---
apiVersion: v1
kind: ConfigMap
metadata:
name: fluentd-config
namespace: monitoring
labels:
k8s-app: fluentd-logzio
data:
fluent.conf: |
@include "#{ENV['FLUENTD_SYSTEMD_CONF'] || 'systemd'}.conf"
@include "#{ENV['FLUENTD_PROMETHEUS_CONF'] || 'prometheus'}.conf"
@include kubernetes.conf
@include system.conf
@include conf.d/*.conf
@type logzio_buffered
@id out_logzio
endpoint_url "#{ENV['LOGZIO_LOG_LISTENER']}?token=#{ENV['LOGZIO_LOG_SHIPPING_TOKEN']}"
output_include_time true
output_include_tags true
# Set the buffer type to file to improve the reliability and reduce the memory consumption
@type "#{ENV['LOGZIO_BUFFER_TYPE']}"
path "#{ENV['LOGZIO_BUFFER_PATH']}"
# Set queue_full action to block because we want to pause gracefully
# in case of the off-the-limits load instead of throwing an exception
overflow_action "#{ENV['LOGZIO_OVERFLOW_ACTION']}"
# Set the chunk limit conservatively to avoid exceeding the GCL limit
# of 10MiB per write request.
chunk_limit_size "#{ENV['LOGZIO_CHUNK_LIMIT_SIZE']}"
# Cap the combined memory usage of this buffer and the one below to
# 2MiB/chunk * (6 + 2) chunks = 16 MiB
queue_limit_length "#{ENV['LOGZIO_QUEUE_LIMIT_LENGTH']}"
# Never wait more than 5 seconds before flushing logs in the non-error case.
flush_interval "#{ENV['LOGZIO_FLUSH_INTERVAL']}"
# Never wait longer than 30 seconds between retries.
retry_max_interval "#{ENV['LOGZIO_RETRY_MAX_INTERVAL']}"
# Disable the limit on the number of retries (retry forever).
retry_forever "#{ENV['LOGZIO_RETRY_FOREVER']}"
# Use multiple threads for processing.
flush_thread_count "#{ENV['LOGZIO_FLUSH_THREAD_COUNT']}"
kubernetes.conf: |
@type tail
@id in_tail_container_logs
path /var/log/containers/*.log
pos_file /var/log/fluentd-containers.log.pos
exclude_path /var/log/containers/fluentd*.log
tag logzio.kubernetes.*
read_from_head true
@type multi_format
# for docker cri
format json
time_key time
time_format %Y-%m-%dT%H:%M:%S.%NZ
keep_time_key true
# for containerd cri
# format /^(?
@type tail
@id in_tail_minion
path /var/log/salt/minion
pos_file /var/log/fluentd-salt.pos
tag logzio.salt
@type regexp
expression /^(?
@type tail
@id in_tail_startupscript
path /var/log/startupscript.log
pos_file /var/log/fluentd-startupscript.log.pos
tag logzio.startupscript
@type syslog
@type tail
@id in_tail_docker
path /var/log/docker.log
pos_file /var/log/fluentd-docker.log.pos
tag logzio.docker
@type regexp
expression /^time="(?
@type tail
@id in_tail_etcd
path /var/log/etcd.log
pos_file /var/log/fluentd-etcd.log.pos
tag logzio.etcd
@type none
@type tail
@id in_tail_kubelet
multiline_flush_interval 5s
path /var/log/kubelet.log
pos_file /var/log/fluentd-kubelet.log.pos
tag logzio.kubelet
@type kubernetes
@type tail
@id in_tail_kube_proxy
multiline_flush_interval 5s
path /var/log/kube-proxy.log
pos_file /var/log/fluentd-kube-proxy.log.pos
tag logzio.kube-proxy
@type kubernetes
@type tail
@id in_tail_kube_apiserver
multiline_flush_interval 5s
path /var/log/kube-apiserver.log
pos_file /var/log/fluentd-kube-apiserver.log.pos
tag logzio.kube-apiserver
@type kubernetes
@type tail
@id in_tail_kube_controller_manager
multiline_flush_interval 5s
path /var/log/kube-controller-manager.log
pos_file /var/log/fluentd-kube-controller-manager.log.pos
tag logzio.kube-controller-manager
@type kubernetes
@type tail
@id in_tail_kube_scheduler
multiline_flush_interval 5s
path /var/log/kube-scheduler.log
pos_file /var/log/fluentd-kube-scheduler.log.pos
tag logzio.kube-scheduler
@type kubernetes
@type tail
@id in_tail_rescheduler
multiline_flush_interval 5s
path /var/log/rescheduler.log
pos_file /var/log/fluentd-rescheduler.log.pos
tag logzio.rescheduler
@type kubernetes
@type tail
@id in_tail_glbc
