## CLO GENERATED CONFIGURATION ### # This file is a copy of the fluentd configuration entrypoint # which should normally be supplied in a configmap. log_level "#{ENV['LOG_LEVEL'] || 'warn'}" # Prometheus Monitoring @type prometheus bind "#{ENV['PROM_BIND_IP']}" cert_path /etc/collector/metrics/tls.crt private_key_path /etc/collector/metrics/tls.key @type prometheus_monitor hostname ${hostname} # excluding prometheus_tail_monitor # since it leaks namespace/pod info # via file paths # tail_monitor plugin which publishes log_collected_bytes_total @type collected_tail_monitor hostname ${hostname} # This is considered experimental by the repo @type prometheus_output_monitor hostname ${hostname} # Logs from linux journal @type systemd @id systemd-input @label @INGRESS path '/var/log/journal' @type local persistent true # NOTE: if this does not end in .json, fluentd will think it # is the name of a directory - see fluentd storage_local.rb path '/var/lib/fluentd/pos/journal_pos.json' matches "#{ENV['JOURNAL_FILTERS_JSON'] || '[]'}" tag journal read_from_head "#{if (val = ENV.fetch('JOURNAL_READ_FROM_HEAD','')) && (val.length > 0); val; else 'false'; end}" # Logs from containers (including openshift containers) @type tail @id container-input path "/var/log/pods/*/*/*.log" exclude_path ["/var/log/pods/openshift-logging_collector-*/*/*.log", "/var/log/pods/openshift-logging_elasticsearch-*/*/*.log", "/var/log/pods/openshift-logging_kibana-*/*/*.log", "/var/log/pods/openshift-logging_*/loki*/*.log", "/var/log/pods/openshift-logging_*/gateway/*.log", "/var/log/pods/openshift-logging_*/opa/*.log", "/var/log/pods/*/*/*.gz", "/var/log/pods/*/*/*.tmp"] pos_file "/var/lib/fluentd/pos/es-containers.log.pos" follow_inodes true refresh_interval 5 rotate_wait 5 tag kubernetes.* read_from_head "true" skip_refresh_on_startup true @label @CONCAT @type regexp expression /^(?<@timestamp>[^\s]+) (?stdout|stderr) (?[F|P]) (?.*)$/ time_key '@timestamp' keep_time_key true # linux audit logs @type tail @id audit-input @label @INGRESS path "/var/log/audit/audit.log" pos_file "/var/lib/fluentd/pos/audit.log.pos" follow_inodes true tag linux-audit.log @type viaq_host_audit # k8s audit logs @type tail @id k8s-audit-input @label @INGRESS path "/var/log/kube-apiserver/audit.log" pos_file "/var/lib/fluentd/pos/kube-apiserver.audit.log.pos" follow_inodes true tag k8s-audit.log @type json time_key requestReceivedTimestamp # In case folks want to parse based on the requestReceivedTimestamp key keep_time_key true time_format %Y-%m-%dT%H:%M:%S.%N%z # Openshift audit logs @type tail @id openshift-audit-input @label @INGRESS path /var/log/oauth-apiserver/audit.log,/var/log/openshift-apiserver/audit.log,/var/log/oauth-server/audit.log pos_file /var/lib/fluentd/pos/oauth-apiserver.audit.log follow_inodes true tag openshift-audit.log @type json time_key requestReceivedTimestamp # In case folks want to parse based on the requestReceivedTimestamp key keep_time_key true time_format %Y-%m-%dT%H:%M:%S.%N%z # Openshift Virtual Network (OVN) audit logs @type tail @id ovn-audit-input @label @INGRESS path "/var/log/ovn/acl-audit-log.log" pos_file "/var/lib/fluentd/pos/acl-audit-log.pos" follow_inodes true tag ovn-audit.log refresh_interval 5 rotate_wait 5 read_from_head true @type none # Concat log lines of container logs, and send to INGRESS pipeline @type concat key message partial_key logtag partial_value P separator '' @type relabel @label @INGRESS # Ingress pipeline # Filter out PRIORITY from journal logs @type grep key PRIORITY pattern ^7$ # Process OVN logs @type record_modifier @timestamp ${DateTime.parse(record['message'].split('|')[0]).rfc3339(6)} level ${record['message'].split('|')[3].downcase} # Process Kube and OpenShift Audit logs @type record_modifier @timestamp ${record['requestReceivedTimestamp']} # Retag Journal logs to specific tags @type rewrite_tag_filter # skip to @INGRESS label section @label @INGRESS # see if this is a kibana container for special log handling # looks like this: # k8s_kibana.a67f366_logging-kibana-1-d90e3_logging_26c51a61-2835-11e6-ad29-fa163e4944d5_f0db49a2 # we filter these logs through the kibana_transform.conf filter key CONTAINER_NAME pattern ^k8s_kibana\. tag kubernetes.journal.container.kibana key CONTAINER_NAME pattern ^k8s_[^_]+_logging-eventrouter-[^_]+_ tag kubernetes.journal.container._default_.kubernetes-event # mark logs from default namespace for processing as k8s logs but stored as system logs key CONTAINER_NAME pattern ^k8s_[^_]+_[^_]+_default_ tag kubernetes.journal.container._default_ # mark logs from kube-* namespaces for processing as k8s logs but stored as system logs key CONTAINER_NAME pattern ^k8s_[^_]+_[^_]+_kube-(.+)_ tag kubernetes.journal.container._kube-$1_ # mark logs from openshift-* namespaces for processing as k8s logs but stored as system logs key CONTAINER_NAME pattern ^k8s_[^_]+_[^_]+_openshift-(.+)_ tag kubernetes.journal.container._openshift-$1_ # mark logs from openshift namespace for processing as k8s logs but stored as system logs key CONTAINER_NAME pattern ^k8s_[^_]+_[^_]+_openshift_ tag kubernetes.journal.container._openshift_ # mark fluentd container logs key CONTAINER_NAME pattern ^k8s_.*fluentd tag kubernetes.journal.container.fluentd # this is a kubernetes container key CONTAINER_NAME pattern ^k8s_ tag kubernetes.journal.container # not kubernetes - assume a system log or system container log key _TRANSPORT pattern .+ tag journal.system # Invoke kubernetes apiserver to get kubernetes metadata @id kubernetes-metadata @type kubernetes_metadata kubernetes_url 'https://kubernetes.default.svc' annotation_match ["^containerType\.logging\.openshift\.io\/.*$"] allow_orphans false cache_size '1000' ssl_partial_chain 'true' # Parse Json fields for container, journal and eventrouter logs @type parse_json_field merge_json_log true preserve_json_log true json_fields 'message' # Fix level field in audit logs @type record_modifier k8s_audit_level ${record['level']} @type record_modifier openshift_audit_level ${record['level']} # Viaq Data Model @type viaq_data_model enable_flatten_labels true enable_prune_empty_fields false default_keep_fields CEE,time,@timestamp,aushape,ci_job,collectd,docker,fedora-ci,file,foreman,geoip,hostname,ipaddr4,ipaddr6,kubernetes,level,message,namespace_name,namespace_uuid,offset,openstack,ovirt,pid,pipeline_metadata,rsyslog,service,systemd,tags,testcase,tlog,viaq_msg_id keep_empty_fields 'message' rename_time true pipeline_type 'collector' process_kubernetes_events false name warn match 'Warning|WARN|^W[0-9]+|level=warn|Value:warn|"level":"warn"' name info match 'Info|INFO|^I[0-9]+|level=info|Value:info|"level":"info"' name error match 'Error|ERROR|^E[0-9]+|level=error|Value:error|"level":"error"' name critical match 'Critical|CRITICAL|^C[0-9]+|level=critical|Value:critical|"level":"critical"' name debug match 'Debug|DEBUG|^D[0-9]+|level=debug|Value:debug|"level":"debug"' tag "journal.system**" type sys_journal remove_keys log,stream,MESSAGE,_SOURCE_REALTIME_TIMESTAMP,__REALTIME_TIMESTAMP,CONTAINER_ID,CONTAINER_ID_FULL,CONTAINER_NAME,PRIORITY,_BOOT_ID,_CAP_EFFECTIVE,_CMDLINE,_COMM,_EXE,_GID,_HOSTNAME,_MACHINE_ID,_PID,_SELINUX_CONTEXT,_SYSTEMD_CGROUP,_SYSTEMD_SLICE,_SYSTEMD_UNIT,_TRANSPORT,_UID,_AUDIT_LOGINUID,_AUDIT_SESSION,_SYSTEMD_OWNER_UID,_SYSTEMD_SESSION,_SYSTEMD_USER_UNIT,CODE_FILE,CODE_FUNCTION,CODE_LINE,ERRNO,MESSAGE_ID,RESULT,UNIT,_KERNEL_DEVICE,_KERNEL_SUBSYSTEM,_UDEV_SYSNAME,_UDEV_DEVNODE,_UDEV_DEVLINK,SYSLOG_FACILITY,SYSLOG_IDENTIFIER,SYSLOG_PID tag "kubernetes.var.log.pods.