$ oc adm new-project logging --node-selector="" $ oc project logging
As an OKD cluster administrator, you can deploy the eFK stack to aggregate logs for a range of OKD services. Application developers can view the logs of the projects for which they have view access. The eFK stack aggregates logs from hosts and applications, whether coming from multiple containers or even deleted pods.
The eFK stack is a modified version of the eLK stack and is comprised of:
elasticsearch (eS): An object store where all logs are stored.
Fluentd: Gathers logs from nodes and feeds them to elasticsearch.
Kibana: A web UI for elasticsearch.
Curator: Removes old logs from elasticsearch.
After deployment in a cluster, the stack aggregates logs from all nodes and projects into elasticsearch, and provides a Kibana UI to view any logs. Cluster administrators can view all logs, but application developers can only view logs for projects they have permission to view. The stack components communicate securely.
Managing
Docker Container Logs discusses the use of |
An Ansible playbook is available to deploy and upgrade aggregated logging. You should familiarize yourself with the advanced installation and configuration section. This provides information for preparing to use Ansible and includes information about configuration. Parameters are added to the Ansible inventory file to configure various areas of the eFK stack.
Review the sizing guidelines to determine how best to configure your deployment.
ensure that you have deployed a router for the cluster.
ensure that you have the necessary storage for elasticsearch. Note that each elasticsearch replica requires its own storage volume. See elasticsearch for more information.
Determine if you need highly-available elasticsearch. A highly-available environment requires
multiple replicas of each shard. By default, OKD creates one shard for each index and
zero replicas of those shards. To create high availability, set the openshift_logging_es_number_of_replicas
Ansible variable
to a value higher than 1
. High availability also requires at least three elasticsearch nodes,
each on a different host. See elasticsearch for more information.
Choose a project. Once deployed, the eFK stack collects logs for every
project within your OKD cluster. The examples in this section use the
default project logging. The Ansible playbook creates the project for you
if it does not already exist. You will only need to create a project if you want
to specify a node-selector on it. Otherwise, the openshift-logging
role will
create a project.
$ oc adm new-project logging --node-selector="" $ oc project logging
Specifying an empty node selector on the project is recommended, as Fluentd should be deployed throughout the cluster and any selector would restrict where it is deployed. To control component placement, specify node selectors per component to be applied to their deployment configurations. |
Parameters for the eFK deployment may be specified to the inventory host file to override the default parameter values. Read the elasticsearch and the Fluentd sections before choosing parameters:
By default the elasticsearch service uses port 9300 for TCP communication between nodes in a cluster. |
Parameter | Description | ||
---|---|---|---|
|
The prefix for logging component images. For example, setting the prefix to openshift/origin- creates openshift/origin-logging-fluentd:v1.5. |
||
|
The version for logging component images. For example, setting the version to v1.5 creates openshift/origin-logging-fluentd:v1.5. |
||
|
If set to |
||
|
The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. For example, https://<PRIVATe-MASTeR-URL>:8443. |
||
|
The public facing URL for the Kubernetes master. This is used for Authentication redirection by the Kibana proxy. For example, https://<CONSOLe-PUBLIC-URL-MASTeR>:8443. |
||
|
The namespace where Aggregated Logging is deployed. |
||
|
Set to |
||
|
The common uninstall keeps PVC to prevent unwanted data loss during
reinstalls. To ensure that the Ansible playbook completely and irreversibly
removes all logging persistent data including PVC, set
|
||
|
Coupled with |
||
|
The prefix for the eventrouter logging image. The default is set to
|
||
|
The image version for the logging eventrouter. The default is set to 'openshift_logging_image_version'. |
||
|
Select a sink for eventrouter, supported |
||
|
A map of labels, such as |
||
|
The default is set to '1'. |
||
|
The minimum amount of CPU to allocate to eventrouter. The default is set to '100m'. |
||
|
The memory limit for eventrouter pods. The default is set to '128Mi'. |
||
|
The project where eventrouter is deployed. The default is set to 'default'.
|
||
|
Specify the name of an existing pull secret to be used for pulling component images from an authenticated registry. |
||
|
The default minimum age (in days) Curator uses for deleting log records. |
||
|
The hour of the day Curator will run. |
||
|
The minute of the hour Curator will run. |
||
|
The timezone Curator uses for figuring out its run time. Provide the
timezone as a string in the tzselect(8) or timedatectl(1) "Region/Locality"
format, for example |
||
|
The script log level for Curator. |
||
|
The log level for the Curator process. |
||
|
The amount of CPU to allocate to Curator. |
||
|
The amount of memory to allocate to Curator. |
||
|
A node selector that specifies which nodes are eligible targets for deploying Curator instances. |
||
|
equivalent to |
||
|
equivalent to |
||
|
The external host name for web clients to reach Kibana. |
||
|
The amount of CPU to allocate to Kibana. |
||
|
The amount of memory to allocate to Kibana. |
||
|
When |
||
|
The amount of CPU to allocate to Kibana proxy. |
||
|
The amount of memory to allocate to Kibana proxy. |
||
|
The number of replicas to which Kibana should be scaled up. |
||
|
A node selector that specifies which nodes are eligible targets for deploying Kibana instances. |
||
|
A map of environment variables to add to the Kibana deployment configuration. For example, {"eLASTICSeARCH_ReQUeSTTIMeOUT":"30000"}. |
||
|
The public facing key to use when creating the Kibana route. |
||
|
The cert that matches the key when creating the Kibana route. |
||
|
Optional. The CA to goes with the key and cert used when creating the Kibana route. |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
Set to |
||
|
The external-facing hostname to use for the route and the TLS server
certificate. The default is set to For example, if |
||
|
The location of the certificate elasticsearch uses for the external TLS server cert. The default is a generated cert. |
||
|
The location of the key elasticsearch uses for the external TLS server cert. The default is a generated key. |
||
|
The location of the CA cert elasticsearch uses for the external TLS server cert. The default is the internal CA. |
||
|
Set to |
||
|
The external-facing hostname to use for the route and the TLS server certificate.
The default is set to For example, if |
||
|
The location of the certificate elasticsearch uses for the external TLS server cert. The default is a generated cert. |
||
|
The location of the key elasticsearch uses for the external TLS server cert. The default is a generated key. |
||
|
The location of the CA cert elasticsearch uses for the external TLS server cert. The default is the internal CA. |
||
|
A node selector that specifies which nodes are eligible targets for deploying Fluentd instances. Any node where Fluentd should run (typically, all) must have this label before Fluentd is able to run and collect logs. When scaling up the Aggregated Logging cluster after installation,
the As part of the installation, it is recommended that you add the Fluentd node selector label to the list of persisted node labels. |
||
|
The CPU limit for Fluentd pods. |
||
|
The memory limit for Fluentd pods. |
||
|
Set to |
||
|
List of nodes that should be labeled for Fluentd to be deployed. The default is
to label all nodes with ['--all']. The null value is
|
||
|
When |
||
|
Location of audit log file. The default is |
||
|
Location of the Fluentd |
||
|
The name of the elasticsearch service where Fluentd should send logs. |
||
|
The port for the elasticsearch service where Fluentd should send logs. |
||
|
The location of the CA Fluentd uses to communicate with |
||
|
The location of the client certificate Fluentd uses for |
||
|
The location of the client key Fluentd uses for |
||
|
elasticsearch nodes to deploy. High availability requires at least three or more. |
||
|
The amount of CPU limit for the elasticsearch cluster. |
||
|
Amount of RAM to reserve per elasticsearch instance. It must be at least 512M. Possible suffixes are G,g,M,m. |
||
|
The number of replicas per primary shard for each new index. Defaults to '0'. A minimum of |
||
|
The number of primary shards for every new index created in eS. Defaults to '1'. |
||
|
A key/value map added to a PVC in order to select specific PVs. |
||
|
To dynamically provision the backing storage, set the parameter value to |
||
|
To use a non-default storage class, specify the storage class name, such as
|
||
|
Size of the persistent volume claim to
create per elasticsearch instance. For example, 100G. If omitted, no PVCs are
created and ephemeral volumes are used instead. If you set this parameter, the logging installer sets |
||
|
Sets the elasticsearch storage type. If you are using Persistent elasticsearch Storage, the logging installer sets this to |
||
|
Prefix for the names of persistent volume claims to be used as storage for
elasticsearch nodes. A number is appended per node, such as
logging-es-1. If they do not already exist, they are created with size
When
|
||
|
The amount of time elasticsearch will wait before it tries to recover. |
||
|
Number of a supplemental group ID for access to elasticsearch storage volumes. Backing volumes should allow access by this group ID. |
||
|
A node selector specified as a map that determines which nodes are eligible targets
for deploying elasticsearch nodes. Use this map to place these instances on nodes that are reserved or optimized for running them.
For example, the selector could be |
||
|
Set to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
equivalent to |
||
|
A node selector that specifies which nodes are eligible targets
for deploying elasticsearch nodes. This can be used to place
these instances on nodes reserved or optimized for running them.
