Collectord configuration
collectorforkubernetes-elasticsearch.yaml
CURL
1curl -O https://www.outcoldsolutions.com/docs/elasticsearch-kubernetes/collectorforkubernetes-elasticsearch.yaml
WGET
1wget https://www.outcoldsolutions.com/docs/elasticsearch-kubernetes/collectorforkubernetes-elasticsearch.yaml
collectorforkubernetes.yaml
# Namespace that holds the collector's own objects; the ServiceAccount and the
# ConfigMap defined later in this file are both created in it.
apiVersion: v1
kind: Namespace
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
7---
# Cluster-scoped custom resource for collectord configuration.
# The ConfigMap below sets `watch.configurations = collectord.io/v1/configuration`
# and the ClusterRole grants get/list/watch on `configurations`, so these objects
# are presumably read by the collector at runtime: treat create/update rights on
# them as equivalent to editing the collector's configuration and restrict them.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: configurations.collectord.io
spec:
  group: collectord.io
  scope: Cluster
  names:
    kind: Configuration
    singular: configuration
    plural: configurations
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            # Free-form: any keys are accepted under spec, so the API server
            # performs no validation of the configuration contents.
            spec:
              type: object
              additionalProperties: true
            # The semantics of `force` are not defined anywhere in this file.
            force:
              type: boolean
32---
# Identity the collector pods run as. It is bound cluster-wide to the
# collectorforkubernetes ClusterRole by the ClusterRoleBinding below; the
# ConfigMap's [general.kubernetes] tokenPath/certPath point at the default
# ServiceAccount token mount, so the token must stay mounted in the pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: collectorforkubernetes
  namespace: collectorforkubernetes
  labels:
    app: collectorforkubernetes
40---
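# Scheduling priority for the collector pods.
# 1000000000 is the highest value permitted for a user-defined PriorityClass,
# so collector pods can preempt ordinary workloads; only the built-in
# system-*-critical classes rank higher.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: collectorforkubernetes-critical
value: 1000000000
# Explicit default: the class must be requested by name via priorityClassName
# and is never applied to pods that omit it.
globalDefault: false
description: >-
  Priority class for collectorforkubernetes collector pods; not a cluster-wide
  default.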
46---
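# Cluster-wide read permissions for the collector ServiceAccount (bound by the
# ClusterRoleBinding below). The ConfigMap's [general.kubernetes] clusterRole
# setting names this role, so the collector reads it back (hence `clusterroles`
# in the rbac group) to decide which owner objects it may traverse.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
rules:
  # Legacy PodSecurityPolicy rule: lets the collector pods use the "privileged"
  # policy on clusters that still enforce PSP. PSP was removed in Kubernetes
  # 1.25, so on current clusters this rule grants nothing and can be dropped.
  - apiGroups:
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - privileged
    verbs:
      - use
  # Read-only access to workload metadata. RBAC matches every listed group
  # against every listed resource, so the grant is the cross product of the
  # two lists. Review before applying:
  #   * secrets / configmaps: cluster-wide read of every Secret's data in every
  #     namespace. None of the watches configured in the ConfigMap below target
  #     them, so remove these two entries unless such a watch is added.
  #   * nodes/proxy and nodes/metrics: GET access to the kubelet API through the
  #     API server proxy; needed only if kubelet endpoints are actually scraped.
  #   * alertmanagers and scheduledjobs appear to be leftovers: neither exists
  #     in any of the listed groups on current clusters, so they grant nothing.
  - apiGroups:
      - ""
      - apps
      - batch
      - extensions
      - rbac.authorization.k8s.io
      - collectord.io
    resources:
      - alertmanagers
      - cronjobs
      - daemonsets
      - deployments
      - endpoints
      - events
      - jobs
      - namespaces
      - nodes
      - nodes/metrics
      - nodes/proxy
      - pods
      - replicasets
      - replicationcontrollers
      - scheduledjobs
      - services
      - statefulsets
      - persistentvolumeclaims
      - configurations
      - resourcequotas
      - clusterroles
      - secrets
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Non-resource URL: lets the collector read the API server's /metrics endpoint.
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
    apiGroups: []
    resources: []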
100---
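# Grants the collectorforkubernetes ClusterRole (cluster-wide read access; note
# that the ClusterRole above lists secrets and configmaps among its resources)
# to the collector ServiceAccount.
# ClusterRoleBinding is cluster-scoped, so a metadata.namespace on it is ignored
# by the API server; it has been dropped here. The subject's namespace is what
# selects the ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: collectorforkubernetes
subjects:
  - kind: ServiceAccount
    name: collectorforkubernetes
    namespace: collectorforkubernetes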
116---
117apiVersion: v1
118kind: ConfigMap
119metadata:
120 name: collectorforkubernetes-elasticsearch
121 namespace: collectorforkubernetes
122 labels:
123 app: collectorforkubernetes-elasticsearch
124data:
125 001-general.conf: |
126 # The general configuration is used for all deployments
127 #
128 # Run collectord with the flag -conf and specify location of the configuration files.
129 #
130 # You can override all the values using environment variables with the format like
131 # COLLECTOR__<ANYNAME>=<section>__<key>=<value>
132 # As an example you can set dataPath in [general] section as
133 # COLLECTOR__DATAPATH=general__dataPath=C:\\some\\path\\data.db
134 # This parameter can be configured using -env-override, set it to empty string to disable this feature
135
136 [general]
137 # Please review license https://www.outcoldsolutions.com/docs/license-agreement/
138 # and accept license by changing the value to *true*
139 acceptLicense = false
140
141 # Location for the database
142 # Collectord stores positions of the files and internal state
143 dataPath = ./data/
144
145 # log level (accepted values are trace, debug, info, warn, error, fatal)
146 logLevel = info
147
148 # http server gives access to two endpoints
149 # /healthz
150 # /metrics/json
151 # /metrics/prometheus
152 httpServerBinding =
153
154 # telemetry report endpoint, set it to empty string to disable telemetry
155 telemetryEndpoint = https://license.outcold.solutions/telemetry/
156
157 # license check endpoint
158 licenseEndpoint = https://license.outcold.solutions/license/
159
160 # license server through proxy
161 licenseServerProxyUrl =
162
163 # authentication with basic authorization (user:password)
164 licenseServerProxyBasicAuth =
165
166 # license key
167 license =
168
169 # Environment variable $KUBERNETES_NODENAME is used by default to setup hostname
170 # Use value below to override specific name
171 # hostname = ${KUBERNETES_NODENAME}.second
172
173 # Default output for events, logs and metrics
174 # valid values: elasticsearch and devnull
175 # Use devnull by default if you don't want to redirect data
176 defaultOutput = elasticsearch
177
178 # Default buffer size for file input
179 fileInputBufferSize = 256b
180
181 # Maximum size of one line the file reader can read
182 fileInputLineMaxSize = 1mb
183
184 # Include custom fields to attach to every event, in example below every event sent to elasticsearch will have
185 # indexed field my_environment=dev. Fields names should match to ^[a-z][_a-z0-9\.]*$
186 # Better way to configure that is to specify labels for Kubernetes Nodes.
187 # ; fields.my_environment = dev
188 # Identify the cluster if you are planning to monitor multiple clusters
189 # For ElasticSearch look at the ECS (Elastic Common Schema) documentation https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html
190 fields.ecs.version = 8.0.0
191
192 fields.orchestrator.cluster.name = -
193 fields.orchestrator.type = kubernetes
194
195 fields.agent.type = collectord
196 fields.agent.version = ${COLLECTORD_VERSION}
197 fields.agent.ephemeral_id = ${COLLECTORD_INSTANCE_RUNTIME_ID}
198 fields.agent.id = ${COLLECTORD_INSTANCE_ID}
199 fields.agent.name = ${KUBERNETES_NODENAME}
200
201 fields.host.name = ${KUBERNETES_NODENAME}
202 fields.host.hostname = ${KUBERNETES_NODENAME}
203 fields.host.architecture = ${COLLECTORD_ARCH}
204
205 # Include EC2 Metadata (see list of possible fields https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
206 # Should be in format ec2Metadata.{desired_field_name} = {url path to read the value}
207 # ec2Metadata.cloud.instance.id = /latest/meta-data/instance-id
208 # ec2Metadata.cloud.machine.type = /latest/meta-data/instance-type
209
210 # subdomain for the annotations added to the pods, workloads, namespaces or containers, like elasticsearch.collectord.io/..
211 annotationsSubdomain = elasticsearch
212
213 # configure global thruput per second for forwarded logs (metrics are not included)
214 # for example if you set `thruputPerSecond = 512Kb`, that will limit amount of logs forwarded
215 # from the single Collectord instance to 512Kb per second.
216 # You can configure thruput individually for the logs (including specific for container logs) below
217 thruputPerSecond =
218 ; thruputPerSecond = 512Kb
219
220 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
221 # older than 7 days
222 tooOldEvents =
223
224 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
225 tooNewEvents =
226
227 [license.client]
228 # point to the license located on the HTTP web server, or a hosted by the Collectord running as license server
229 url =
230 # basic authentication for the HTTP server
231 basicAuth =
232 # if SSL, ignore the certificate verification
233 insecure = false
234 # CA Path for the Server certificate
235 capath =
237 # CA Name for the Server certificate
237 caname =
238 # license server through proxy
239 proxyUrl =
240 # authentication with basic authorization (user:password)
241 proxyBasicAuth =
242
243 # connection to kubernetes api
244 [general.kubernetes]
245
246 # Override service URL for Kubernetes (default is ${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT})
247 serviceURL =
248
249 # Environment variable $KUBERNETES_NODENAME is used by default to setup nodeName
250 # Use it only when you need to override it
251 nodeName =
252
253 # Configuration to access the API server,
254 # see https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
255 # for details
256 tokenPath = /var/run/secrets/kubernetes.io/serviceaccount/token
257 certPath = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
258
259 # Default timeout for http responses. The streaming/watch requests depend on this timeout.
260 timeout = 30m
261
262 # How long to keep the cache for the recent calls to API server (to limit number of calls when collectord discovers new pods)
263 metadataTTL = 30s
264
265 # path to the kubelet root location (use it to discover application logs for emptyDir)
266 # the expected format is `pods/{pod-id}/volumes/kubernetes.io~empty-dir/{volume-name}/_data/`
267 volumesRootDir = /rootfs/var/lib/kubelet/
268
269 # You can attach annotations as a metadata, using the format
270 # includeAnnotations.{key} = {regexp}
271 # For example if you want to include all annotations that starts with `prometheus.io` or `example.com` you can include
272 # the following format:
273 # includeAnnotations.1 = ^prometheus\.io.*
274 # includeAnnotations.2 = ^example\.com.*
275
276 # watch for changes (annotations) in the objects
277 watch.namespaces = v1/namespace
278 watch.deployments = apps/v1/deployment
279 watch.configurations = collectord.io/v1/configuration
280
281 # Collectord can review the assigned ClusterRole and traverse metadata for the Pods only for the Owner objects
282 # that are defined in the ClusterRole, ignoring anything else, it does not have access to.
283 # This way Collectord does not generate 403 requests on API Server
284 clusterRole = collectorforkubernetes
285
286 # Alternative of telling Collectord about the ClusterRole is to manually list the objects.
287 # You can define which objects Collectord should traverse when it sees Owners.
288 ; traverseOwnership.namespaces = v1/namespace
289
290
291 # ElasticSearch output
292 [output.elasticsearch]
293
294 # Default data stream name
295 dataStream = logs-collectord-{{agent.version}}
296 dataStreamFailedEvents = logs-collectord-failed-{{agent.version}}
297
298 # ElasticSearch Scheme Host and Port
299 host =
300
301 # You can specify multiple hosts with
302 #
303 # hosts.0 = https://es0:9200
304 # hosts.1 = https://es1:9200
305 # hosts.2 = https://es2:9200
306
307 # Specify how Hosts should be picked up (in case if multiple is used)
308 # * random - choose random url on first selection and after each failure (connection or HTTP status code >= 500)
309 # * round-robin - choose url starting from first one and bump on each failure (connection or HTTP status code >= 500)
310 # * random-with-round-robin - choose random url on first selection and after that in round-robin on each
311 # failure (connection or HTTP status code >= 500)
312 hostSelection = random-with-round-robin
313
314 # Configuration for basic authorization
315 authorizationBasicUsername =
316 authorizationBasicPassword =
317
318 # additional headers
319 headers.Content-Type = application/json
320 headers.Accept = application/json
321
322 # Allow invalid SSL server certificate
323 insecure = false
324
325 # Path to CA certificate
326 caPath =
327
328 # CA Name to verify
329 caName =
330
331 # path for client certificate (if required)
332 clientCertPath =
333
334 # path for a client key (if required)
335 clientKeyPath =
336
337 # Events are batched with the maximum size set by batchSize and staying in pipeline for not longer
338 # than set by frequency
339 frequency = 5s
340 batchSize = 768K
341 # limit by the number of events (0 value has no limit on the number of events)
342 events = 50
343
344 # elasticsearch through proxy
345 proxyUrl =
346
347 # authentication with basic authorization (user:password)
348 proxyBasicAuth =
349
350 # Timeout specifies a time limit for requests made by collectord.
351 # The timeout includes connection time, any
352 # redirects, and reading the response body.
353 timeout = 30s
354
355 # gzip compression level (nocompression, default, 1...9)
356 compressionLevel = default
357
358 # number of dedicated elasticsearch output threads (to increase throughput above 4k events per second)
359 threads = 2
360 # Default algorithm between threads is roundrobin, but you can change it to weighted
361 threadsAlgorithm = roundrobin
362
363 # Submit objects to elasticsearch
364 put._ilm/policy/logs-collectord = /config/es-default-index-lifecycle-management-policy.json
365 put._index_template/logs-collectord-${COLLECTORD_VERSION} = /config/es-default-index-template.json
366 put._index_template/logs-collectord-failed-${COLLECTORD_VERSION} = /config/es-failed-index-template.json
367
368 # Dedicated queue size for the output, default is 1024, larger queue sizes will require more memory,
369 # but will allow to handle more events in case of network issues
370 queueSize = 1024
371
372 # Configure multiple outputs
373 # [output.elasticsearch::app1]
374 # host = http://esapp1:9200
375
376 002-daemonset.conf: |
377 # DaemonSet configuration is used for Nodes and Masters.
378
379# connection to CRIO
380 [general.cri-o]
381
382 # url for CRIO API, only unix socket is supported
383 url = unix:///rootfs/var/run/crio/crio.sock
384
385 # Timeout for http responses to docker client. The streaming requests depend on this timeout.
386 timeout = 1m
387
388 [general.containerd]
389
390 runtimePath = /rootfs/var/run/containerd
391 namespace = k8s.io
392
393 # Container Log files
394 [input.files]
395
396 # disable container logs monitoring
397 disabled = false
398
399 # root location of docker log files
400 # logs are expected in standard docker format like {containerID}/{containerID}-json.log
401 # rotated files
402 path = /rootfs/var/lib/docker/containers/
403 # root location of CRI-O (including Containerd) files
404 # logs are expected in Kubernetes format, like {podID}/{containerName}/0.log
405 crioPath = /rootfs/var/log/pods/
406
407 # files are read using polling schema, when reach the EOF how often to check if files got updated
408 pollingInterval = 250ms
409
410 # how often to look for the new files under logs path
411 walkingInterval = 5s
412
413 # override type
414 type = container
415
416 # override datastream
417 elasticsearch.datastream =
418
419 # docker splits events when they are larger than 10-100k (depends on the docker version)
420 # we join them together by default and forward to elasticsearch as one event
421 joinPartialEvents = true
422
423 # In case if your containers report messages with terminal colors or other escape sequences
424 # you can enable strip for all the containers in one place.
425 # Better is to enable it only for required container with the label collectord.io/strip-terminal-escape-sequences=true
426 stripTerminalEscapeSequences = false
428# Regexp used for stripping terminal colors, it does not strip all the escape sequences
428 # Read http://man7.org/linux/man-pages/man4/console_codes.4.html for more information
429 stripTerminalEscapeSequencesRegex = (\x1b\[\d{1,3}(;\d{1,3})*m)|(\x07)|(\x1b]\d+(\s\d)?;[^\x07]+\x07)|(.*\x1b\[K)
430
431 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
432 samplingPercent = -1
433
434 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
435 samplingKey =
436
437 # set output (elasticsearch or devnull, default is [general]defaultOutput)
438 output =
439
440 # configure default thruput per second for each container log
441 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
442 # from the single container to 128Kb per second.
443 thruputPerSecond =
444
445 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
446 # older than 7 days
447 tooOldEvents =
448
449 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
450 tooNewEvents =
451
452
453 # Application Logs
454 [input.app_logs]
455
456 # disable container application logs monitoring
457 disabled = false
458
459 # root location of mounts (applies to hostPath mounts only), if the hostPath differs inside container from the path on host
460 root = /rootfs/
461
462 # how often to review list of available volumes
463 syncInterval = 5s
464
465 # glob matching pattern for log files
466 glob = *.log*
467
468 # files are read using polling schema, when reach the EOF how often to check if files got updated
469 pollingInterval = 250ms
470
471 # how often to look for the new files under logs path
472 walkingInterval = 5s
473
474 # include verbose fields in events (file offset)
475 verboseFields = false
476
477 # override type
478 type = container.file
479
480 # override datastream
481 elasticsearch.datastream =
482
483 # we split files using new line character, with this configuration you can specify what defines the new event
484 # after new line
485 eventPatternRegex = ^[^\s]
486 # Maximum interval of messages in pipeline
487 eventPatternMaxInterval = 100ms
488 # Maximum time to wait for the messages in pipeline
489 eventPatternMaxWait = 1s
490 # Maximum message size
491 eventPatternMaxSize = 1MB
492
493 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
494 samplingPercent = -1
495
496 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
497 samplingKey =
498
499 # set output (elasticsearch or devnull, default is [general]defaultOutput)
500 output =
501
502# configure default thruput per second for each container log
503 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
504 # from the single container to 128Kb per second.
505 thruputPerSecond =
506
507 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
508 # older than 7 days
509 tooOldEvents =
510
511 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
512 tooNewEvents =
513
514 # Configure how long Collectord should keep the file descriptors open for files, that has not been forwarded yet
515 # When using PVC, and if pipeline is lagging behind, Collectord holding open fd for files, can cause long termination
516 # of pods, as kubelet cannot unmount the PVC volume from the system
517 maxHoldAfterClose = 1800s
518
519
520 # Host logs. Input syslog(.\d+)? files
521 [input.files::syslog]
522
523 # disable host level logs
524 disabled = false
525
526 # root location of docker files
527 path = /rootfs/var/log/
528
529 # regex matching pattern
530 match = ^(syslog|messages)(.\d+)?$
531
532 # limit search only on one level
533 recursive = false
534
535 # files are read using polling schema, when reach the EOF how often to check if files got updated
536 pollingInterval = 250ms
537
538# how often to look for the new files under logs path
539 walkingInterval = 5s
540
541 # include verbose fields in events (file offset)
542 verboseFields = false
543
544 # override type
545 type = file
546
547 # override datastream
548 elasticsearch.datastream =
549
550 # field extraction
551 extraction = ^(?P<timestamp>[A-Za-z]+\s+\d+\s\d+:\d+:\d+)\s(?P<log__syslog__hostname>[^\s]+)\s(?P<log__syslog__appname>[^:\[]+)(\[(?P<log__syslog__procid>\d+)\])?: (.+)$
552 # extractionMessageField =
553
554 # timestamp field
555 timestampField = timestamp
556
557 # format for timestamp
558 # the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
559 timestampFormat = Jan 2 15:04:05
560
561 # Adjust date, if month/day aren't set in format
562 timestampSetMonth = false
563 timestampSetDay = false
564
565 # timestamp location (if not defined by format)
566 timestampLocation = Local
567
568 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
569 samplingPercent = -1
570
571 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
572 samplingKey =
573
574 # set output (elasticsearch or devnull, default is [general]defaultOutput)
575 output =
576
577 # configure default thruput per second for this files group
578 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
579 # from the files in this group to 128Kb per second.
580 thruputPerSecond =
581
582 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
583 # older than 7 days
584 tooOldEvents =
585
586 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
587 tooNewEvents =
588
589 # by default every new event should start from not space symbol
590 eventPattern = ^[^\s]
591
592 # Blacklisting and whitelisting the logs
593 # whitelist.0 = ^regexp$
594 # blacklist.0 = ^regexp$
595
596
597 # Host logs. Input all *.log(.\d+)? files
598 [input.files::logs]
599
600 # disable host level logs
601 disabled = false
602
603 # root location of log files
604 path = /rootfs/var/log/
605
606 # regex matching pattern
607 match = ^(([\w\-.]+\.log(.[\d\-]+)?)|(docker))$
608
609 # files are read using polling schema, when reach the EOF how often to check if files got updated
610 pollingInterval = 250ms
611
612# how often to look for the new files under logs path
613 walkingInterval = 5s
614
615 # include verbose fields in events (file offset)
616 verboseFields = false
617
618 # override type
619 type = file
620
621 # override datastream
622 elasticsearch.datastream =
623
624 # field extraction
625 extraction =
626
627 # timestamp field
628 timestampField =
629
630 # format for timestamp
631 # the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
632 timestampFormat =
633
634 # timestamp location (if not defined by format)
635 timestampLocation =
636
637 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
638 samplingPercent = -1
639
640 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
641 samplingKey =
642
643 # set output (elasticsearch or devnull, default is [general]defaultOutput)
644 output =
645
646 # configure default thruput per second for this files group
647 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
648 # from the files in this group to 128Kb per second.
649 thruputPerSecond =
650
651 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
652 # older than 7 days
653 tooOldEvents =
654
655 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
656 tooNewEvents =
657
658 # by default every new event should start from not space symbol
659 eventPattern = ^[^\s]
660
661 # Blacklisting and whitelisting the logs
662 # whitelist.0 = ^regexp$
663 # blacklist.0 = ^regexp$
664
665
666 [input.journald]
667
668 # disable host level logs
669 disabled = false
670
671 # root location of log files
672 path.persistent = /rootfs/var/log/journal/
673 path.volatile = /rootfs/run/log/journal/
674
675 # when reach end of journald, how often to pull
676 pollingInterval = 250ms
677
678 # if you don't want to forward journald from the beginning,
679 # set the oldest event in relative value, like -14h or -30m or -30s (h/m/s supported)
680 startFromRel =
681
682 # override type
683 type = journald
684
685 # override datastream
686 elasticsearch.datastream =
687
688 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
689 samplingPercent = -1
690
691 # sampling key (should be regexp with the named match pattern `key`)
692 samplingKey =
693
694 # how often to reopen the journald to free old files
695 reopenInterval = 1h
696
697 # set output (elasticsearch or devnull, default is [general]defaultOutput)
698 output =
699
700 # configure default thruput per second for journald
701 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
702 # from the journald to 128Kb per second.
703 thruputPerSecond =
704
705 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
706 # older than 7 days
707 tooOldEvents =
708
709 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
710 tooNewEvents =
711
712 # by default every new event should start from not space symbol
713 eventPattern = ^[^\s]
714
715 # Blacklisting and whitelisting the logs
716 # whitelist.0 = ^regexp$
717 # blacklist.0 = ^regexp$
718
719 # Pipe to join events (container logs only)
720 [pipe.join]
721
722 # disable joining event
723 disabled = false
724
725 # Maximum interval of messages in pipeline
726 maxInterval = 100ms
727
728 # Maximum time to wait for the messages in pipeline
729 maxWait = 1s
730
731 # Maximum message size
732 maxSize = 1MB
733
734 # Default pattern to indicate new message (should start not from space)
735 patternRegex = ^[^\s]
736
737 # You can configure global replace rules for the events, which can help to remove sensitive data
738 # from logs before they are sent to Splunk. Those rules will be applied to all pipelines for container logs, host logs,
739 # application logs and events.
740 # In the following example we replace password=TEST with password=********
741 ; [pipe.replace::name]
742 ; patternRegex = (password=)([^\s]+)
743 ; replace = $1********
744
745 # You can configure global hash rules for the events, which can help to hide sensitive data
746 # from logs before they are sent to outputs. Those rules will be applied to all pipelines for container logs, host logs,
747 # application logs and events.
748 # In the following example we hash IP addresses with fnv-1a-64
749 ; [pipe.hash::name]
750; match = (\d{1,3}\.){3}\d{1,3}
751 ; function = fnv-1a-64
752
753 004-addon.conf: |
754 [ general ]
755
756 # addons can be run in parallel with agents
757 addon = true
758
759 [input.kubernetes_events]
760
761 # disable events
762 disabled = false
763
764 # override type
765 type = events
766
767 # override datastream
768 elasticsearch.datastream =
769
770 # set output (elasticsearch or devnull, default is [general]defaultOutput)
771 output =
772
773 # exclude managed fields from the metadata
774 excludeManagedFields = true
775
776 [input.kubernetes_watch::pods]
777
778 # disable events
779 disabled = false
780
781 # Set the timeout for how often watch request should refresh the whole list
782 refresh = 10m
783
784 apiVersion = v1
785 kind = Pod
786 namespace =
787 excludeManagedFields = true
788
789 # override type
790 type = objects
791
792 # override datastream
793 elasticsearch.datastream =
794
795 # set output (elasticsearch or devnull, default is [general]defaultOutput)
796 output =
797
798 # you can remove or hash some values in the events (after modifyValues you can define path in the JSON object,
799 # and the value can be hash:{hashFunction}, or remove to remove the object )
800 ; modifyValues.object.data.* = hash:sha256
801 ; modifyValues.object.metadata.annotations.* = remove
802
803 # You can exclude events by namespace with blacklist or whitelist only required namespaces
804 # blacklist.kubernetes_namespace = ^namespace0$
805 # whitelist.kubernetes_namespace = ^((namespace1)|(namespace2))$
806
807 [input.kubernetes_watch::deployments]
808
809 # disable events
810 disabled = false
811
812 # Set the timeout for how often watch request should refresh the whole list
813 refresh = 10m
814
815 apiVersion = apps/v1
816 kind = deployment
817 namespace =
818 excludeManagedFields = true
819
820 # override type
821 type = objects
822
823 # override datastream
824 elasticsearch.datastream =
825
826 # set output (elasticsearch or devnull, default is [general]defaultOutput)
827 output =
828
829 es-default-index-lifecycle-management-policy.json: |
830 {
831 "policy": {
832 "_meta": {
833 "description": "Default policy for Collectord indexes",
834 "version": 1
835 },
836 "phases": {
837 "hot": {
838 "min_age": "0ms",
839 "actions": {
840 "rollover": {
841 "max_primary_shard_size": "50gb",
842 "max_age": "30d"
843 }
844 }
845 }
846 }
847 }
848 }
849 es-default-index-template.json: |
850 {
851 "version": 1,
852 "data_stream": {},
853 "_meta": {
854 "description": "Default template for Collectord indexes"
855 },
856 "priority": 500,
857 "template": {
858 "settings": {
859 "index": {
860 "lifecycle": {
861 "name": "logs-collectord"
862 },
863 "refresh_interval": "5s",
864 "mapping": {
865 "total_fields": {
866 "limit": "10000"
867 }
868 },
869 "max_docvalue_fields_search": "200"
870 },
871 "query": {
872 "default_field": [
873 "message",
874 "container.name",
875 "container.image.name",
876 "host.name",
877 "orchestrator.namespace",
878 "orchestrator.cluster.name",
879 "container.name",
880 "kubernetes.pod.name",
881 "kubernetes.pod.id",
882 "kubernetes.pod.ip",
883 "kubernetes.namespace.name",
884 "kubernetes.node.name",
885 "kubernetes.cluster.name",
886 "kubernetes.replicaset.name",
887 "kubernetes.deployment.name",
888 "kubernetes.statefulset.name",
889 "kubernetes.daemonset.name",
890 "kubernetes.job.name",
891 "kubernetes.cronjob.name"
892 ]
893 }
894 },
895 "mappings": {
896 "dynamic_templates": [
897 {
898 "kubernetes.pod.labels.*": {
899 "path_match": "kubernetes.pod.labels.*",
900 "mapping": { "type": "keyword" },
901 "match_mapping_type": "*"
902 }
903 },
904 {
905 "kubernetes.namespace.labels.*": {
906 "path_match": "kubernetes.namespace.labels.*",
907 "mapping": { "type": "keyword" },
908 "match_mapping_type": "*"
909 }
910 },
911 {
912 "kubernetes.node.labels.*": {
913 "path_match": "kubernetes.node.labels.*",
914 "mapping": { "type": "keyword" },
915 "match_mapping_type": "*"
916 }
917 },
918 {
919 "kubernetes.daemonset.labels.*": {
920 "path_match": "kubernetes.daemonset.labels.*",
921 "mapping": { "type": "keyword" },
922 "match_mapping_type": "*"
923 }
924 },
925 {
926 "kubernetes.replicaset.labels.*": {
927 "path_match": "kubernetes.replicaset.labels.*",
928 "mapping": { "type": "keyword" },
929 "match_mapping_type": "*"
930 }
931 },
932 {
933 "kubernetes.deployment.labels.*": {
934 "path_match": "kubernetes.deployment.labels.*",
935 "mapping": { "type": "keyword" },
936 "match_mapping_type": "*"
937 }
938 },
939 {
940 "kubernetes.statefulset.labels.*": {
941 "path_match": "kubernetes.statefulset.labels.*",
942 "mapping": { "type": "keyword" },
943 "match_mapping_type": "*"
944 }
945 },
946 {
947 "kubernetes.job.labels.*": {
948 "path_match": "kubernetes.job.labels.*",
949 "mapping": { "type": "keyword" },
950 "match_mapping_type": "*"
951 }
952 },
953 {
954 "kubernetes.cronjob.labels.*": {
955 "path_match": "kubernetes.cronjob.labels.*",
956 "mapping": { "type": "keyword" },
957 "match_mapping_type": "*"
958 }
959 },
960 {
961 "strings_as_keyword": {
962 "mapping": { "ignore_above": 1024, "type": "keyword" },
963 "match_mapping_type": "string"
964 }
965 }
966 ],
967 "properties": {
968 "@timestamp": { "type": "date"},
969 "message":{"type":"match_only_text"},
970 "collectord_errors": {"type": "keyword","ignore_above": 1024},
971 "input":{"properties":{"type":{"ignore_above":1024,"type":"keyword"}}},
972 "container": {"properties": {
973 "name": { "ignore_above": 1024, "type": "keyword"},
974 "id": { "ignore_above": 1024, "type": "keyword"},
975 "runtime": {"ignore_above": 1024, "type": "keyword"},
976 "image": {"properties": {
977 "name": { "ignore_above": 1024, "type": "keyword"}
978 }}
979 }
980 },
981 "event": {"properties": {
982 "id": {"ignore_above": 1024, "type": "keyword"}
983 }},
984 "host": {"properties": {
985 "name": {"ignore_above": 1024, "type": "keyword"},
986 "architecture": {"ignore_above": 1024, "type": "keyword"},
987 "hostname": {"ignore_above": 1024, "type": "keyword"}
988 }},
989 "log": { "properties": {
990 "file": { "properties": {
991 "path": {"ignore_above": 1024, "type": "keyword"}
992 }},
993 "offset": {"type": "long"},
994 "syslog": {"properties": {
995 "appname": {"ignore_above": 1024, "type": "keyword"},
996 "facility": {"properties": {
997 "code": {"type": "long"}
998 }},
999 "priority": {"type": "long"},
1000 "procid": {"type": "long"},
1001 "hostname": {"ignore_above": 1024, "type": "keyword"}
1002 }}
1003 }},
1004 "orchestrator": {"properties": {
1005 "cluster": {"properties": {
1006 "name": {"ignore_above": 1024, "type": "keyword"}
1007 }},
1008 "namespace": {"properties": {
1009 "name":{"path":"kubernetes.namespace.name","type":"alias"}
1010 }},
1011 "type": {"ignore_above": 1024, "type": "keyword"}
1012 }},
1013 "stream": {"ignore_above": 1024, "type": "keyword"},
1014 "agent":{"properties":{
1015 "hostname":{"path":"agent.name","type":"alias"},
1016 "name":{"ignore_above":1024,"type":"keyword"},
1017 "id":{"ignore_above":1024,"type":"keyword"},
1018 "type":{"ignore_above":1024,"type":"keyword"},
1019 "ephemeral_id":{"ignore_above":1024,"type":"keyword"},
1020 "version":{"ignore_above":1024,"type":"keyword"}
1021 }},
1022 "ecs":{"properties":{"version":{"ignore_above":1024,"type":"keyword"}}},
1023 "kubernetes": { "properties": {
1024 "container": {"properties": {
1025 "imageid": {"ignore_above": 1024, "type": "keyword"}
1026 }},
1027 "host": {"properties": {
1028 "ip": {"type": "ip"}
1029 }},
1030 "namespace": {"properties": {
1031 "name": {"ignore_above": 1024, "type": "keyword"}
1032 }},
1033 "node": { "properties": {
1034 "id": {"ignore_above": 1024, "type": "keyword"},
1035 "name": {"ignore_above": 1024,"type": "keyword"}
1036 }},
1037 "pod": {"properties": {
1038 "id": {"ignore_above": 1024,"type": "keyword"},
1039 "ip": {"type": "ip"},
1040 "name": {"ignore_above": 1024,"type": "keyword"}
1041 }},
1042 "statefulset": { "properties": {
1043 "id": {"ignore_above": 1024,"type": "keyword"},
1044 "name": {"ignore_above": 1024,"type": "keyword"}
1045 }},
1046 "replicaset": {"properties": {
1047 "id": {"ignore_above": 1024,"type": "keyword"},
1048 "name": {"ignore_above": 1024, "type": "keyword"}
1049 }},
1050 "deployment": { "properties": {
1051 "id": {"ignore_above": 1024,"type": "keyword"},
1052 "name": {"ignore_above": 1024,"type": "keyword" }
1053 }},
1054 "cronjob": {"properties": {
1055 "id": {"ignore_above": 1024,"type": "keyword"},
1056 "name": {"ignore_above": 1024, "type": "keyword"}
1057 }},
1058 "job": {"properties": {
1059 "id": {"ignore_above": 1024,"type": "keyword"},
1060 "name": {"ignore_above": 1024, "type": "keyword"}
1061 }}
1062 }},
1063 "volume": {"properties": {
1064 "name": {"ignore_above": 1024,"type": "keyword"}
1065 }}
1066 }
1067 }
1068 },
1069 "index_patterns": ["logs-collectord-${COLLECTORD_VERSION}"]
1070 }
1071 es-failed-index-template.json: |
1072 {
1073 "version": 1,
1074 "data_stream": {},
1075 "_meta": {
1076 "description": "Default template for Collectord indexes for events that failed to be ingested"
1077 },
1078 "priority": 1000,
1079 "template": {
1080 "settings": {
1081 "index": {
1082 "lifecycle": {
1083 "name": "logs-collectord"
1084 },
1085 "refresh_interval": "5s",
1086 "mapping": {
1087 "total_fields": {
1088 "limit": "10000"
1089 }
1090 },
1091 "max_docvalue_fields_search": "200"
1092 },
1093 "query": {
1094 "default_field": [
1095 "message"
1096 ]
1097 }
1098 },
1099 "mappings": {
1100 "properties": {
1101 "@timestamp": {
1102 "type": "date"},
1103 "message": {
1104 "type": "match_only_text"}
1105 }
1106 }
1107 },
1108 "index_patterns": [
1109 "logs-collectord-failed-${COLLECTORD_VERSION}"]
1110 }
1111---
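apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: collectorforkubernetes-elasticsearch
  namespace: collectorforkubernetes
  labels:
    app: collectorforkubernetes-elasticsearch
spec:
  updateStrategy:
    type: RollingUpdate

  selector:
    matchLabels:
      daemon: collectorforkubernetes-elasticsearch

  template:
    metadata:
      name: collectorforkubernetes-elasticsearch
      labels:
        daemon: collectorforkubernetes-elasticsearch
    spec:
      priorityClassName: collectorforkubernetes-critical
      # The pod runs in the node's network namespace (hostNetwork); this DNS
      # policy keeps cluster-first resolution working in that mode.
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      serviceAccountName: collectorforkubernetes
      # Tolerate every NoSchedule/NoExecute taint so the collector lands on
      # all nodes, including control-plane and cordoned-for-maintenance nodes.
      tolerations:
        - operator: "Exists"
          effect: "NoSchedule"
        - operator: "Exists"
          effect: "NoExecute"
      containers:
        - name: collectorforkubernetes
          # Pinned to a release tag. Pinning by digest (image@sha256:<digest>)
          # would additionally protect against the tag being re-pointed in the
          # registry, which imagePullPolicy: Always would otherwise pick up.
          image: docker.io/outcoldsolutions/collectorforkubernetes:25.10.3
          imagePullPolicy: Always
          # Root + privileged: the container has full access to the node it
          # runs on. This is what lets it read container logs and host
          # metadata through /rootfs below; make sure the namespace is exempt
          # from (or explicitly allowed by) your pod security admission policy
          # and that the ServiceAccount is not reused by other workloads.
          securityContext:
            runAsUser: 0
            privileged: true
          # Define your resources if you need. Defaults should be fine for most.
          # You can lower or increase based on your hosts.
          resources:
            limits:
              cpu: 2000m
              memory: 512Mi
            requests:
              cpu: 200m
              memory: 192Mi
          env:
            - name: KUBERNETES_NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            # We store state in /data folder (file positions)
            - name: collectorforkubernetes-state
              mountPath: /data
            # Configuration file deployed with ConfigMap
            - name: collectorforkubernetes-config
              mountPath: /config/
              readOnly: true
            # Rootfs: the whole host filesystem, mounted writable.
            # NOTE(review): log and metadata collection is read-only by nature;
            # confirm whether collectord actually writes under /rootfs and set
            # readOnly: true if it does not. HostToContainer propagation makes
            # mounts created on the host after pod start visible here too.
            - name: rootfs
              mountPath: /rootfs/
              readOnly: false
              mountPropagation: HostToContainer
            # correct timezone
            - name: localtime
              mountPath: /etc/localtime
              readOnly: true
      volumes:
        # We store state directly on host, change this location, if
        # your persistent volume is somewhere else
        - name: collectorforkubernetes-state
          hostPath:
            path: /var/lib/collectorforkubernetes-elasticsearch/data/
            type: DirectoryOrCreate
        # Location of docker root (for container logs and metadata).
        # The path is the host root, not just the container runtime's
        # directory, so everything on the node is reachable from the pod.
        - name: rootfs
          hostPath:
            path: /
        # correct timezone
        - name: localtime
          hostPath:
            path: /etc/localtime
        # configuration from ConfigMap
        - name: collectorforkubernetes-config
          configMap:
            name: collectorforkubernetes-elasticsearch
            items:
              - key: 001-general.conf
                path: 001-general.conf
              - key: 002-daemonset.conf
                path: 002-daemonset.conf
              - key: es-default-index-template.json
                path: es-default-index-template.json
              - key: es-default-index-lifecycle-management-policy.json
                path: es-default-index-lifecycle-management-policy.json
              - key: es-failed-index-template.json
                path: es-failed-index-template.json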
1214---
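apiVersion: apps/v1
kind: Deployment
metadata:
  name: collectorforkubernetes-elasticsearch-addon
  namespace: collectorforkubernetes
  labels:
    app: collectorforkubernetes-elasticsearch
spec:
  # Single cluster-wide addon instance; the per-node work is done by the
  # DaemonSet of the same name (without the -addon suffix).
  replicas: 1

  # NOTE(review): this selector is identical to the DaemonSet's selector in
  # the same namespace. Kubernetes does not stop controllers from overlapping
  # on the same label, but distinct labels avoid confusion in tooling and in
  # any NetworkPolicy/PodSecurity rules keyed on this label. The selector is
  # immutable after creation, so changing it means recreating the Deployment.
  selector:
    matchLabels:
      daemon: collectorforkubernetes-elasticsearch

  template:
    metadata:
      name: collectorforkubernetes-elasticsearch-addon
      labels:
        daemon: collectorforkubernetes-elasticsearch
    spec:
      priorityClassName: collectorforkubernetes-critical
      serviceAccountName: collectorforkubernetes
      containers:
        - name: collectorforkubernetes
          # Same image and tag as the DaemonSet; keep them in sync on upgrade.
          image: docker.io/outcoldsolutions/collectorforkubernetes:25.10.3
          imagePullPolicy: Always
          # Root + privileged, as for the DaemonSet. This pod only mounts the
          # state directory and the ConfigMap, so the same privilege level may
          # be more than it needs; whether it can run unprivileged depends on
          # what 004-addon.conf makes it do, which is not visible here.
          securityContext:
            runAsUser: 0
            privileged: true
          resources:
            limits:
              cpu: 500m
              memory: 256Mi
            requests:
              cpu: 50m
              memory: 64Mi
          env:
            - name: KUBERNETES_NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            # State (file positions etc.) kept on the host
            - name: collectorforkubernetes-state
              mountPath: /data
            # Configuration from ConfigMap
            - name: collectorforkubernetes-config
              mountPath: /config/
              readOnly: true
      volumes:
        # Shares the state path with the DaemonSet. type: Directory (not
        # DirectoryOrCreate) means the pod will not start on a node where the
        # DaemonSet has not yet created this directory.
        - name: collectorforkubernetes-state
          hostPath:
            path: /var/lib/collectorforkubernetes-elasticsearch/data/
            type: Directory
        - name: collectorforkubernetes-config
          configMap:
            name: collectorforkubernetes-elasticsearch
            items:
              - key: 001-general.conf
                path: 001-general.conf
              - key: 004-addon.conf
                path: 004-addon.conf
              - key: es-default-index-template.json
                path: es-default-index-template.json
              - key: es-default-index-lifecycle-management-policy.json
                path: es-default-index-lifecycle-management-policy.json
              - key: es-failed-index-template.json
                path: es-failed-index-template.json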