parse ingress logs towards opensearch
assuming opensearch
this manifest deploys as a daemonset, so every node gets one pod
nmap -p 9200 10.1.0.30 # opensearch
nmap -p 9200 10.1.0.36 # elastic v7
get into the node that holds the ingress controller and check which log files you want to grab
docker exec -ti minikube bash
cd /var/log/containers/
ls -lF *ingress*
tail ingress-nginx-controller*log
^D
git clone https://github.com/fluent/helm-charts.git
cd helm-charts/charts/fluent-bit/
vi values.yaml
tune a few things
– note we switched to the debug image
– note we grab only the ingress logs
– note the parser name has inverted nginx-ingress naming (k8s-nginx-ingress, not ingress-nginx)
– note the index target matches the template hence will be created on-the-fly
– note we have a containerd runtime hence using the cri input parser
repository: cr.fluentbit.io/fluent/fluent-bit
tag: latest-debug
[INPUT]
    name tail
    path /var/log/containers/ingress-nginx-controller*log
    #parser docker
    parser cri
    tag kube
    mem_buf_limit 5MB
    skip_long_lines on
[FILTER]
    name parser
    match kube
    #key_name log
    key_name message
    parser k8s-nginx-ingress
    reserve_data true
[OUTPUT]
    name stdout
    match kube
see flb-k8s-ingress for splitting stdout and stderr
for opensearch we would have
[OUTPUT]
    Name opensearch
    Match kube.*
    Host 10.1.0.30
    port 9200
    tls on
    tls.verify off
    tls.debug 3
    http_user admin
    http_passwd PASSWORD
    index logs-dev-ingress
    suppress_type_name on
    #replace_dots on
as for elasticsearch we would have
[FILTER]
    name modify
    match kube.*
    rename host vhost
[OUTPUT]
    Name es
    Match kube.*
    Host 10.1.0.36
    #tls on
    #tls.verify off
    logstash_format off
    index logs-dev-ingress
    suppress_type_name on
    trace_error on
deploy
#helm uninstall fluent-bit
helm template fluent-bit . | grep image:
helm template fluent-bit . | less # check indentation
helm template fluent-bit . | grep namespace
helm template fluent-bit . --debug | less
helm install --dry-run fluent-bit .
helm install fluent-bit . # --namespace ingress...
kubectl get ds
#kubectl describe ds fluent-bit | less
see k8s-ingress-logs-acceptance
object mapping for [host] tried to parse field [host] as object, but found a concrete value
==> rename the host field to something else – the index mapping already has host as an object, so a plain string value for it is rejected (hence the modify filter above)
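Added example, not from these notes or the Fluent Bit project: a small Ruby simulation of the pipeline above (cri parser, then the k8s-nginx-ingress parser on the message key with reserve_data, then the host to vhost rename) plus a check for the object-mapping error. Ruby regexes are Onigmo, the engine Fluent Bit uses, so patterns can be pasted from parsers.conf unchanged; the k8s-nginx-ingress regex is my reconstruction of the stock parser, and the sample log line and ECS-style mapping are constructed assumptions.

```ruby
# Stock cri parser from fluent-bit's parsers.conf.
CRI_RE = /^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$/

# Assumption: reconstruction of the stock k8s-nginx-ingress parser. Note the
# first capture is named "host" although it holds the client address.
NGINX_INGRESS_RE = /^(?<host>[^ ]*) - (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*) "(?<referer>[^\"]*)" "(?<agent>[^\"]*)" (?<request_length>[^ ]*) (?<request_time>[^ ]*) \[(?<proxy_upstream_name>[^ ]*)\] (\[(?<proxy_alternative_upstream_name>[^ ]*)\] )?(?<upstream_addr>[^ ]*) (?<upstream_response_length>[^ ]*) (?<upstream_response_time>[^ ]*) (?<upstream_status>[^ ]*) (?<reg_id>[^ ]*).*$/

# Apply a regex parser; returns nil when the line does not match.
def parse_regex(re, text)
  m = re.match(text.to_s)
  m && m.named_captures.reject { |_, v| v.nil? }
end

# FILTER parser with reserve_data true: parsed fields are merged into the
# record and the original keys are kept (Fluent Bit would also take the
# parser's Time_Key as the record timestamp; here it is just another field).
def apply_parser_filter(record, key_name, re)
  fields = parse_regex(re, record[key_name])
  fields ? record.merge(fields) : record
end

# FILTER modify "rename host vhost".
def rename_key(record, from, to)
  return record unless record.key?(from)
  r = record.dup
  r[to] = r.delete(from)
  r
end

# Minimal check for the mapping error: fields the index maps as an object
# (e.g. ECS "host" with "properties") but the record carries as a scalar.
def object_mapping_conflicts(mapping, record)
  record.keys.select do |k|
    mapping[k].is_a?(Hash) && mapping[k].key?('properties') && !record[k].is_a?(Hash)
  end
end

# INPUT tail (parser cri) followed by the parser filter on "message".
def process_line(line)
  rec = parse_regex(CRI_RE, line)
  return nil unless rec
  apply_parser_filter(rec, 'message', NGINX_INGRESS_RE)
end

# Constructed sample line in CRI format as found under /var/log/containers/.
SAMPLE = '2023-06-01T10:00:00.123456789Z stdout F 10.244.0.1 - - [01/Jun/2023:10:00:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/7.88.1" 78 0.001 [default-web-80] [] 10.244.0.5:8080 2 0.001 200 abc123'
# Constructed ECS-style mapping fragment in which "host" is an object.
ECS_MAPPING = { 'host' => { 'properties' => { 'name' => { 'type' => 'keyword' } } } }
```

Run `object_mapping_conflicts(ECS_MAPPING, process_line(SAMPLE))` to see `["host"]`, and the same on `rename_key(..., 'host', 'vhost')` to see it cleared.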
https://docs.fluentbit.io/manual/installation/kubernetes
https://fluentbit.io/blog/2020/12/29/5-minute-guide-to-deploying-fluent-bit-on-kubernetes/
https://docs.fluentbit.io/manual/pipeline/inputs
https://docs.fluentbit.io/manual/pipeline/parsers
https://github.com/fluent/fluent-bit/blob/master/conf/parsers.conf
https://docs.fluentbit.io/manual/pipeline/parsers/regular-expression
https://docs.fluentbit.io/manual/pipeline/filters
https://docs.fluentbit.io/manual/pipeline/filters/parser
https://docs.fluentbit.io/manual/pipeline/filters/modify
https://docs.fluentbit.io/manual/pipeline/outputs
https://docs.fluentbit.io/manual/pipeline/outputs/opensearch
https://docs.fluentbit.io/manual/pipeline/outputs/elasticsearch
https://docs.fluentbit.io/manual/administration/scheduling-and-retries
==> Retry_Limit
https://stackoverflow.com/questions/40686151/kubernetes-pod-gets-recreated-when-deleted
https://discuss.elastic.co/t/where-is-the-object-mapping-for-host-defined/281541
https://hub.docker.com/r/fluent/fluent-bit/
https://devopscube.com/setup-efk-stack-on-kubernetes/
https://github.com/scriptcamp/kubernetes-efk
https://github.com/scriptcamp/kubernetes-efk/tree/main/fluentd
https://stackoverflow.com/questions/74443276/fluentbit-where-does-field-in-logs-for-pod-come-from
https://stackoverflow.com/questions/36649113/what-does-the-type-mean-in-elasticsearch
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/mapping-type-field.html
https://docs.fluentbit.io/manual/pipeline/inputs/systemd