For example, the selector could be |
||
|
The default value, You may also set the value |
||
|
Adjusts the time that the Ansible playbook waits for the elasticsearch cluster to enter a green state after upgrading a given elasticsearch node.
Large shards, 50 GB or more, can take more than 60 minutes to initialize, causing the Ansible playbook to abort the upgrade procedure.
The default is |
||
|
A node selector that specifies which nodes are eligible targets for deploying Kibana instances. |
||
|
A node selector that specifies which nodes are eligible targets for deploying Curator instances. |
Custom Certificates
You can specify custom certificates using the following inventory variables instead of relying on those generated during the deployment process. These certificates are used to encrypt and secure communication between a user’s browser and Kibana. The security-related files will be generated if they are not supplied.
File Name | Description |
---|---|
|
A browser-facing certificate for the Kibana server. |
|
A key to be used with the browser-facing Kibana certificate. |
|
The absolute path on the control node to the CA file to use for the browser facing Kibana certs. |
|
A browser-facing certificate for the Ops Kibana server. |
|
A key to be used with the browser-facing Ops Kibana certificate. |
|
The absolute path on the control node to the CA file to use for the browser facing ops Kibana certs. |
If you need to redeploy these certificates, see Redeploy eFK Certificates.
The eFK stack is deployed using an Ansible playbook to the eFK components. Run the playbook from the default OpenShift Ansible location using the default inventory file.
$ ansible-playbook playbooks/openshift-logging/config.yml
Running the playbook deploys all resources needed to support the stack; such as Secrets, ServiceAccounts, and DeploymentConfigs. The playbook waits to deploy the component pods until the stack is running. If the wait steps fail, the deployment could still be successful; it may be retrieving the component images from the registry which can take up to a few minutes. You can watch the process with:
$ oc get pods -w logging-curator-1541129400-l5h77 0/1 Running 0 11h (1) logging-es-data-master-ecu30lr4-1-deploy 0/1 Running 0 11h (2) logging-fluentd-2lgwn 1/1 Running 0 11h (3) logging-fluentd-lmvms 1/1 Running 0 11h logging-fluentd-p9nd7 1/1 Running 0 11h logging-kibana-1-zk94k 2/2 Running 0 11h (4)
1 | The Curator pod. Only one pod is needed for Curator. |
2 | The elasticsearch pod on this host. |
3 | The Fliuentd pods. There is one pod for each node in the cluster. |
4 | The Kibana pods. |
You can use the `oc get pods -o wide command to see the nodes where the Fluentd pod are deployed:
oc get pods -o wide NAMe ReADY STATUS ReSTARTS AGe IP NODe NOMINATeD NODe logging-es-data-master-5av030lk-1-2x494 2/2 Running 0 38m 154.128.0.80 ip-153-12-8-6.wef.internal <none> logging-fluentd-lqdxg 1/1 Running 0 2m 154.128.0.85 ip-153-12-8-6.wef.internal <none> logging-kibana-1-gj5kc 2/2 Running 0 39m 154.128.0.77 ip-153-12-8-6.wef.internal <none>
They will eventually enter Running status. For additional details about the status of the pods during deployment by retrieving associated events:
$ oc describe pods/<pod_name>
Check the logs if the pods do not run successfully:
$ oc logs -f <pod_name>
This section describes adjustments that you can make to deployed components.
The logs for the default, openshift, and openshift-infra projects are automatically aggregated and grouped into the .operations item in the Kibana interface. The project where you have deployed the eFK stack (logging, as documented here) is not aggregated into .operations and is found under its ID. |
If you set openshift_logging_use_ops
to true in your inventory file, Fluentd is
configured to split logs between the main elasticsearch cluster and another
cluster reserved for operations logs, which are defined as node system logs and
the projects default, openshift, and openshift-infra. Therefore, a
separate elasticsearch cluster, a separate Kibana, and a separate Curator are
deployed to index, access, and manage operations logs. These deployments are set
apart with names that include -ops
. Keep these separate deployments in mind if
you enable this option. Most of the following discussion also applies to the
operations cluster if present, just with the names changed to include -ops
.
elasticsearch (eS) is an object store where all logs are stored.
elasticsearch organizes the log data into datastores, each called an index. elasticsearch subdivides each index into multiple pieces called shards, which it spreads across a set of elasticsearch nodes in your cluster. You can configure elasticsearch to make copies of the shards, called replicas. elasticsearch also spreads replicas across the elactisearch nodes. The combination of shards and replicas is intended to provide redundancy and resilience to failure. For example, if you configure three shards for the index with one replica, elasticsearch generates a total of six shards for that index: three primary shards and three replicas as a backup.
The OKD logging installer ensures each elasticsearch node is deployed using a unique deployment configuration that includes its own storage volume.
You can create an additional deployment configuration for each elasticsearch node you add to the logging system.
During installation, you can use the openshift_logging_es_cluster_size
Ansible variable to specify the number of elasticsearch nodes.
Alternatively, you can scale up your existing cluster by modifying the
openshift_logging_es_cluster_size
in the inventory file and re-running the
logging playbook. Additional clustering parameters can be modified and are
described in Specifying Logging Ansible Variables.
Refer to elastic’s documentation for considerations involved in choosing storage and network location as directed below.
A highly-available elasticsearch environment requires at least three elasticsearch nodes,
each on a different host, and setting the |
Viewing all elasticsearch Deployments
To view all current elasticsearch deployments:
$ oc get dc --selector logging-infra=elasticsearch
Configuring elasticsearch for High Availability
A highly-available elasticsearch environment requires at least three elasticsearch nodes,
each on a different host, and setting the openshift_logging_es_number_of_replicas
Ansible variable
to a value of 1
or higher to create replicas.
Use the following scenarios as a guide for an OKD cluster with three elasticsearch nodes:
If you can tolerate one elasticsearch node going down,
set openshift_logging_es_number_of_replicas
to 1
. This ensures
that two nodes have a copy of all of the elasticsearch data in the cluster.
If you must tolerate two elasticsearch nodes going down,
set openshift_logging_es_number_of_replicas
to 2
. This ensures that
every node has a copy of all of the elasticsearch data in the cluster.
Note that there is a trade-off between high availability and performance.
For example, having openshift_logging_es_number_of_replicas=2
and
openshift_logging_es_number_of_shards=3
requires elasticsearch to spend
significant resources replicating the shard data among the nodes in the cluster.
Also, using a higher number of replicas requires doubling or tripling the data storage
requirements on each node, so you must take that into account when planning
persistent storage for elasticsearch.
Considerations when Configuring the Number of Shards
For the openshift_logging_es_number_of_shards
parameter, consider:
For higher performance, increase the number of shards. For example, in a three
node cluster, set openshift_logging_es_number_of_shards=3
. This will cause
each index to be split into three parts (shards), and the load for processing the
index will be spread out over all 3 nodes.
If you have a large number of projects, you might see performance degradation if you have more than a few thousand shards in the cluster. either reduce the number of shards or reduce the curation time.
If you have a small number of very large indices, you might want to configure
openshift_logging_es_number_of_shards=3
or higher. elasticsearch recommends
using a maximum shard size of less than 50 GB.
Node Selector
Because elasticsearch can use a lot of resources, all members of a cluster should have low latency network connections to each other and to any remote storage. ensure this by directing the instances to dedicated nodes, or a dedicated region within your cluster, using a node selector.
To configure a node selector, specify the openshift_logging_es_nodeselector
configuration option in the inventory file. This applies to all elasticsearch
deployments; if you need to individualize the node selectors, you must manually
edit each deployment configuration after deployment. The node selector is
specified as a python compatible dict. For example, {"node-type":"infra",
"region":"east"}
.
By default, the openshift_logging
Ansible role creates an ephemeral
deployment in which all data in a pod is lost upon pod restart.
For production environments, each elasticsearch deployment configuration requires a persistent storage volume. You can specify an existing persistent volume claim or allow OKD to create one.
Use existing PVCs. If you create your own PVCs for the deployment, OKD uses those PVCs.
Name the PVCs to match the openshift_logging_es_pvc_prefix
setting, which defaults to
logging-es
. Assign each PVC a name with a sequence number added to it: logging-es-0
,
logging-es-1
, logging-es-2
, and so on.
Allow OKD to create a PVC. If a PVC for elsaticsearch does not exist, OKD creates the PVC based on parameters in the Ansible inventory file.
Parameter | Description | ||
---|---|---|---|
|
Specify the size of the PVC request. |
||
|
Specify the storage type as
|
||
|
Optionally, specify a custom prefix for the PVC. |
For example:
openshift_logging_elasticsearch_storage_type=pvc
openshift_logging_es_pvc_size=104802308Ki
openshift_logging_es_pvc_prefix=es-logging
If using dynamically provisioned PVs, the OKD logging installer creates PVCs that use the default storage class or the PVC specified with the openshift_logging_elasticsearch_pvc_storage_class_name
parameter.
