oracle-quickstart / oci-kubernetes-monitoring

Kubernetes Monitoring with OCI Observability & Management Platform
https://www.oracle.com/manageability/logging-analytics/
Universal Permissive License v1.0

Concatenate records split because of the size into only one record #10

Closed edinardo closed 1 year ago

edinardo commented 1 year ago

Logging records above a certain size (8k using CRI-O, for instance) get split into "partial" records that ultimately fail to be parsed once sent to the "Log Source", since each contains just part of the "full" record.

Using the CRI-O case as an example, the use of the already existing concat filter is recommended to concatenate the records into one single entry.

Please update the logging ConfigMaps accordingly to support this feature.

santhoshkvuda commented 1 year ago

Hi @edinardo,

Thanks for reaching out to us. Could you explain in detail what context of log(s) you are referring to? For the Oracle-defined configuration (for various Kubernetes System/Service logs) we are already using the Concat plugin where applicable, except for "Generic Container Logs". We cannot use the Concat plugin here, as we will not have the context of the log pattern (single line vs. multi-line, multi-line start expression, etc.).

However, we have given users the control to modify/customise the configuration according to their needs using the customLogs section. Please refer to this section of the README for details.

edinardo commented 1 year ago

Let's use containers running on CRI-O as an example. If you have a single record with more than 8192 bytes, CRI-O will split the record into more than one line in the file. Once that file/record is read by Fluentd, the cri parser will split it into multiple records like:

time: 2020-10-10 09:10:00.333333333Z
record: {"stream":"stdout","logtag":"P","message":"This is first record contains 8192 bytes ...","time":"2020-10-10T00:10:00.333333333Z"}

time: 2020-10-10 09:11:00.333333333Z
record: {"stream":"stdout","logtag":"F","message":"... this is the record with the content after 8192 bytes","time":"2020-10-10T00:11:00.333333333Z"}

These records need to be concatenated into one record before getting processed by another filter down in the pipeline. This can be achieved using the @type concat filter plugin with the use_partial_cri_logtag parameter.
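
The reassembly described in the comment above, as an added Python example that is not part of the original thread and is not the concat plugin's own code. The function name `concat_partial_cri`, the empty separator, the choice to keep the final fragment's other fields, and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict


def concat_partial_cri(records, key="message", logtag_key="logtag",
                       stream_key="stream", separator=""):
    """Merge CRI partial ("P") fragments with their closing full ("F") record.

    Fragments are buffered per stream so that interleaved stdout/stderr
    lines are never glued together. Returns (merged, incomplete), where
    incomplete maps a stream to text that never saw its closing "F" record.
    """
    pending = defaultdict(list)  # stream -> message fragments seen so far
    merged = []
    for rec in records:
        stream = rec.get(stream_key, "")
        pending[stream].append(rec.get(key, ""))
        if rec.get(logtag_key) == "P":
            continue  # more fragments follow on this stream
        # "F" closes the record; the other fields come from the final fragment
        out = dict(rec)
        out[key] = separator.join(pending.pop(stream))
        merged.append(out)
    incomplete = {s: separator.join(parts) for s, parts in pending.items()}
    return merged, incomplete


# Constructed sample input, shaped like the cri parser output quoted above.
SAMPLE = [
    {"stream": "stdout", "logtag": "P",
     "message": '{"user":"alice","ac', "time": "2020-10-10T00:10:00.1Z"},
    {"stream": "stderr", "logtag": "F",
     "message": "warn: slow request", "time": "2020-10-10T00:10:00.2Z"},
    {"stream": "stdout", "logtag": "F",
     "message": 'tion":"login"}', "time": "2020-10-10T00:10:00.3Z"},
    {"stream": "stdout", "logtag": "P",
     "message": "truncated tail", "time": "2020-10-10T00:10:00.4Z"},
]

if __name__ == "__main__":
    done, leftover = concat_partial_cri(SAMPLE)
    for record in done:
        print(record)
    print("incomplete:", leftover)
```

Anything left in `incomplete` is a record whose closing fragment never arrived; a pipeline should flush or flag it rather than drop it silently, so that an oversized event does not disappear from the log source.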

santhoshkvuda commented 1 year ago

Got it. We are talking only about the part that handles partial log messages here. We will fix it.

santhoshkvuda commented 1 year ago

This is fixed in the recent version released a couple of months back.