Closed binc75 closed 8 months ago
Hey @binc75,
as you correctly noted, changing the INPUT tag from `containers.*` to `kube.*` will result in a broken collection; more info can be found in the explanation for the issue #1563
Is there anything interesting in the Fluentd logs?
I don't see anything suspicious in your config, the metadata enrichment should work - let us take a look and get back to you.
Hi @perk-sumo, I didn't notice any unusual fluentd log, on that side everything looks good. Thank you for having a look.
Cheers Nicola.
@binc75 from a cursory look at your logs, you're using an incorrect parser. It seems your logs are in Docker format, but you're using the `containerd` parser in your Fluent Bit config.
@astencel-sumo actually the logs are parsed and sent to SUMO, just without the k8s enrichment. If I remember well, with the Docker parser no logs were sent. I will anyway give another try with the Docker parser and let you know.
@astencel-sumo I tried the Docker filter, but at the end of the day the situation remains pretty much the same: no k8s enrichment.
Hey @binc75 could you check one thing - are the fields created in your account?
Could you check some of them like `statefulset`, `daemonset` or `namespace`?
You can do it like that:
Hi @perk-sumo,
I've `namespace` but no `statefulset`, `daemonset`
Ok, so now it all makes sense. The metadata is being added and sent to Sumo but because there are no fields they cannot be used for search.
That's because in the `values.yaml` file I can see the following configuration key:

```yaml
sumologic:
  ## If enabled, a pre-install hook will create Collector and Sources in Sumo Logic
  setupEnabled: false
```

When the setup job is enabled it's responsible for all the configuration on the Sumo collection side. Among others it adds default k8s fields so that data can be searched by its metadata (like `statefulset` or `daemonset`) and dashboards are populated correctly.
Can the `setup` be enabled? It's idempotent, can be run multiple times with same effect so there is no need to keep it disabled - unless some custom changes on the Sumo collection side are needed.
Alternatively all the fields can be added by hand in the UI, they should be available in the `Dropped Fields` list:
I am also seeing similar issues with our eks setup (no enrichment) EKS: 1.21 sumologic: 2.6.0
I have `setupEnabled` as true. However, I don't see `statefulset` and `daemonset` in the fields. I also added all the fields in the dropped fields list by hand.
I followed this to change the config to scrape from /var/log/pods: https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/deploy/docs/Best_Practices.md#collecting-logs-from-varlogpods.
This is my config (everything else is default):
```yaml
fluentd:
  logs:
    containers:
      excludePodRegex: "(oauth2-proxy.*|nexus.*|lighthouse.*|jx-preview-gc.*|)"
      excludeNamespaceRegex: "(sumologic|kuberhealthy|kube-public|default|jx-git-operator|kube-system|nginx|secret-infra|jx-vault)"
      k8sMetadataFilter:
        ## uses docker_id as alias for uid as it's being used in plugin's code directly
        tagToMetadataRegexp: .+?\.pods\.(?<namespace>[^_]+)_(?<pod_name>[^_]+)_(?<docker_id>(?<uid>[a-f0-9\-]{36}))\.(?<container_name>[^\._]+)\.(?<run_id>\d+)\.log$
  metrics:
    extraFilterPluginConf: |-
      <filter **>
        @type grep
        <exclude>
          key namespace
          pattern /(^sumologic$|^jx-git-operator$|^tekton-pipelines$|^kuberhealthy$|^kube-system$|^nginx$)/
        </exclude>
        <exclude>
          key pod
          pattern /(^oauth2-proxy|^nexus|^lighthouse-gc|^jx-preview-gc)/
        </exclude>
      </filter>
fluent-bit:
  config:
    inputs: |
      [INPUT]
          Name tail
          Path /var/log/pods/*/*/*.log
          Docker_Mode On
          Docker_Mode_Parser multi_line
          Tag containers.*
          Refresh_Interval 1
          Rotate_Wait 60
          Mem_Buf_Limit 5MB
          Skip_Long_Lines On
          DB /tail-db/tail-containers-state-sumo.db
          DB.Sync Normal
      [INPUT]
          Name systemd
          Tag host.*
          DB /tail-db/systemd-state-sumo.db
          Systemd_Filter _SYSTEMD_UNIT=addon-config.service
          Systemd_Filter _SYSTEMD_UNIT=addon-run.service
          Systemd_Filter _SYSTEMD_UNIT=cfn-etcd-environment.service
          Systemd_Filter _SYSTEMD_UNIT=cfn-signal.service
          Systemd_Filter _SYSTEMD_UNIT=clean-ca-certificates.service
          Systemd_Filter _SYSTEMD_UNIT=containerd.service
          Systemd_Filter _SYSTEMD_UNIT=coreos-metadata.service
          Systemd_Filter _SYSTEMD_UNIT=coreos-setup-environment.service
          Systemd_Filter _SYSTEMD_UNIT=coreos-tmpfiles.service
          Systemd_Filter _SYSTEMD_UNIT=dbus.service
          Systemd_Filter _SYSTEMD_UNIT=docker.service
          Systemd_Filter _SYSTEMD_UNIT=efs.service
          Systemd_Filter _SYSTEMD_UNIT=etcd-member.service
          Systemd_Filter _SYSTEMD_UNIT=etcd.service
          Systemd_Filter _SYSTEMD_UNIT=etcd2.service
          Systemd_Filter _SYSTEMD_UNIT=etcd3.service
          Systemd_Filter _SYSTEMD_UNIT=etcdadm-check.service
          Systemd_Filter _SYSTEMD_UNIT=etcdadm-reconfigure.service
          Systemd_Filter _SYSTEMD_UNIT=etcdadm-save.service
          Systemd_Filter _SYSTEMD_UNIT=etcdadm-update-status.service
          Systemd_Filter _SYSTEMD_UNIT=flanneld.service
          Systemd_Filter _SYSTEMD_UNIT=format-etcd2-volume.service
          Systemd_Filter _SYSTEMD_UNIT=kube-node-taint-and-uncordon.service
          Systemd_Filter _SYSTEMD_UNIT=kubelet.service
          Systemd_Filter _SYSTEMD_UNIT=ldconfig.service
          Systemd_Filter _SYSTEMD_UNIT=locksmithd.service
          Systemd_Filter _SYSTEMD_UNIT=logrotate.service
          Systemd_Filter _SYSTEMD_UNIT=lvm2-monitor.service
          Systemd_Filter _SYSTEMD_UNIT=mdmon.service
          Systemd_Filter _SYSTEMD_UNIT=nfs-idmapd.service
          Systemd_Filter _SYSTEMD_UNIT=nfs-mountd.service
          Systemd_Filter _SYSTEMD_UNIT=nfs-server.service
          Systemd_Filter _SYSTEMD_UNIT=nfs-utils.service
          Systemd_Filter _SYSTEMD_UNIT=node-problem-detector.service
          Systemd_Filter _SYSTEMD_UNIT=ntp.service
          Systemd_Filter _SYSTEMD_UNIT=oem-cloudinit.service
          Systemd_Filter _SYSTEMD_UNIT=rkt-gc.service
          Systemd_Filter _SYSTEMD_UNIT=rkt-metadata.service
          Systemd_Filter _SYSTEMD_UNIT=rpc-idmapd.service
          Systemd_Filter _SYSTEMD_UNIT=rpc-mountd.service
          Systemd_Filter _SYSTEMD_UNIT=rpc-statd.service
          Systemd_Filter _SYSTEMD_UNIT=rpcbind.service
          Systemd_Filter _SYSTEMD_UNIT=set-aws-environment.service
          Systemd_Filter _SYSTEMD_UNIT=system-cloudinit.service
          Systemd_Filter _SYSTEMD_UNIT=systemd-timesyncd.service
          Systemd_Filter _SYSTEMD_UNIT=update-ca-certificates.service
          Systemd_Filter _SYSTEMD_UNIT=user-cloudinit.service
          Systemd_Filter _SYSTEMD_UNIT=var-lib-etcd2.service
          Max_Entries 1000
          Read_From_Tail true
```

The logs are in docker format, so I am using `docker_mode` and `Docker_Mode_Parser`. Is there something I am missing?
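
Added example (not part of the comment above and not the Sumo Logic chart's own code): a Ruby check of whether the `tagToMetadataRegexp` from the posted config can extract pod identity from the tags the `tail` input produces. `tail_tag`, `metadata_from_tag` and the sample paths are constructed for illustration, and the example assumes Fluent Bit expands `*` in `Tag` to the file path with `/` turned into `.`.

```ruby
# The regexp from the values.yaml above, unchanged (Ruby named groups, as used by Fluentd).
TAG_TO_METADATA = /.+?\.pods\.(?<namespace>[^_]+)_(?<pod_name>[^_]+)_(?<docker_id>(?<uid>[a-f0-9\-]{36}))\.(?<container_name>[^\._]+)\.(?<run_id>\d+)\.log$/

# Assumption: the tail input replaces "*" in Tag with the absolute file path,
# dropping the leading "/" and turning the remaining "/" into ".".
def tail_tag(tag_pattern, path)
  tag_pattern.sub('*', path.sub(%r{\A/}, '').tr('/', '.'))
end

# Returns a Hash of the named captures, or nil when the tag carries no usable
# pod identity (in which case there is nothing to look the pod up by).
def metadata_from_tag(tag)
  match = TAG_TO_METADATA.match(tag)
  match && match.named_captures
end

# Constructed sample values, not taken from the issue.
SAMPLE_UID      = '0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b'
PODS_PATH       = "/var/log/pods/payments_api-7d9f_#{SAMPLE_UID}/api/0.log"
CONTAINERS_PATH = "/var/log/containers/api-7d9f_payments_api-#{'ab' * 32}.log"

if __FILE__ == $PROGRAM_NAME
  [PODS_PATH, CONTAINERS_PATH].each do |path|
    tag = tail_tag('containers.*', path)
    md  = metadata_from_tag(tag)
    puts tag
    puts md ? "  -> #{md}" : '  -> no match: regexp expects the /var/log/pods layout'
  end
end
```

A tag built from the `/var/log/containers` layout does not match this regexp, so the regexp and the `Path` in the `tail` input have to be changed together.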
Environment:
Description: I'm trying to enrich containers logs sent to sumologic with kubernetes metadata information. I see the containers logs but no additional information about kubernetes metadata.
Here an example of what I get:
My `values.yaml` is pretty simple, I only care about logs and not metrics and so on:
The `sumologic-sumologic-fluentd-logs` configmap looks like this
I'm a little bit lost because I thought this would have worked out of the box but I clearly miss something.
Note: I was able to get the k8s metadata using fluent-bit changing the tail INPUT Tag to `kube.*` to match the fluent-bit filter, but I suppose this is not the right way since this screwed up the filtering in fluentd.
Thank you!