If using NFS storage, the OKD installer creates the persistent volumes, based on the openshift_logging_storage_*
parameters
and the OKD logging installer creates PVCs, using the openshift_logging_es_pvc_*
paramters.
Make sure you specify the correct parameters in order to use persistent volumes with eFK.
Also set the openshift_enable_unsupported_configurations=true
parameter in the Ansible inventory file, as the logging installer blocks the installation of NFS with core infrastructure by default.
Using NFS storage as a volume or a persistent volume, or using NAS such as Gluster, is not supported for elasticsearch storage, as Lucene relies on file system behavior that NFS does not supply. Data corruption and other problems can occur. |
If your environment requires NFS storage, use one of the following methods:
You can deploy NFS as an automatically provisioned persistent volume or using a predefined NFS volume.
For more information, see Sharing an NFS mount across two persistent volume claims to leverage shared storage for use by two separate containers.
Using automatically provisioned NFS
To use NFS as a persistent volume where NFS is automatically provisioned:
Add the following lines to the Ansible inventory file to create an NFS auto-provisioned storage class and dynamically provision the backing storage:
openshift_logging_es_pvc_storage_class_name=$nfsclass openshift_logging_es_pvc_dynamic=true
Use the following command to deploy the NFS volume using the logging playbook:
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml
Use the following steps to create a PVC:
edit the Ansible inventory file to set the PVC size:
openshift_logging_es_pvc_size=50Gi
The logging playbook selects a volume based on size and might use an unexpected volume if any other persistent volume has same size. |
Use the following command to rerun the Ansible deploy_cluster.yml playbook:
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
The installer playbook creates the NFS volume based on the openshift_logging_storage
variables.
Using a predefined NFS volume
To deploy logging alongside the OKD cluster using an existing NFS volume:
edit the Ansible inventory file to configure the NFS volume and set the PVC size:
openshift_logging_storage_kind=nfs openshift_enable_unsupported_configurations=true openshift_logging_storage_access_modes=["ReadWriteOnce"] openshift_logging_storage_nfs_directory=/srv/nfs openshift_logging_storage_nfs_options=*(rw,root_squash) openshift_logging_storage_volume_name=logging openshift_logging_storage_volume_size=100Gi openshift_logging_storage_labels={:storage=>"logging"} openshift_logging_install_logging=true
Use the following command to redeploy the eFK stack:
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
You can allocate a large file on an NFS server and mount the file to the nodes. You can then use the file as a host path device.
$ mount -F nfs nfserver:/nfs/storage/elasticsearch-1 /usr/local/es-storage $ chown 1000:1000 /usr/local/es-storage
Then, use /usr/local/es-storage as a host-mount as described below. Use a different backing file as storage for each elasticsearch replica.
This loopback must be maintained manually outside of OKD, on the node. You must not maintain it from inside a container.
It is possible to use a local disk volume (if available) on each node host as storage for an elasticsearch replica. Doing so requires some preparation as follows.
The relevant service account must be given the privilege to mount and edit a local volume:
$ oc adm policy add-scc-to-user privileged \ system:serviceaccount:logging:aggregated-logging-elasticsearch (1)
1 | Use the project you created earlier (for example, logging) when running the logging playbook. |
each elasticsearch replica definition must be patched to claim that privilege, for example (change to --selector component=es-ops
for Ops cluster):
$ for dc in $(oc get deploymentconfig --selector component=es -o name); do oc scale $dc --replicas=0 oc patch $dc \ -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","securityContext":{"privileged": true}}]}}}}' done
The elasticsearch replicas must be located on the correct nodes to use the local storage, and should not move around even if those nodes are taken down for a period of time. This requires giving each elasticsearch replica a node selector that is unique to a node where an administrator has allocated storage for it. To configure a node selector, edit each elasticsearch deployment configuration and add or edit the nodeSelector section to specify a unique label that you have applied for each desired node:
apiVersion: v1 kind: DeploymentConfig spec: template: spec: nodeSelector: logging-es-node: "1" (1)
1 | This label should uniquely identify a replica with a single node that bears that
label, in this case logging-es-node=1 . Use the oc label command to apply
labels to nodes as needed. |
To automate applying the node selector you can instead use the oc patch
command:
$ oc patch dc/logging-es-<suffix> \ -p '{"spec":{"template":{"spec":{"nodeSelector":{"logging-es-node":"1"}}}}}'
Once these steps are taken, a local host mount can be applied to each replica as in this example
(where we assume storage is mounted at the same path on each node) (change to --selector component=es-ops
for Ops cluster):
$ for dc in $(oc get deploymentconfig --selector component=es -o name); do oc set volume $dc \ --add --overwrite --name=elasticsearch-storage \ --type=hostPath --path=/usr/local/es-storage oc rollout latest $dc oc scale $dc --replicas=1 done
If you need to scale up the number of elasticsearch nodes in your cluster, you can create a deployment configuration for each elasticsearch node you want to add.
Due to the nature of persistent volumes and how elasticsearch is configured to store its data and recover the cluster, you cannot simply increase the replicas in an elasticsearch deployment configuration.
The simplest way to change the scale of elasticsearch is to modify the inventory host file and re-run the logging playbook as described previously. If you have supplied persistent storage for the deployment, this should not be disruptive.
Resizing an elasticsearch cluster using the logging playbook is only possible when
the new |
By default, elasticsearch deployed with OpenShift aggregated logging is not accessible from outside the logging cluster. You can enable a route for external access to elasticsearch for those tools that want to access its data.
You have access to elasticsearch using your OpenShift token, and you can provide the external elasticsearch and elasticsearch Ops hostnames when creating the server certificate (similar to Kibana).
To access elasticsearch as a reencrypt route, define the following variables:
openshift_logging_es_allow_external=True openshift_logging_es_hostname=elasticsearch.example.com
Run the following Ansible playbook:
$ ansible-playbook [-i </path/to/inventory>] \ /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml
To log in to elasticsearch remotely, the request must contain three HTTP headers:
Authorization: Bearer $token X-Proxy-Remote-User: $username X-Forwarded-For: $ip_address
You must have access to the project in order to be able to access to the logs. For example:
$ oc login <user1> $ oc new-project <user1project> $ oc new-app <httpd-example>
You need to get the token of this ServiceAccount to be used in the request:
$ token=$(oc whoami -t)
Using the token previously configured, you should be able access elasticsearch through the exposed route:
$ curl -k -H "Authorization: Bearer $token" -H "X-Proxy-Remote-User: $(oc whoami)" -H "X-Forwarded-For: 127.0.0.1" https://es.example.test/project.my-project.*/_search?q=level:err | python -mjson.tool
Fluentd is deployed as a DaemonSet that deploys replicas according to a node
label selector, which you can specify with the inventory parameter
openshift_logging_fluentd_nodeselector
and the default is logging-infra-fluentd
.
As part of the OpenShift cluster installation, it is recommended that you add the
Fluentd node selector to the list of persisted
node labels.
Fluentd uses journald
as the system log source. These are log messages from
the operating system, the container runtime, and OpenShift.
Clean installations of OKD 3.9 use json-file
as the default log
driver, but environments upgraded from OKD 3.7 will maintain their
existing journald
log driver configuration. It is recommended to use the
json-file
log driver. See Changing the Aggregated
Logging Driver for instructions to change your existing log driver
configuration to json-file
.
Viewing Fluentd Logs
How you view logs depends upon the LOGGING_FILe_PATH
setting.
If LOGGING_FILe_PATH
points to a file, use the logs utility to print out the contents of Fluentd log files:
oc exec <pod> logs (1)
1 | Specify the name of the Fluentd pod. |
For example:
oc exec logging-fluentd-lmvms logs
The contents of log files are printed out, starting with the oldest log. Use -f
option to follow what is being written into the logs.
If you are using LOGGING_FILe_PATH=console
, fluentd to write logs to STDOUT. You can retrieve the logs with the oc logs -f <pod_name>
command.
For example
oc logs -f /var/log/fluentd/fluentd.log
Configuring Fluentd Log Location
Fluentd writes logs to a specified file, by default /var/log/fluentd/fluentd.log
, or to the console, based on the LOGGING_FILe_PATH
environment variable.
To change the default output location for the Fluentd logs, use the LOGGING_FILe_PATH
parameter
in the default inventory file.
You can specify a particular file or to STDOUT:
LOGGING_FILe_PATH=console (1) LOGGING_FILe_PATH=<path-to-log/fluentd.log> (2)
1 | Sends the log output to STDOUT. |
2 | Sends the log output to the specified file. |
After changing these parameters, re-run the logging installer playbook:
$ cd /usr/share/ansible/openshift-ansible $ ansible-playbook [-i </path/to/inventory>] \ playbooks/openshift-logging/config.yml
How you view log data depends on the |
Configuring Fluentd Log Rotation
When the current Fluentd log file reaches a specified size, OKD automatically renames the fluentd.log log file so that new logging data can be collected. Log rotation is enabled by default.
