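# Vector collector pipeline: reads container, journald and audit logs on the
# node, tags each event with a log_type (application / infrastructure / audit)
# and ships it to the matching Loki gateway endpoint. Vector's own metrics are
# exposed through a Prometheus exporter.

# Logs from containers (including openshift containers)
[sources.raw_container_logs]
type = "kubernetes_logs"
auto_partial_merge = true
# Log files of the collector, elasticsearch and kibana pods in the
# openshift-logging namespace are not collected.
exclude_paths_glob_patterns = [
    "/var/log/pods/openshift-logging_collector-*/*/*.log",
    "/var/log/pods/openshift-logging_elasticsearch-*/*/*.log",
    "/var/log/pods/openshift-logging_kibana-*/*/*.log",
]

[sources.raw_journal_logs]
type = "journald"

# Logs from host audit
[sources.host_audit_logs]
type = "file"
ignore_older_secs = 600  # seconds; files not modified more recently are skipped
include = ["/var/log/audit/audit.log"]

# Logs from kubernetes audit
[sources.k8s_audit_logs]
type = "file"
ignore_older_secs = 600  # seconds
include = ["/var/log/kube-apiserver/audit.log"]

# Logs from openshift audit
[sources.openshift_audit_logs]
type = "file"
ignore_older_secs = 600  # seconds
include = ["/var/log/oauth-apiserver.audit.log"]

[sources.internal_metrics]
type = "internal_metrics"

# Derives .level from the message text, renames kubernetes.pod_namespace to
# kubernetes.namespace_name and drops fields that are not forwarded.
# The level patterns are unanchored and tested in the order warn, info, error,
# debug; the first match wins, so .level is a heuristic taken from free text
# and should not be treated as an authoritative severity.
[transforms.container_logs]
type = "remap"
inputs = ["raw_container_logs"]
source = """
level = "unknown"
if match!(.message,r'(Warning|WARN|W[0-9]+|level=warn|Value:warn|"level":"warn")'){
  level = "warn"
} else if match!(.message, r'Info|INFO|I[0-9]+|level=info|Value:info|"level":"info"'){
  level = "info"
} else if match!(.message, r'Error|ERROR|E[0-9]+|level=error|Value:error|"level":"error"'){
  level = "error"
} else if match!(.message, r'Debug|DEBUG|D[0-9]+|level=debug|Value:debug|"level":"debug"'){
  level = "debug"
}
.level = level

namespace_name = .kubernetes.pod_namespace
del(.kubernetes.pod_namespace)
.kubernetes.namespace_name = namespace_name

del(.file)
del(.source_type)
del(.stream)
del(.kubernetes.pod_ips)
"""

# Pass-through: journald events are forwarded unchanged.
[transforms.journal_logs]
type = "remap"
inputs = ["raw_journal_logs"]
source = """
.
"""

# Splits container logs into two routes. "infra" is any namespace whose name
# starts with "kube" or "openshift", or is exactly "default"; "app" is the
# negation of that condition. The decision rests on the namespace name alone.
[transforms.route_container_logs]
type = "route"
inputs = ["container_logs"]
route.app = '!((starts_with!(.kubernetes.namespace_name,"kube")) || (starts_with!(.kubernetes.namespace_name,"openshift")) || (.kubernetes.namespace_name == "default"))'
route.infra = '(starts_with!(.kubernetes.namespace_name,"kube")) || (starts_with!(.kubernetes.namespace_name,"openshift")) || (.kubernetes.namespace_name == "default")'

# Rename log stream to "application"
[transforms.application]
type = "remap"
inputs = ["route_container_logs.app"]
source = """
.log_type = "application"
"""

# Rename log stream to "infrastructure"
[transforms.infrastructure]
type = "remap"
inputs = ["route_container_logs.infra", "journal_logs"]
source = """
.log_type = "infrastructure"
"""

# Rename log stream to "audit"
[transforms.audit]
type = "remap"
inputs = ["host_audit_logs", "k8s_audit_logs", "openshift_audit_logs"]
source = """
.log_type = "audit"
"""

# The three send-* transforms are pass-throughs that give each sink a single,
# stable input name.
[transforms.send-app-logs]
type = "remap"
inputs = ["application"]
source = """
.
"""

[transforms.send-infra-logs]
type = "remap"
inputs = ["infrastructure"]
source = """
.
"""

[transforms.send-audit-logs]
type = "remap"
inputs = ["audit"]
source = """
.
"""

# NOTE(review): every Loki endpoint below uses plain http://, so the bearer
# token and the log payload travel unencrypted to the gateway service. Confirm
# whether the gateway offers a TLS listener and switch to it if so.

[sinks.loki_app]
type = "loki"
inputs = ["send-app-logs"]
endpoint = "http://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/"

[sinks.loki_app.encoding]
codec = "json"

[sinks.loki_app.labels]
kubernetes_container_name = "{{kubernetes.container_name}}"
kubernetes_host = "${VECTOR_SELF_NODE_NAME}"
kubernetes_namespace_name = "{{kubernetes.namespace_name}}"
kubernetes_pod_name = "{{kubernetes.pod_name}}"
log_type = "{{log_type}}"

# Bearer Auth Config
# The credential is read from the environment when the config is loaded, using
# the same ${...} interpolation as VECTOR_SELF_NODE_NAME above, so the token is
# not stored in this file. LOKI_BEARER_TOKEN is a placeholder name: populate it
# from the collector's service-account token secret. A token that was ever
# written into a config file in plain text should be rotated.
[sinks.loki_app.auth]
strategy = "bearer"
token = "${LOKI_BEARER_TOKEN}"

[sinks.loki_infra]
type = "loki"
inputs = ["send-infra-logs"]
endpoint = "http://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/"

[sinks.loki_infra.encoding]
codec = "json"

# NOTE(review): this sink also receives journald events, and nothing in this
# file adds kubernetes.* fields to them, so the kubernetes_* label templates
# may not render for those events. Confirm how the sink handles that.
[sinks.loki_infra.labels]
kubernetes_container_name = "{{kubernetes.container_name}}"
kubernetes_host = "${VECTOR_SELF_NODE_NAME}"
kubernetes_namespace_name = "{{kubernetes.namespace_name}}"
kubernetes_pod_name = "{{kubernetes.pod_name}}"
log_type = "{{log_type}}"

# Bearer Auth Config
# Token comes from the environment; LOKI_BEARER_TOKEN is a placeholder name.
[sinks.loki_infra.auth]
strategy = "bearer"
token = "${LOKI_BEARER_TOKEN}"

[sinks.loki_audit]
type = "loki"
inputs = ["send-audit-logs"]
endpoint = "http://lokistack-instance-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/"

[sinks.loki_audit.encoding]
codec = "json"

# NOTE(review): audit events come from the file sources and are not shown
# gaining kubernetes.* fields anywhere in this file, so the kubernetes_* label
# templates may not render for them. Confirm the resulting label set, since
# audit queries will depend on it.
[sinks.loki_audit.labels]
kubernetes_container_name = "{{kubernetes.container_name}}"
kubernetes_host = "${VECTOR_SELF_NODE_NAME}"
kubernetes_namespace_name = "{{kubernetes.namespace_name}}"
kubernetes_pod_name = "{{kubernetes.pod_name}}"
log_type = "{{log_type}}"

# Bearer Auth Config
# Token comes from the environment; LOKI_BEARER_TOKEN is a placeholder name.
[sinks.loki_audit.auth]
strategy = "bearer"
token = "${LOKI_BEARER_TOKEN}"

# NOTE(review): the exporter listens on every interface (0.0.0.0) and no TLS
# or authentication is configured in this section. Confirm that access to port
# 24231 is restricted by network policy or a fronting proxy.
[sinks.prometheus_output]
type = "prometheus_exporter"
inputs = ["internal_metrics"]
address = "0.0.0.0:24231"
default_namespace = "collector"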