Use case

As a user I want to

• configure inputs by major log type [application, infrastructure, audit] and receive all logs of that type.
• configure inputs with separte sub-categories of log type, for example: audit.k8s, audit.openshift, infrastructure.container

As implementer of Loki forwarding  I need labels sets that identify individual log streams (files or containers)  to avoid out-of-order timestamps.

• For container logs I can already do this via namespace+pod+container IDs.
• For node logs I need to distinguish each separate stream, for example:  audit.k8s vs audit.openshift.

Changes

Add a log_type field of type string to the root of the log record data model.

Implement log_type with the following values:

• application: all application (non-infrastructure) containers.
• infrastructure: Includes all infrastructure sub-categories
  • infrastructure.container: logs from containers in default, kube, openshift and openshift-* namespaces
  • infrastructure.node: system logs from the node.
• audit: All audit logs
  • audit.linux: Linux audit log, per node.
  • audit.kubernetes: Kubernetes audit log, per node.
  • audit.openshift: Openshift audit log, per node..

Note: currently infrastructure.node means the systemd journal of the node. If we need to include more node logs in future, we can further subdivide, e.g. infrastructure.node.journal infrastructure.node.syslog or whatever.