The following example shows logs in a cluster where the maximum log size is 1Mb and four logs should be retained. When the fluentd.log reaches 1Mb, OKD deletes the current fluentd.log.4, renames the each of the Fluentd logs in turn, and creates a new fluentd.log.
fluentd.log 0b fluentd.log.1 1Mb fluentd.log.2 1Mb fluentd.log.3 1Mb fluentd.log.4 1Mb
You can control the size of the Fluentd log files and how many of the renamed files that OKD retains using environment variables.
Parameter | Description |
---|---|
|
The maximum size of a single Fluentd log file in Bytes. If the size of the flientd.log file exceeds this value, OKD renames the fluentd.log.* files and creates a new fluentd.log. The default is 1024000 (1MB). |
|
The number of logs that Fluentd retains before deleting. The default value is |
For example:
$ oc set env ds/logging-fluentd LOGGING_FILe_AGe=30 LOGGING_FILe_SIZe=1024000"
Turn off log rotation by setting LOGGING_FILe_PATH=console.
This causes Fluentd to write logs to STDOUT where they can be retrieved using the oc logs -f <pod_name>
command.
Disabling JSON parsing of logs with MeRGe_JSON_LOG
By default, Fluentd determines if a log message is in JSON format and merges the message into the JSON payload document posted to elasticsearch.
When using JSON parsing you might experience:
log loss due to elasticsearch rejecting documents due to inconsistent type mappings;
buffer storage leaks caused by rejected message cycling;
overwritten data for fields with same names.
For information on how to mitigate some of these problems, see Configuring how the log collector normalizes logs.
You can disable JSON parsing to avoid these problems or if you do not need to parse JSON from your logs.
To disable JSON parsing:
Run the following command:
oc set env ds/logging-fluentd MeRGe_JSON_LOG=false (1)
1 | Set this to false to disable this feature or true to enable this feature. |
To ensure this setting is applied each time you run Ansible, add openshift_logging_fluentd_merge_json_log="false"
to your Ansible inventory.
Configuring how the log collector normalizes logs
Cluster Logging uses a specific data model, like a database schema, to store log records and their metadata in the logging store. There are some restrictions on the data:
There must be a "message"
field containing the actual log message.
There must be a "@timestamp"
field containing the log record timestamp in RFC 3339 format, preferably millisecond or better resolution.
There must be a "level"
field with the log level, such as err
, info
, unknown
, and so forth.
For more information on the data model, see exported Fields. |
Because of these requirements, conflicts and inconsistencies can arise with log data collected from different subsystems.
For example, if you use the MeRGe_JSON_LOG
feature (MeRGe_JSON_LOG=true
), it can be extremely useful to have your applications log their output in JSON, and have the log collector automatically parse and index the data in elasticsearch. However, this leads to several problems, including:
field names can be empty, or contain characters that are illegal in elasticsearch;
different applications in the same namespace might output the same field name with a different value data type;
applications might emit too many fields;
fields may conflict with the cluster logging built-in fields.
You can configure how cluster logging treats fields from disparate sources by editing the Fluentd log collector daemonset and setting environment variables in the table below.
Undefined fields. Fields unknown to the ViaQ data model are called undefined. Log data from disparate systems can contain undefined fields. The data model requires all top-level fields to be defined and described.
Use the parameters to configure how OKD moves any undefined fields under a top-level field called undefined
to avoid conflicting with the well known
top-level fields. You can add undefined fields to the top-level fields and move others to an undefined
container.
You can also replace special characters in undefined fields and convert undefined fields to their JSON string representation. Converting to JSON string preserves the structure of the value, so that you can retrieve the value later and convert it back to a map or an array.
Simple scalar values like numbers and booleans are changed to a quoted string. For example: 10
becomes "10"
, 3.1415
becomes "3.1415"
, false
becomes "false"
.
Map/dict values and array values are converted to their JSON string representation: "mapfield":{"key":"value"}
becomes "mapfield":"{\"key\":\"value\"}"
and "arrayfield":[1,2,"three"]
becomes "arrayfield":"[1,2,\"three\"]"
.
Defined fields. Defined fields appear in the top levels of the logs. You can configure which fields are considered defined fields.
The default top-level fields, defined through the CDM_DeFAULT_KeeP_FIeLDS
parameter, are Cee
, time
, @timestamp
, aushape
, ci_job
, collectd
, docker
, fedora-ci
,
file
, foreman
, geoip
, hostname
, ipaddr4
, ipaddr6
, kubernetes
, level
, message
, namespace_name
, namespace_uuid
,
offset
, openstack
, ovirt
, pid
, pipeline_metadata
, service
, systemd
, tags
, testcase
, tlog
, viaq_msg_id
.
Any fields not included in ${CDM_DeFAULT_KeeP_FIeLDS}
or ${CDM_eXTRA_KeeP_FIeLDS}
are moved to ${CDM_UNDeFINeD_NAMe}
if CDM_USe_UNDeFINeD
is true
. See the table below for more information on these parameters.
The |
empty fields. empty fields have no data. You can determine which empty fields to retain from logs.
Parameters | Definition | example |
---|---|---|
|
Specify an extra set of defined fields to be kept at the top level of the logs in addition to the |
|
|
Specify fields to retain in CSV format even if empty. empty defined fields not specified are dropped. The default is "message", keep empty messages. |
|
|
Set to |
|
|
Specify a name for the undefined top level field if using |
|
|
If the number of undefined fields is greater than this number, all undefined fields are converted to their JSON string representation
and stored in the NOTe: This parameter is honored even if |
|
|
Set to |
|
|
Specify a character to use in place of a dot character '.' in an undefined field. |
|
If you set the When the log collector rolls over the indices, it creates a brand new index. The field definitions are updated and you will not get the 400 error. For more information, see Setting MeRGe_JSON_LOG and CDM_UNDeFINeD_TO_STRING. |
To configure undefined and empty field processing, edit the logging-fluentd
daemonset:
Configure how to process fields, as needed:
Specify the fields to move using CDM_eXTRA_KeeP_FIeLDS
.
Specify any empty fields to retain in the CDM_KeeP_eMPTY_FIeLDS
parameter in CSV format.
Configure how to process undefined fields, as needed:
Set CDM_USe_UNDeFINeD
to true
to move undefined fields to the top-level undefined
field:
Specify a name for the undefined fields using the CDM_UNDeFINeD_NAMe
parameter.
Set CDM_UNDeFINeD_MAX_NUM_FIeLDS
to a value other than the default -1
, to set an upper bound on the number of undefined fields
in a single record.
Specify CDM_UNDeFINeD_DOT_RePLACe_CHAR
to change any dot .
characters in an undefined field name to another character.
For example, if CDM_UNDeFINeD_DOT_RePLACe_CHAR=@@@
and there is a field named foo.bar.baz
the field is transformed into foo@@@bar@@@baz
.
Set UNDeFINeD_TO_STRING
to true
to convert undefined fields to their JSON string representation.
If you configure the For example, when |
Setting MeRGe_JSON_LOG and CDM_UNDeFINeD_TO_STRING
If you set the MeRGe_JSON_LOG
and CDM_UNDeFINeD_TO_STRING
enviroment variables to true
, you might receive an elasticsearch 400 error. When MeRGe_JSON_LOG=true
, the log collector adds fields with data types other than string. If you set CDM_UNDeFINeD_TO_STRING=true
, Fluentd attempts to add those fields as a string value resulting in the elasticsearch 400 error. The error clears when the indices roll over for the next day.
When Fluentd rolls over the indices for the next day’s logs, it will create a brand new index. The field definitions are updated and you will not get the 400 error.
Records that have hard errors, such as schema violations, corrupted data, and so forth, cannot be retried. The log collector sends the records for error handling. If you add a
<label @eRROR>
section to your Fluentd config, as the last <label>
, you can handle these records as needed.
For example:
data: fluent.conf: .... <label @eRROR> <match **> @type file path /var/log/fluent/dlq time_slice_format %Y%m%d time_slice_wait 10m time_format %Y%m%dT%H%M%S%z compress gzip </match> </label>
This section writes error records to the elasticsearch dead letter queue (DLQ) file. See the fluentd documentation for more information about the file output.
Then you can edit the file to clean up the records manually, edit the file to use with the elasticsearch /_bulk index
API and use cURL to add those records. For more information on elasticsearch Bulk API, see the elasticsearch documentation.
Configuring Fluentd to Send Logs to an external Log Aggregator
You can configure Fluentd to send a copy of its logs to an external log
aggregator, and not the default elasticsearch, using the secure-forward
plug-in. From there, you can further process log records after the locally
hosted Fluentd has processed them.
The secure-forward
plug-in is provided with the Fluentd image as of v1.4.0.