multiline_flush_interval 5s
path /var/log/glbc.log
pos_file /var/log/fluentd-glbc.log.pos
tag logzio.glbc
@type kubernetes
@type tail
@id in_tail_cluster_autoscaler
multiline_flush_interval 5s
path /var/log/cluster-autoscaler.log
pos_file /var/log/fluentd-cluster-autoscaler.log.pos
tag logzio.cluster-autoscaler
@type kubernetes
@include "#{ENV['AUDIT_LOG_FORMAT'] || 'audit'}.conf"
# This handles multiline exceptions automatically: https://github.com/GoogleCloudPlatform/fluent-plugin-detect-exceptions
@type detect_exceptions
remove_tag_prefix logzio
message log
languages all
multiline_flush_interval 0.1
@include "partial-#{ENV['CRI']}.conf"
# This adds type to the log && change key log to message
@type record_modifier
type k8s
message ${record["log"]}
remove_keys log
@type kubernetes_metadata
@id filter_kube_metadata
kubernetes_url "#{ENV['FLUENT_FILTER_KUBERNETES_URL'] || 'https://' + ENV.fetch('KUBERNETES_SERVICE_HOST') + ':' + ENV.fetch('KUBERNETES_SERVICE_PORT') + '/api'}"
verify_ssl "#{ENV['KUBERNETES_VERIFY_SSL'] || true}"
@type dedot
de_dot true
de_dot_separator _
de_dot_nested true
system.conf: |
log_level "#{ENV['LOGZIO_LOG_LEVEL']}"
systemd.conf: |
# Logs from systemd-journal for interesting services.
@type systemd
@id in_systemd_kubelet
filters [{ "_SYSTEMD_UNIT": "kubelet.service" }]
@type local
persistent true
path /var/log/fluentd-journald-kubelet-cursor.json
read_from_head true
tag kubelet
# Logs from docker-systemd
@type systemd
@id in_systemd_docker
filters [{ "_SYSTEMD_UNIT": "docker.service" }]
@type local
persistent true
path /var/log/fluentd-journald-docker-cursor.json
read_from_head true
tag docker.systemd
# Logs from systemd-journal for interesting services.
@type systemd
@id in_systemd_bootkube
filters [{ "_SYSTEMD_UNIT": "bootkube.service" }]
@type local
persistent true
path /var/log/fluentd-journald-bootkube-cursor.json
read_from_head true
tag bootkube
audit.conf: |
# Example:
# 2017-02-09T00:15:57.992775796Z AUDIT: id="90c73c7c-97d6-4b65-9461-f94606ff825f" ip="104.132.1.72" method="GET" user="kubecfg" as="" asgroups="" namespace="default" uri="/api/v1/namespaces/default/pods"
# 2017-02-09T00:15:57.993528822Z AUDIT: id="90c73c7c-97d6-4b65-9461-f94606ff825f" response="200"
@type tail
@id in_tail_kube_apiserver_audit
multiline_flush_interval 5s
path /var/log/kubernetes/kube-apiserver-audit.log
pos_file /var/log/kube-apiserver-audit.log.pos
tag logzio.kube-apiserver-audit
@type multiline
format_firstline /^\S+\s+AUDIT:/
# Fields must be explicitly captured by name to be parsed into the record.
# Fields may not always be present, and order may change, so this just looks
# for a list of key="\"quoted\" value" pairs separated by spaces.
# Unknown fields are ignored.
# Note: We can't separate query/response lines as format1/format2 because
# they don't always come one after the other for a given query.
format1 /^(?
audit-json.conf: |
@type tail
@id in_tail_kube_apiserver_audit
multiline_flush_interval 5s
path /var/log/kubernetes/kube-apiserver-audit.log
pos_file /var/log/kube-apiserver-audit.log.pos
tag logzio.kube-apiserver-audit
@type json
keep_time_key true
time_key timestamp
time_format %Y-%m-%dT%T.%L%Z
partial-docker.conf: |
# Concat docker cri partial log
# https://github.com/fluent-plugins-nursery/fluent-plugin-concat
# https://github.com/moby/moby/issues/34620#issuecomment-619369707
@type concat
key log
use_first_timestamp true
multiline_end_regexp /\n$/
separator ""
partial-containerd.conf: |
# Concat containerd cri partial log
# https://github.com/fluent/fluentd-kubernetes-daemonset/issues/412#issuecomment-636536767
@type concat
key log
use_first_timestamp true
partial_key logtag
partial_value P
separator ""