**_eventrouter-** k8s-audit.log** openshift-audit.log** ovn-audit.log**" type k8s_json_file remove_keys stream process_kubernetes_events 'true' tag "kubernetes.var.log.pods**" type k8s_json_file remove_keys stream # Generate elasticsearch id @type elasticsearch_genid_ext hash_id_key viaq_msg_id alt_key kubernetes.event.metadata.uid alt_tags 'kubernetes.var.log.pods.**_eventrouter-*.** kubernetes.journal.container._default_.kubernetes-event' # Include Infrastructure logs @type relabel @label @_INFRASTRUCTURE # Include Application logs @type relabel @label @_APPLICATION # Include Audit logs @type relabel @label @_AUDIT # Send any remaining unmatched tags to stdout @type stdout # Sending application source type to pipeline @type record_modifier log_type application @type relabel @label @ALL_LOGS_TO_LOKISTACK_1 # Sending infrastructure source type to pipeline @type record_modifier log_type infrastructure @type relabel @label @ALL_LOGS_TO_LOKISTACK # Sending audit source type to pipeline @type record_modifier log_type audit @type relabel @label @ALL_LOGS_TO_LOKISTACK_2 # Copying pipeline all-logs-to-lokistack to outputs @type relabel @label @DEFAULT_LOKI_INFRA # Copying pipeline all-logs-to-lokistack-1 to outputs @type relabel @label @DEFAULT_LOKI_APPS # Copying pipeline all-logs-to-lokistack-2 to outputs @type relabel @label @DEFAULT_LOKI_AUDIT # Ship logs to specific outputs #dedot namespace_labels and rebuild message field if present @type record_modifier _dummy_ ${if m=record.dig("kubernetes","namespace_labels");record["kubernetes"]["namespace_labels"]={}.tap{|n|m.each{|k,v|n[k.gsub(/[.\/]/,'_')]=v}};end} _dummy2_ ${if m=record.dig("kubernetes","labels");record["kubernetes"]["labels"]={}.tap{|n|m.each{|k,v|n[k.gsub(/[.\/]/,'_')]=v}};end} _dummy3_ ${if m=record.dig("kubernetes","flat_labels");record["kubernetes"]["flat_labels"]=[].tap{|n|m.each_with_index{|s, i|n[i] = s.gsub(/[.\/]/,'_')}};end} remove_keys _dummy_, _dummy2_, _dummy3_ @type record_modifier _kubernetes_container_name ${record.dig("kubernetes","container_name")} _kubernetes_host "#{ENV['NODE_NAME']}" _kubernetes_namespace_name ${record.dig("kubernetes","namespace_name")} _kubernetes_pod_name ${record.dig("kubernetes","pod_name")} _log_type ${record.dig("log_type")} @type loki @id default_loki_apps line_format json url https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application ca_cert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt bearer_token_file /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_container_name _kubernetes_container_name kubernetes_host _kubernetes_host kubernetes_namespace_name _kubernetes_namespace_name kubernetes_pod_name _kubernetes_pod_name log_type _log_type @type file path '/var/lib/fluentd/default_loki_apps' flush_mode interval flush_interval 1s flush_thread_count 2 retry_type exponential_backoff retry_wait 1s retry_max_interval 60s retry_timeout 60m queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '32'}" total_limit_size "#{ENV['TOTAL_LIMIT_SIZE_PER_BUFFER'] || '8589934592'}" chunk_limit_size "#{ENV['BUFFER_SIZE_LIMIT'] || '8m'}" overflow_action block disable_chunk_backup true #dedot namespace_labels and rebuild message field if present @type record_modifier _dummy_ ${if m=record.dig("kubernetes","namespace_labels");record["kubernetes"]["namespace_labels"]={}.tap{|n|m.each{|k,v|n[k.gsub(/[.