The logging deployment provides a secure-forward.conf
section in the Fluentd configmap
for configuring the external aggregator:
<store> @type secure_forward self_hostname pod-${HOSTNAMe} shared_key thisisasharedkey secure yes enable_strict_verification yes ca_cert_path /etc/fluent/keys/your_ca_cert ca_private_key_path /etc/fluent/keys/your_private_key ca_private_key_passphrase passphrase <server> host ose1.example.com port 24284 </server> <server> host ose2.example.com port 24284 standby </server> <server> host ose3.example.com port 24284 standby </server> </store>
This can be updated using the oc edit
command:
$ oc edit configmap/logging-fluentd
Certificates to be used in secure-forward.conf
can be added to the existing
secret that is mounted on the Fluentd pods. The your_ca_cert
and
your_private_key
values must match what is specified in secure-forward.conf
in configmap/logging-fluentd
:
$ oc patch secrets/logging-fluentd --type=json \ --patch "[{'op':'add','path':'/data/your_ca_cert','value':'$(base64 /path/to/your_ca_cert.pem)'}]" $ oc patch secrets/logging-fluentd --type=json \ --patch "[{'op':'add','path':'/data/your_private_key','value':'$(base64 /path/to/your_private_key.pem)'}]"
Replace |
When configuring the external aggregator, it must be able to accept messages securely from Fluentd.
If the external aggregator is another Fluentd server, it must have the
fluent-plugin-secure-forward
plug-in installed and make use of the input
plug-in it provides:
<source> @type secure_forward self_hostname ${HOSTNAMe} bind 0.0.0.0 port 24284 shared_key thisisasharedkey secure yes cert_path /path/for/certificate/cert.pem private_key_path /path/for/certificate/key.pem private_key_passphrase secret_foo_bar_baz </source>
Further explanation of how to set up the fluent-plugin-secure-forward
plug-in
can be found
here.
Reducing the Number of Connections from Fluentd to the API Server
|
mux
is a Secure Forward listener service.
Parameter | Description |
---|---|
|
The default is set to |
|
Values for |
|
The default is set to |
|
The default is |
|
24284 |
|
500M |
|
1Gi |
|
The default is |
|
The default value is empty, allowing for additional namespaces to create for
external |
Throttling logs in Fluentd
For projects that are especially verbose, an administrator can throttle down the rate at which the logs are read in by Fluentd before being processed.
Throttling can contribute to log aggregation falling behind for the configured projects; log entries can be lost if a pod is deleted before Fluentd catches up. |
Throttling does not work when using the systemd journal as the log source. The throttling implementation depends on being able to throttle the reading of the individual log files for each project. When reading from the journal, there is only a single log source, no log files, so no file-based throttling is available. There is not a method of restricting the log entries that are read into the Fluentd process. |
To tell Fluentd which projects it should be restricting, edit the throttle configuration in its ConfigMap after deployment:
$ oc edit configmap/logging-fluentd
The format of the throttle-config.yaml key is a YAML file that contains project names and the desired rate at which logs are read in on each node. The default is 1000 lines at a time per node. For example:
Projects
project-name: read_lines_limit: 50 second-project-name: read_lines_limit: 100
Logging
logging: read_lines_limit: 500 test-project: read_lines_limit: 10 .operations: read_lines_limit: 100
When you make changes to any part of the eFK stack, specifically elasticsearch or Fluentd, you should first scale elasticsearch down to zero and scale Fluentd so it does not match any other nodes. Then, make the changes and scale elasticsearch and Fluentd back.
To scale elasticsearch to zero:
$ oc scale --replicas=0 dc/<eLASTICSeARCH_DC>
Change nodeSelector in the daemonset configuration to match zero:
$ oc get ds logging-fluentd -o yaml |grep -A 1 Selector nodeSelector: logging-infra-fluentd: "true"
oc patch
command to modify the daemonset nodeSelector:$ oc patch ds logging-fluentd -p '{"spec":{"template":{"spec":{"nodeSelector":{"nonexistlabel":"true"}}}}}'
$ oc get ds logging-fluentd -o yaml |grep -A 1 Selector nodeSelector: "nonexistlabel: "true"
Scale elasticsearch back up from zero:
$ oc scale --replicas=# dc/<eLASTICSeARCH_DC>
Change nodeSelector in the daemonset configuration back to logging-infra-fluentd: "true".
Use the oc patch
command to modify the daemonset nodeSelector:
oc patch ds logging-fluentd -p '{"spec":{"template":{"spec":{"nodeSelector":{"logging-infra-fluentd":"true"}}}}}'
To access the Kibana console from the OKD web console, add the
loggingPublicURL
parameter in the
master
webconsole-config configmap file, with the URL of the Kibana console (the
kibana-hostname
parameter). The value must be an HTTPS URL:
... clusterInfo: ... loggingPublicURL: "https://kibana.example.com" ...
Setting the loggingPublicURL
parameter creates a View Archive button on the
OKD web console under the Browse → Pods → <pod_name> →
Logs tab. This links to the Kibana console.
You can scale the Kibana deployment as usual for redundancy:
$ oc scale dc/logging-kibana --replicas=2
To ensure the scale persists across multiple executions of the logging playbook,
make sure to update the |
You can see the user interface by visiting the site specified by the
openshift_logging_kibana_hostname
variable.
See the Kibana documentation for more information on Kibana.
Kibana Visualize
Kibana Visualize enables you to create visualizations and dashboards for
monitoring container and pod logs allows administrator users (cluster-admin
or
cluster-reader
) to view logs by deployment, namespace, pod, and container.
Kibana Visualize exists inside the elasticsearch and eS-OPS pod, and must be run inside those pods. To load dashboards and other Kibana UI objects, you must first log into Kibana as the user you want to add the dashboards to, then log out. This will create the necessary per-user configuration that the next step relies on. Then, run:
$ oc exec <$espod> -- es_load_kibana_ui_objects <user-name>
Where $espod
is the name of any one of your elasticsearch pods.
Curator allows administrators to configure scheduled elasticsearch maintenance operations to be performed automatically on a per-project basis. It is scheduled to perform actions daily based on its configuration. Only one Curator pod is recommended per elasticsearch cluster. Curator is configured via a YAML configuration file with the following structure:
$PROJeCT_NAMe: $ACTION: $UNIT: $VALUe $PROJeCT_NAMe: $ACTION: $UNIT: $VALUe ...
The available parameters are:
Variable Name | Description |
---|---|
|
The actual name of a project, such as myapp-devel. For OKD operations
logs, use the name |
|
The action to take, currently only |
|
One of |
|
An integer for the number of units. |
|
Use |
|
(Number) the hour of the day in 24-hour format at which to run the Curator jobs. For
use with |
|
(Number) the minute of the hour at which to run the Curator jobs. For use with |
|
(String) the tring in tzselect(8) or timedatectl(1) format. The default timezone is UTC. |
|
The list of regular expressions that match project names. |
|
The valid and properly escaped regular expression pattern enclosed by single quotation marks. |
For example, to configure Curator to:
delete indices in the myapp-dev project older than 1 day
delete indices in the myapp-qe project older than 1 week
delete operations logs older than 8 weeks
delete all other projects indices after they are 31 days
old
run the Curator jobs at midnight every day
Use:
config.yaml: | # uncomment and use this to override the defaults from env vars #.defaults: (1) # delete: # days: 31 # runhour: 0 # runminute: 0 myapp-dev: (2) delete: days: 1 myapp-qe: (3) delete: weeks: 1 .operations: (4) delete: weeks: 8 .defaults: (5) delete: days: 31 runhour: 0 runminute: 0 timezone: America/New_York .regex: - pattern: '^project\..+\-dev\..*$' (6) delete: days: 1 - pattern: '^project\..+\-test\..*$' (7) delete: days: 2
1 | Optionally, change the default number of days between run and the run hour and run minute. |
2 | Delete indices in the myapp-dev project older than 1 day |
3 | Delete indices in the myapp-qe project older than 1 week |
4 | Delete operations logs older than 8 weeks |
5 | Delete all other projects indices after they are 31 days old |
6 | Delete indices older than 1 day that are matched by the '^project\..+\-dev.*$' regex |
7 | Delete indices older than 2 days that are matched by the '^project\..+\-test.*$' regex |
When you use |
The openshift_logging
Ansible role provides a ConfigMap from which Curator
reads its configuration. You may edit or replace this ConfigMap to reconfigure
Curator. Currently the logging-curator
ConfigMap is used to configure both
your ops and non-ops Curator instances. Any .operations
configurations are
in the same location as your application logs configurations.
To edit the provided ConfigMap to configure your Curator instances:
$ oc edit configmap/logging-curator
To replace the provided ConfigMap instead:
$ create /path/to/mycuratorconfig.yaml $ oc create configmap logging-curator -o yaml \ --from-file=config.yaml=/path/to/mycuratorconfig.yaml | \ oc replace -f -
After you make your changes, redeploy Curator:
$ oc rollout latest dc/logging-curator $ oc rollout latest dc/logging-curator-ops
Remove everything generated during the deployment.
