeat |
daemonset.fieldsUnderRoot |
If this option is set to true, the custom fields are stored as top-level fields in the output document instead of being grouped under a fields sub-dictionary. (linux based Filebeat) |
"true" |
daemonset.securityContext |
Configurable securityContext for Filebeat DaemonSet pod execution environment. (linux based Filebeat) | See values.yaml |
daemonset.resources |
Allows you to set the resources for Filebeat Daemonset. | See values.yaml (linux based Filebeat) |
daemonset.tolerations |
Set tolerations for all DaemonSet pods. (linux based Filebeat) | {} |
daemonset.volumes |
Templatable string of additional volumes to be passed to the DaemonSet. |
See values.yaml (linux based Filebeat) |
daemonset.volumeMounts |
Templatable string of additional volumeMounts to be passed to the DaemonSet. |
See values.yaml (linux based Filebeat) |
daemonset.priorityClassName |
Set priorityClassName for all DaemonSet pods. | "" |
winlogbeatDaemonset.ignoreOlder |
Logs older than this will be ignored. (Winlogbeat) | 3h |
winlogbeatDaemonset.logzioCodec |
Set to json if shipping JSON logs. Otherwise, set to plain. (Winlogbeat) |
json |
winlogbeatDaemonset.logzioType |
The log type you’ll use with this Daemonset. This is shown in your logs under the type field in Open Search Dashboards. Logz.io applies parsing based on type. (Winlogbeat) |
winlogbeat |
winlogbeatDaemonset.fieldsUnderRoot |
If this option is set to true, the custom fields are stored as top-level fields in the output document instead of being grouped under a fields sub-dictionary. (Winlogbeat) |
"true" |
winlogbeatDaemonset.securityContext |
Configurable securityContext for Filebeat DaemonSet pod execution environment. (Winlogbeat) | See values.yaml |
winlogbeatDaemonset.resources |
Allows you to set the resources for Filebeat Daemonset. | See values.yaml (Winlogbeat) |
winlogbeatDaemonset.tolerations |
Set tolerations for all DaemonSet pods. (Winlogbeat) | {} |
winlogbeatDaemonset.volumes |
Templatable string of additional volumes to be passed to the DaemonSet. |
See values.yaml (Winlogbeat) |
winlogbeatDaemonset.volumeMounts |
Templatable string of additional volumeMounts to be passed to the DaemonSet. |
See values.yaml (Winlogbeat) |
windowsDaemonset.priorityClassName |
Set priorityClassName for all DaemonSet pods. (windows) | "" |
filebeatWindowsDaemonset.ignoreOlder |
Logs older than this will be ignored. (Windows based Filebeat) | 3h |
filebeatWindowsDaemonset.logzioCodec |
Set to json if shipping JSON logs. Otherwise, set to plain. (Windows based Filebeat) |
json |
filebeatWindowsDaemonset.logzioType |
The log type you’ll use with this Daemonset. This is shown in your logs under the type field in Open Search Dashboards. Logz.io applies parsing based on type. (Windows based Filebeat) |
filebeat-win |
filebeatWindowsDaemonset.fieldsUnderRoot |
If this option is set to true, the custom fields are stored as top-level fields in the output document instead of being grouped under a fields sub-dictionary. (Windows based Filebeat) |
"true" |
filebeatWindowsDaemonset.securityContext |
Configurable securityContext for Filebeat DaemonSet pod execution environment. (Windows based Filebeat) | See values.yaml |
filebeatWindowsDaemonset.resources |
Allows you to set the resources for Filebeat Daemonset. | See values.yaml (Windows based Filebeat) |
filebeatWindowsDaemonset.tolerations |
Set tolerations for all DaemonSet pods. (Windows based Filebeat) | {} |
filebeatWindowsDaemonset.volumes |
Templatable string of additional volumes to be passed to the DaemonSet. |
See values.yaml (Windows based Filebeat) |
filebeatWindowsDaemonset.volumeMounts |
Templatable string of additional volumeMounts to be passed to the DaemonSet. |
See values.yaml (Windows based Filebeat) |
secrets.create |
Boolean to toggle secrets creation. Set to false to disable secrets generation. | true |
secrets.logzioShippingToken |
Secret with your logzio shipping token. | "" |
secrets.logzioRegion |
Secret with your logzio region. Defaults to US East. | " " |
secrets.clusterName |
Secret with your cluster name. | "" |
Some values, such as daemonset.tolerations, should be set as follows:
--set daemonset.tolerations[0].key='value' \
--set daemonset.tolerations[0].operator='Equal' \
Configuring Filebeat to concatenate multiline logs
Filebeat splits multiline logs by default. If your original logs span multiple lines, you may find that they arrive in your Logz.io account split into several partial logs.