\/]/,'_')]=v}};end} _dummy2_ ${if m=record.dig("kubernetes","labels");record["kubernetes"]["labels"]={}.tap{|n|m.each{|k,v|n[k.gsub(/[.\/]/,'_')]=v}};end} _dummy3_ ${if m=record.dig("kubernetes","flat_labels");record["kubernetes"]["flat_labels"]=[].tap{|n|m.each_with_index{|s, i|n[i] = s.gsub(/[.\/]/,'_')}};end} remove_keys _dummy_, _dummy2_, _dummy3_ @type record_modifier _kubernetes_container_name ${record.dig("kubernetes","container_name")} _kubernetes_host "#{ENV['NODE_NAME']}" _kubernetes_namespace_name ${record.dig("kubernetes","namespace_name")} _kubernetes_pod_name ${record.dig("kubernetes","pod_name")} _log_type ${record.dig("log_type")} @type loki @id default_loki_audit line_format json url https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit ca_cert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt bearer_token_file /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_container_name _kubernetes_container_name kubernetes_host _kubernetes_host kubernetes_namespace_name _kubernetes_namespace_name kubernetes_pod_name _kubernetes_pod_name log_type _log_type @type file path '/var/lib/fluentd/default_loki_audit' flush_mode interval flush_interval 1s flush_thread_count 2 retry_type exponential_backoff retry_wait 1s retry_max_interval 60s retry_timeout 60m queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '32'}" total_limit_size "#{ENV['TOTAL_LIMIT_SIZE_PER_BUFFER'] || '8589934592'}" chunk_limit_size "#{ENV['BUFFER_SIZE_LIMIT'] || '8m'}" overflow_action block disable_chunk_backup true #dedot namespace_labels and rebuild message field if present @type record_modifier _dummy_ ${if m=record.dig("kubernetes","namespace_labels");record["kubernetes"]["namespace_labels"]={}.tap{|n|m.each{|k,v|n[k.gsub(/[.\/]/,'_')]=v}};end} _dummy2_ ${if m=record.dig("kubernetes","labels");record["kubernetes"]["labels"]={}.tap{|n|m.each{|k,v|n[k.gsub(/[.\/]/,'_')]=v}};end} _dummy3_ ${if m=record.dig("kubernetes","flat_labels");record["kubernetes"]["flat_labels"]=[].tap{|n|m.each_with_index{|s, i|n[i] = s.gsub(/[.\/]/,'_')}};end} remove_keys _dummy_, _dummy2_, _dummy3_ @type record_modifier _kubernetes_container_name ${record.dig("kubernetes","container_name")} _kubernetes_host "#{ENV['NODE_NAME']}" _kubernetes_namespace_name ${record.dig("kubernetes","namespace_name")} _kubernetes_pod_name ${record.dig("kubernetes","pod_name")} _log_type ${record.dig("log_type")} @type loki @id default_loki_infra line_format json url https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure ca_cert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt bearer_token_file /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_container_name _kubernetes_container_name kubernetes_host _kubernetes_host kubernetes_namespace_name _kubernetes_namespace_name kubernetes_pod_name _kubernetes_pod_name log_type _log_type @type file path '/var/lib/fluentd/default_loki_infra' flush_mode interval flush_interval 1s flush_thread_count 2 retry_type exponential_backoff retry_wait 1s retry_max_interval 60s retry_timeout 60m queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '32'}" total_limit_size "#{ENV['TOTAL_LIMIT_SIZE_PER_BUFFER'] || '8589934592'}" chunk_limit_size "#{ENV['BUFFER_SIZE_LIMIT'] || '8m'}" overflow_action block disable_chunk_backup true