$ ansible-playbook playbooks/openshift-logging/config.yml \ -e openshift_logging_install_logging=False
Using the Kibana console with OKD can cause problems that are easily solved, but are not accompanied with useful error messages. Check the following troubleshooting sections if you are experiencing any problems when deploying Kibana on OKD:
Login Loop
The OAuth2 proxy on the Kibana console must share a secret with the master host’s OAuth2 server. If the secret is not identical on both servers, it can cause a login loop where you are continuously redirected back to the Kibana login page.
To fix this issue, delete the current OAuthClient, and use openshift-ansible
to re-run the openshift_logging
role:
$ oc delete oauthclient/kibana-proxy $ ansible-playbook [-i </path/to/inventory>] \ /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml
Cryptic error When Viewing the Console
When attempting to visit the Kibana console, you may receive a browser error instead:
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."}
This can be caused by a mismatch between the OAuth2 client and server. The return address for the client must be in a whitelist so the server can securely redirect back after logging in.
Fix this issue by replacing the OAuthClient entry:
$ oc delete oauthclient/kibana-proxy $ ansible-playbook [-i </path/to/inventory>] \ /usr/share/ansible/openshift-ansible/playbooks/openshift-logging/config.yml
If the problem persists, check that you are accessing Kibana at a URL listed in the OAuth client. This issue can be caused by accessing the URL at a forwarded port, such as 1443 instead of the standard 443 HTTPS port. You can adjust the server whitelist by editing the OAuth client:
$ oc edit oauthclient/kibana-proxy
503 error When Viewing the Console
If you receive a proxy error when viewing the Kibana console, it could be caused by one of two issues.
First, Kibana may not be recognizing pods. If elasticsearch is slow in starting up, Kibana may timeout trying to reach it. Check whether the relevant service has any endpoints:
$ oc describe service logging-kibana Name: logging-kibana [...] endpoints: <none>
If any Kibana pods are live, endpoints are listed. If they are not, check the state of the Kibana pods and deployment. You may need to scale the deployment down and back up again.
The second possible issue may be caused if the route for accessing the Kibana service is masked. This can happen if you perform a test deployment in one project, then deploy in a different project without completely removing the first deployment. When multiple routes are sent to the same destination, the default router will only route to the first created. Check the problematic route to see if it is defined in multiple places:
$ oc get route --all-namespaces --selector logging-infra=support
F-5 Load Balancer and X-Forwarded-For enabled
If you are attempting to use a F-5 load balancer in front of Kibana with
X-Forwarded-For
enabled, this can cause an issue in which the elasticsearch
Searchguard
plug-in is unable to correctly accept connections from Kibana.
Kibana: Unknown error while connecting to elasticsearch error: Unknown error while connecting to elasticsearch error: UnknownHostexception[No trusted proxies]
To configure Searchguard to ignore the extra header:
Scale down all Fluentd pods.
Scale down elasticsearch after the Fluentd pods have terminated.
Add searchguard.http.xforwardedfor.header: DUMMY
to the elasticsearch
configuration section.
$ oc edit configmap/logging-elasticsearch (1)
1 | This approach requires that elasticsearch’s configurations are within a ConfigMap. |
Scale elasticsearch back up.
Scale up all Fluentd pods.
Fluentd sends logs to the value of the eS_HOST
, eS_PORT
, OPS_HOST
,
and OPS_PORT
environment variables of the elasticsearch deployment
configuration. The application logs are directed to the eS_HOST
destination,
and operations logs to OPS_HOST
.
Sending logs directly to an AWS elasticsearch instance is not supported. Use
Fluentd Secure Forward to direct logs to
an instance of Fluentd that you control and that is configured with the
|
To direct logs to a specific elasticsearch instance, edit the deployment configuration and replace the value of the above variables with the desired instance:
$ oc edit ds/<daemon_set>
For an external elasticsearch instance to contain both application and
operations logs, you can set eS_HOST
and OPS_HOST
to the same destination,
while ensuring that eS_PORT
and OPS_PORT
also have the same value.
If your externally hosted elasticsearch instance does not use TLS, update the
_CLIeNT_CeRT
, _CLIeNT_KeY
, and _CA
variables to be empty. If it does
use TLS, but not mutual TLS, update the _CLIeNT_CeRT
and _CLIeNT_KeY
variables to be empty and patch or recreate the logging-fluentd secret with
the appropriate _CA
value for communicating with your elasticsearch instance.
If it uses Mutual TLS as the provided elasticsearch instance does, patch or
recreate the logging-fluentd secret with your client key, client cert, and CA.
If you are not using the provided Kibana and elasticsearch images, you will not have the same multi-tenant capabilities and your data will not be restricted by user access to a particular project. |
Use the fluent-plugin-remote-syslog
plug-in on the host to send logs to an
external syslog server.
Set environment variables in the logging-fluentd
or logging-mux
deployment
configurations:
- name: ReMOTe_SYSLOG_HOST (1)
value: host1
- name: ReMOTe_SYSLOG_HOST_BACKUP
value: host2
- name: ReMOTe_SYSLOG_PORT_BACKUP
value: 5555
1 | The desired remote syslog host. Required for each host. |
This will build two destinations. The syslog server on host1
will be
receiving messages on the default port of 514
, while host2
will be receiving
the same messages on port 5555
.
Alternatively, you can configure your own custom fluent.conf in the
logging-fluentd
or logging-mux
ConfigMaps.
Fluentd environment Variables
Parameter | Description |
---|---|
|
Defaults to |
|
(Required) Hostname or IP address of the remote syslog server. |
|
Port number to connect on. Defaults to |
|
Set the syslog severity level. Defaults to |
|
Set the syslog facility. Defaults to |
|
Defaults to |
|
Removes the prefix from the tag, defaults to |
|
If specified, uses this field as the key to look on the record, to set the tag on the syslog message. |
|
If specified, uses this field as the key to look on the record, to set the payload on the syslog message. |
This implementation is insecure, and should only be used in environments where you can guarantee no snooping on the connection. |
Fluentd Logging Ansible Variables
Parameter | Description |
---|---|
|
The default is set to |
|
Hostname or IP address of the remote syslog server, this is mandatory. |
|
Port number to connect on, defaults to |
|
Set the syslog severity level, defaults to |
|
Set the syslog facility, defaults to |
|
The default is set to |
|
Removes the prefix from the tag, defaults to |
|
If string is specified, uses this field as the key to look on the record, to set the tag on the syslog message. |
|
If string is specified, uses this field as the key to look on the record, to set the payload on the syslog message. |
Mux Logging Ansible Variables
Parameter | Description |
---|---|
|
The default is set to |
|
Hostname or IP address of the remote syslog server, this is mandatory. |
|
Port number to connect on, defaults to |
|
Set the syslog severity level, defaults to |
|
Set the syslog facility, defaults to |
|
The default is set to |
|
Removes the prefix from the tag, defaults to |
|
If string is specified, uses this field as the key to look on the record, to set the tag on the syslog message. |
|
If string is specified, uses this field as the key to look on the record, to set the payload on the syslog message. |
As of logging version 1.2.0, an administrator certificate, key, and CA that can be used to communicate with and perform administrative operations on elasticsearch are provided within the logging-elasticsearch secret.
To confirm whether or not your eFK installation provides these, run: $ oc describe secret logging-elasticsearch |
If they are not available, refer to Manual Upgrades to ensure you are on the latest version first.
Connect to an elasticsearch pod that is in the cluster on which you are attempting to perform maintenance.
To find a pod in a cluster use either:
$ oc get pods -l component=es -o name | head -1 $ oc get pods -l component=es-ops -o name | head -1
Connect to a pod:
$ oc rsh <your_elasticsearch_pod>
Once connected to an elasticsearch container, you can use the certificates mounted from the secret to communicate with elasticsearch per its Indices APIs documentation.
Fluentd sends its logs to elasticsearch using the index format project.{project_name}.{project_uuid}.YYYY.MM.DD where YYYY.MM.DD is the date of the log record.
For example, to delete all logs for the logging project with uuid 3b3594fa-2ccd-11e6-acb7-0eb6b35eaee3 from June 15, 2016, we can run:
$ curl --key /etc/elasticsearch/secret/admin-key \ --cert /etc/elasticsearch/secret/admin-cert \ --cacert /etc/elasticsearch/secret/admin-ca -XDeLeTe \ "https://localhost:9200/project.logging.3b3594fa-2ccd-11e6-acb7-0eb6b35eaee3.2016.06.15"
You can redeploy eFK certificates, if needed.
To redeploy eFK certificates:
Run the following command to delete the all certificate files:
$ rm -r /etc/origin/logging
Verify that the Custom Certificate parameters are set in your inventory host file.
