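---
# Helm values for a test deployment of file.d that tails Kubernetes container
# logs on the node and ships them to an Elasticsearch/OpenSearch endpoint
# over HTTPS.
# NOTE(review): the block layout below was restored from a copy that had been
# flattened onto one line; confirm the nesting (file_config in particular)
# against the chart's own values before use.

# Static /etc/hosts entry so the output endpoint's hostname resolves inside the
# pod. The name should match the one in the server certificate checked via
# output.ca_cert.
hostAliases:
  - ip: "10.1.0.30"
    hostnames:
      - "node-0.example.com"

serviceAccount:
  name: "file-d-test"

# do not run elk pods
elasticsearch:
  enabled: false

input:
  type: k8s
  watching_dir: /var/log/containers
  # useless unless you make it survive the containers: anything under /tmp is
  # gone when the container is replaced, and so are the read offsets
  offsets_file: /tmp/file-d-test-offsets.yaml
  file_config:
    persistence_mode: async
    # Only log files whose name contains "_default_" are read; the commented
    # alternative below selects "_ingress-nginx_" instead.
    filename_pattern: "*_default_*.log"
    #filename_pattern: "*_ingress-nginx_*.log"

actions:
  # vs. keep_fields
  #- type: remove_fields
  #  fields: [time]
  #- type: discard
  #  match_fields:
  #    k8s_namespace: [kube-system]
  #  match_mode: or

  # 1st pass before decoding log
  # get rid of all k8s fields containing a dot
  - type: keep_fields
    fields:
      - stream
      - log
      - k8s_namespace
      - k8s_pod
      - k8s_container
      - k8s_node

  # Decode the "log" field as JSON for events matching the fields below.
  - type: json_decode
    field: log
    match_fields:
      k8s_container: [filed, etcd]
      stream: [stdout]
    match_mode: or
    log_json_parse_error_mode: withnode

  - type: remove_fields
    fields:
      # from file.d logs
      - ts

  - type: set_time
    field: "@timestamp"

  - type: add_file_name
    field: file_name

  # Tag every event with the name of the shipper that produced it.
  - type: modify
    sensor: file.d@minikube

output:
  type: elasticsearch
  endpoints: ["https://node-0.example.com:9200"]
  # Root CA used to verify the endpoint's TLS certificate. The body is a
  # placeholder: paste the PEM of the cluster's root CA here. This is a public
  # certificate, never a private key.
  ca_cert: |
    -----BEGIN CERTIFICATE-----
    ...( paste root-ca.pem from opensearch coordinator node )...
    -----END CERTIFICATE-----
  index_format: "test-file-d-k8s"
  # NOTE(review): "admin" is a far broader identity than a log shipper needs.
  # With batch_op_type: create, a dedicated account that may only create
  # documents in the target index would limit the impact of a leaked values
  # file or a compromised pod.
  username: admin
  # NOTE(review): placeholder. Keep the real password out of version control
  # and supply it at deploy time from a secret store rather than committing it
  # in this file.
  password: PASSWORD
  connection_timeout: 1s
  workers_count: 3
  batch_op_type: create
  fatal_on_failed_insert: true

# Node log directories are exposed to the pod through hostPath volumes, which
# hold logs from every workload on the node, so all mounts stay read-only.
volumeMounts:
  - name: k8s-containers
    mountPath: "/var/log/containers"
    readOnly: true
  - name: k8s-pods
    mountPath: "/var/log/pods"
    readOnly: true
  - name: docker-containers
    mountPath: "/var/lib/docker/containers"
    readOnly: true

volumes:
  - hostPath:
      path: /var/log/containers
    name: k8s-containers
  - hostPath:
      path: /var/log/pods/
    name: k8s-pods
  - hostPath:
      path: /var/lib/docker/containers
    name: docker-containers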