Filebeat offers configuration options that can be used to concatenate multiline logs. The configuration is managed differently, depending on your deployment method:
-
Standard configuration: If you are using a standard configuration (but not autodiscover), use an explicit configuration. Configuration options from Filebeat’s official documentation.
When using an explicit configuration, you will need to create a single regex expression that covers all of your pods. It also means that Filebeat will need to be reconfigured more often, with the introduction of every new use case.
-
Autodiscover configuration: If you are using autodiscover hints & annotations, add an annotation to your deployment. Configuration options from Filebeat’s official documentation.
Hints and annotations support the option to manage regex expressions separately for each component. This greatly simplifies the process, making it possible to add a dedicated regex expression to each pod, without needing to change anything on Filebeat itself.
Example
The following is an example of a multiline log sent from a deployment on a k8s cluster:
2021-02-08 09:37:51,031 - errorLogger - ERROR - Traceback (most recent call last):
File "./code.py", line 25, in my_func
1/0
ZeroDivisionError: division by zero
Filebeat’s default configuration will split the above log into 4 logs, 1 for each line of the original log. In other words, each line break (\n) causes a split.
You can overcome this behavior by configuring Filebeat to meet your needs.
Example of an explicit configuration for concatenating multiline logs
To add an explicit configuration to your Filebeat, edit your filebeat.yml file in a text editor and make the appropriate changes under the filebeat.input section.
For the above example, we could use the following regex expression to demarcate the start of our example log. This configuration example is set to identify the first log in a multiline log and concatenate the log lines that follow until it identifies the next log that matches the regex expression. In other words, there is no explicit regex expression to demarcate the end of a multiline log.
filebeat.inputs:
- type: container
paths:
- /var/log/containers/*.log
processors:
- add_kubernetes_metadata:
host: ${NODE_NAME}
matchers:
- logs_path:
logs_path: "/var/log/containers/"
multiline.type: pattern
multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
multiline.negate: true
multiline.match: after
See Filebeat’s official documentation for additional configuration options.
Example for using hints & annotations to concatenate multiline logs
If you’re using Filebeat autodiscover hints, you can use annotations to identify multiline logs and concatenate them.
You will need to first configure Filebeat to enable the hints system, and add annotations to the relevant components when you deploy them to your cluster.
Enable Filebeat’s hints system
First, enable Filebeat’s hints system. In your filebeat.yml file, set hints.enabled: true under the filebeat.autodiscover section. For example:
filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
hints.enabled: true # This part enables the hints
hints.default_config:
type: container
paths:
- /var/log/containers/*-${data.kubernetes.container.id}.log
Add multiline annotations to your deployment
Whenever you plan to deploy a component to your cluster and want the hints system to detect the multiline logs, you’ll need to add multiline annotations.
For the above log example, you can add the following annotations to your deployment:
annotations:
co.elastic.logs/multiline.type: 'pattern'
co.elastic.logs/multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
co.elastic.logs/multiline.negate: 'true'
co.elastic.logs/multiline.match: 'after'
The above configuration ensures that Filebeat will look for log lines that match the regex under multiline.pattern and concatenate all subsequent lines, until it reaches the next regex match.
See Filebeat’s official documentation for additional configuration options.