Use the Ansible playbook to redeploy the eFK stack:
$ cd /usr/share/ansible/openshift-ansible $ ansible-playbook [-i </path/to/inventory>] \ playbooks/openshift-logging/config.yml
The command fails with an error message similar to the following:
RUNNING HANDLeR [openshift_logging_elasticsearch : Checking current health for {{ _es_node }} cluster] *** Friday 14 December 2018 07:53:44 +0000 (0:00:01.571) 0:05:01.710 ******* [WARNING]: Consider using the get_url or uri module rather than running curl. If you need to use command because get_url or uri is insufficient you can add warn=False to this command task or set command_warnings=False in ansible.cfg to get rid of this message. fatal: [ec2-34-207-171-49.compute-1.amazonaws.com]: FAILeD! => {"changed": true, "cmd": ["curl", "-s", "-k", "--cert", "/tmp/openshift-logging-ansible-3v1NOI/admin-cert", "--key", "/tmp/openshift-logging-ansible-3v1NOI/admin-key", "https://logging-es.openshift-logging.svc:9200/_cluster/health?pretty"], "delta": "0:00:01.024054", "end": "2018-12-14 02:53:33.467642", "msg": "non-zero return code", "rc": 7, "start": "2018-12-14 02:53:32.443588", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []} RUNNING HANDLeR [openshift_logging_elasticsearch : Set Logging message to manually restart] *** Friday 14 December 2018 07:53:46 +0000 (0:00:01.557) 0:05:03.268 *******
Run the following command to delete all pods to refresh the secret:
$ oc delete pod --all -n openshift-logging
For aggregated logging, it is recommended to use the json-file
log driver.
When using the |
Fluentd determines the driver Docker is using by checking the /etc/docker/daemon.json and /etc/sysconfig/docker files.
You can determine which driver Docker is using with the docker info
command:
# docker info | grep Logging Logging Driver: journald
To change to json-file
:
Modify either the /etc/sysconfig/docker or /etc/docker/daemon.json files.
For example:
# cat /etc/sysconfig/docker
OPTIONS=' --selinux-enabled --log-driver=json-file --log-opt max-size=1M --log-opt max-file=3 --signature-verification=False'
cat /etc/docker/daemon.json
{
"log-driver": "json-file",
"log-opts": {
"max-size": "1M",
"max-file": "1"
}
}
Restart the Docker service:
systemctl restart docker
Restart Fluentd.
Restarting Fluentd on more than a dozen nodes at once will create a large load on the Kubernetes scheduler. exercise caution when using the following the directions to restart Fluentd. |
There are two methods for restarting Fluentd. You can restart the Fluentd on one node or a set of nodes, or on all nodes.
The following steps demonstrate how to restart Fluentd on one node or a set of nodes.
List the nodes where Fluentd is running:
$ oc get nodes -l logging-infra-fluentd=true
For each node, remove the label and turn off Fluentd:
$ oc label node $node logging-infra-fluentd-
Verify Fluentd is off:
$ oc get pods -l component=fluentd
For each node, restart Fluentd:
$ oc label node $node logging-infra-fluentd=true
The following steps demonstrate how to restart the Fluentd all nodes.
Turn off Fluentd on all nodes:
$ oc label node -l logging-infra-fluentd=true --overwrite logging-infra-fluentd=false
Verify Fluentd is off:
$ oc get pods -l component=fluentd
Restart Fluentd on all nodes:
$ oc label node -l logging-infra-fluentd=false --overwrite logging-infra-fluentd=true
Verify Fluentd is on:
$ oc get pods -l component=fluentd
These are the fields exported by the logging system and available for searching
from elasticsearch and Kibana. Use the full, dotted field name when searching.
For example, for an elasticsearch /_search URL, to look for a Kubernetes pod name,
use /_search/q=kubernetes.pod_name:name-of-my-pod
.
The following sections describe fields that may not be present in your logging store.
Not all of these fields are present in every record.
The fields are grouped in the following categories:
exported-fields-Default
exported-fields-rsyslog
exported-fields-systemd
exported-fields-kubernetes
exported-fields-docker
exported-fields-pipeline_metadata
exported-fields-ovirt
exported-fields-aushape
exported-fields-tlog
The top level fields are common to every application, and may be present in
every record. For the elasticsearch template, top level fields populate the actual
mappings of default
in the template’s mapping section.
Parameter | Description |
---|---|
|
The UTC value marking when the log payload was created, or when the log payload
was first collected if the creation time is not known. This is the log
processing pipeline’s best effort determination of when the log payload was
generated. Add the |
|
This is geo-ip of the machine. |
|
The |
|
The IP address V4 of the source server, which can be an array. |
|
The IP address V6 of the source server, if available. |
|
The logging level as provided by . You should only use Numeric values from Log levels and priorities from other logging systems should be mapped to the nearest match. See python logging for an example. |
|
A typical log entry message, or payload. It can be stripped of metadata pulled out of it by the collector or normalizer, that is UTF-8 encoded. |
|
This is the process ID of the logging entity, if available. |
|
The name of the service associated with the logging entity, if available. For
example, the |
|
Optionally provided operator defined list of tags placed on each log by the collector or normalizer. The payload can be a string with whitespace-delimited string tokens, or a JSON list of string tokens. |
|
Optional path to the file containing the log entry local to the collector |
|
The offset value can represent bytes to the start of the log line in the file (zero or one based), or log line numbers (zero or one based), as long as the values are strictly monotonically increasing in the context of a single log file. The values are allowed to wrap, representing a new version of the log file (rotation). |
|
Associate this record with the |
|
This is the |
collectd
FieldsThe following fields represent namespace metrics metadata.
Parameter | Description |
---|---|
|
type: float The |
|
type: string The |
|
type: string The |
|
type: string The |
|
type: string The |
|
type: string The |
collectd.processes
FieldsThe following field corresponds to the collectd
processes plug-in.
Parameter | Description |
---|---|
|
type: integer
The |
collectd.processes.ps_disk_ops
FieldsThe collectd
ps_disk_ops
type of processes plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
collectd.processes.ps_cputime
FieldsThe collectd
ps_cputime
type of processes plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.processes.ps_count
FieldsThe collectd
ps_count
type of processes plug-in.
Parameter | Description |
---|---|
|
type: integer
|
|
type: integer
|
collectd.processes.ps_pagefaults
FieldsThe collectd
ps_pagefaults
type of processes plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.processes.ps_disk_octets
FieldsThe collectd ps_disk_octets
type of processes plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: float The |
collectd.disk
FieldsCorresponds to collectd
disk plug-in.
collectd.disk.disk_merged
FieldsThe collectd
disk_merged
type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.disk.disk_octets
FieldsThe collectd
disk_octets
type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.disk.disk_time
FieldsThe collectd
disk_time
type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.disk.disk_ops
FieldsThe collectd
disk_ops
type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: integer The |
collectd.disk.disk_io_time
FieldsThe collectd disk_io_time
type of disk plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.interface
FieldsCorresponds to the collectd
interface plug-in.
collectd.interface.if_octets
FieldsThe collectd
if_octets
type of interface plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.interface.if_packets
FieldsThe collectd
if_packets
type of interface plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.interface.if_errors
FieldsThe collectd
if_errors
type of interface plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
The collectd
if_dropped
type of interface plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt
FieldsCorresponds to collectd
virt plug-in.
collectd.virt.if_octets
FieldsThe collectd if_octets
type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.if_packets
FieldsThe collectd
if_packets
type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.if_errors
FieldsThe collectd
if_errors
type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.if_dropped
FieldsThe collectd
if_dropped
type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
collectd.virt.disk_ops
FieldsThe collectd
disk_ops
type of virt plug-in.
Parameter | Description |
---|---|
collectd.virt.disk_ops.read |
type: float
|
|
type: float
|
collectd.virt.disk_octets
FieldsThe collectd
disk_octets
type of virt plug-in.
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: float The |
|
type: float The |
|
type: float The |
collectd.CPU
FieldsCorresponds to the collectd
CPU plug-in.
Parameter | Description |
---|---|
|
type: float The |
Corresponds to the collectd
df
plug-in.
Parameter | Description |
---|---|
|
type: float The |
|
type: float The |
collectd.entropy
FieldsCorresponds to the collectd
entropy plug-in.
Parameter | Description |
---|---|
|
type: integer The |
collectd.nfs
FieldsCorresponds to the collectd
NFS plug-in.
Parameter | Description |
---|---|
|
type: integer The |
collectd.memory
FieldsCorresponds to the collectd
memory plug-in.
Parameter | Description |
---|---|
|
type: float The |
|
type: float The |
collectd.swap
FieldsCorresponds to the collectd
swap plug-in.
Parameter | Description |
---|---|
|
type: integer The |
|
type: integer The |
collectd.load
FieldsCorresponds to the collectd
load plug-in.
collectd.load.load
FieldsThe collectd
load type of load plug-in
Parameter | Description |
---|---|
|
type: float
|
|
type: float
|
|
type: float
|
collectd.aggregation
FieldsCorresponds to collectd
aggregation plug-in.
Parameter | Description |
---|---|
|
type: float
|
collectd.statsd
FieldsCorresponds to collectd
statsd
plug-in.
Parameter | Description |
---|---|
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The collectd` |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
collectd.postgresql Fields
Corresponds to collectd
postgresql
plug-in.
Parameter | Description |
---|---|
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
|
type: integer The |
rsyslog
FieldsThe following fields are RFC5424 based metadata.
Parameter | Description |
---|---|
|
See |
|
This is the |
|
See |
|
This is the |
|
If |
systemd
FieldsContains common fields specific to systemd
journal.
Applications
may write their own fields to the journal. These will be available under the
systemd.u
namespace. ReSULT
and UNIT
are two such fields.
systemd.k
FieldsThe following table contains systemd
kernel-specific metadata.
Parameter | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
systemd.t
Fieldssystemd.t Fields
are trusted journal fields, fields that are implicitly added
by the journal, and cannot be altered by client code.
Parameter | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
systemd.u
Fieldssystemd.u Fields
are directly passed from clients and stored in the journal.
Parameter | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
For private use only. |
|
For private use only. |
The namespace for Kubernetes-specific metadata. The kubernetes.pod_name
is the
name of the pod.
kubernetes.labels
FieldsLabels attached to the OpenShift object are kubernetes.labels
. each label name
is a subfield of labels field. each label name is de-dotted, meaning dots in the
name are replaced with underscores.
Parameter | Description |
---|---|
|
Kubernetes ID of the pod. |
|
The name of the namespace in Kubernetes. |
|
ID of the namespace in Kubernetes. |
|
Kubernetes node name. |
|
The name of the container in Kubernetes. |
|
|
The deployment associated with the Kubernetes object. |
|
The deploymentconfig associated with the Kubernetes object. |
|
The component associated with the Kubernetes object. |
|
kubernetes.annotations
FieldsAnnotations associated with the OpenShift object are kubernetes.annotations
fields.
Namespace for docker container-specific metadata. The docker.container_id
is
the Docker container ID.
pipeline_metadata
FieldsThis includes metadata related to ViaQ log collection pipeline. everything
related to log collector, normalizers, and mappings goes here. Data in this
subgroup is stored for troubleshooting and other purposes. The
pipeline_metadata.@version
field is the version of com.redhat.viaq
mapping
the document is intended to adhere by the normalizer. It must be set by the
normalizer. The value must correspond to the [_meta][version]. For example,
class
with the description TODO
, and region
with the description region
mapping.
pipeline_metadata.collector
FieldsThis section contains metadata specific to the collector.
Parameter | Description |
---|---|
|
FQDN of the collector. It might be different from the FQDN of the actual emitter of the logs. |
|
Name of the collector. |
|
Version of the collector. |
|
IP address v4 of the collector server, can be an array. |
|
IP address v6 of the collector server, can be an array. |
|
How the log message was received by the collector whether it was TCP/UDP, or imjournal/imfile. |
|
Time when the message was received by the collector. |
|
The original non-parsed log message, collected by the collector or as close to the source as possible. |
pipeline_metadata.normalizer
FieldsThis section contains metadata specific to the normalizer.
Parameter | Description |
---|---|
|
FQDN of the normalizer. |
|
Name of the normalizer. |
|
Version of the normalizer. |
|
IP address v4 of the normalizer server, can be an array. |
|
IP address v6 of the normalizer server, can be an array. |
|
how the log message was received by the normalizer whether it was TCP/UDP. |
|
Time when the message was received by the normalizer. |
|
The original non-parsed log message as it is received by the normalizer. |
|
The field records the trace of the message. each collector and normalizer appends information about itself and the date and time when the message was processed. |
Namespace for oVirt metadata.
Parameter | Description |
---|---|
|
The type of the data source, hosts, VMS, and engine. |
|
The oVirt host UUID. |
ovirt.engine
FieldsNamespace for oVirt engine related metadata. The FQDN of the oVirt engine is
ovirt.engine.fqdn
Audit events converted with Aushape. For more information, see Aushape.
Parameter | Description |
---|---|
|
Audit event serial number. |
|
Name of the host where the audit event occurred. |
|
The error aushape encountered while converting the event. |
|
An array of JSONPath expressions relative to the event object, specifying objects or arrays with the content removed as the result of event size limiting. An empty string means the event removed the content, and an empty array means the trimming occurred by unspecified objects and arrays. |
|
An array log record strings representing the original audit event. |
aushape.data
FieldsParsed audit event data related to Aushape.
Parameter | Description |
---|---|
|
type: nested |
|
type: string |
|
type: nested |
|
type: nested |
|
type: nested |
Tlog terminal I/O recording messages. For more information see Tlog.
Parameter | Description |
---|---|
|
Message format version number. |
|
Recorded user name. |
|
Terminal type name. |
|
Audit session ID of the recorded session. |
|
ID of the message within the session. |
|
Message position in the session, milliseconds. |
|
Distribution of this message’s events in time. |
|
Input text with invalid characters scrubbed. |
|
Scrubbed invalid input characters as bytes. |
|
Output text with invalid characters scrubbed. |
|
Scrubbed invalid output characters as bytes. |
As of OKD 3.7 the Aggregated Logging stack updated the elasticsearch
Deployment Config object so that it no longer has a Config Change Trigger, meaning
any changes to the dc
will not result in an automatic rollout. This was to prevent
unintended restarts happening in the elasticsearch cluster, which could create excessive shard
rebalancing as cluster members restart.
This section presents two restart procedures: rolling-restart and full-restart. Where a rolling restart applies appropriate changes to the elasticsearch cluster without down time (provided three masters are configured) and a full restart safely applies major changes without risk to existing data.
A rolling restart is recommended, when any of the following changes are made:
nodes on which elasticsearch pods run require a reboot
logging-elasticsearch configmap
logging-es-* deployment configuration
new image deployment, or upgrade
This will be the recommended restart policy going forward.
Any action you do for an elasticsearch cluster will need to be repeated for the ops cluster
if |
Prevent shard balancing when purposely bringing down nodes:
$ oc exec -c elasticsearch <any_es_pod_in_the_cluster> -- \ curl -s \ --cacert /etc/elasticsearch/secret/admin-ca \ --cert /etc/elasticsearch/secret/admin-cert \ --key /etc/elasticsearch/secret/admin-key \ -XPUT 'https://localhost:9200/_cluster/settings' \ -d '{ "transient": { "cluster.routing.allocation.enable" : "none" } }'
Once complete, for each dc
you have for an elasticsearch cluster, run oc rollout latest
to deploy the latest version of the dc
object:
$ oc rollout latest <dc_name>
You will see a new pod deployed. Once the pod has two ready containers, you can
move on to the next dc
.
Once all `dc`s for the cluster have been rolled out, re-enable shard balancing:
$ oc exec -c elasticsearch <any_es_pod_in_the_cluster> -- \ curl -s \ --cacert /etc/elasticsearch/secret/admin-ca \ --cert /etc/elasticsearch/secret/admin-cert \ --key /etc/elasticsearch/secret/admin-key \ -XPUT 'https://localhost:9200/_cluster/settings' \ -d '{ "transient": { "cluster.routing.allocation.enable" : "all" } }'
A full restart is recommended when changing major versions of elasticsearch or other changes which might put data integrity a risk during the change process.
Any action you do for an elasticsearch cluster will need to be repeated for the ops cluster
if |
When making changes to the |
Disable all external communications to the elasticsearch cluster while it is down. edit
your non-cluster logging service (for example, logging-es
, logging-es-ops
)
to no longer match the elasticsearch pods running:
$ oc patch svc/logging-es -p '{"spec":{"selector":{"component":"es-blocked","provider":"openshift"}}}'
Perform a shard synced flush to ensure there are no pending operations waiting to be written to disk prior to shutting down:
$ oc exec -c elasticsearch <any_es_pod_in_the_cluster> -- \ curl -s \ --cacert /etc/elasticsearch/secret/admin-ca \ --cert /etc/elasticsearch/secret/admin-cert \ --key /etc/elasticsearch/secret/admin-key \ -XPOST 'https://localhost:9200/_flush/synced'
Prevent shard balancing when purposely bringing down nodes:
$ oc exec -c elasticsearch <any_es_pod_in_the_cluster> -- \ curl -s \ --cacert /etc/elasticsearch/secret/admin-ca \ --cert /etc/elasticsearch/secret/admin-cert \ --key /etc/elasticsearch/secret/admin-key \ -XPUT 'https://localhost:9200/_cluster/settings' \ -d '{ "transient": { "cluster.routing.allocation.enable" : "none" } }'
Once complete, for each dc
you have for an eS cluster, run oc rollout latest
to deploy the latest version of the dc
object:
$ oc rollout latest <dc_name>
You will see a new pod deployed. Once the pod has two ready containers, you can
move on to the next dc
.
Once the scale up is complete, enable all external communications to the eS
cluster. edit your non-cluster logging service (for example, logging-es
,
logging-es-ops
) to match the elasticsearch pods running again:
$ oc patch svc/logging-es -p '{"spec":{"selector":{"component":"es","provider":"openshift"}}}'