Collectord configuration
collectorforkubernetes-opensearch.yaml
CURL
1curl -O https://www.outcoldsolutions.com/docs/elasticsearch-kubernetes/collectorforkubernetes-opensearch.yaml
WGET
1wget https://www.outcoldsolutions.com/docs/elasticsearch-kubernetes/collectorforkubernetes-opensearch.yaml
collectorforkubernetes.yaml
# Dedicated namespace for the collector. The ServiceAccount and the
# ConfigMap further down are created inside it.
apiVersion: v1
kind: Namespace
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
---
# Cluster-scoped CRD for collectord Configuration objects.
#
# `spec` is declared as an object with additionalProperties: true, so the API
# server accepts any keys and values under it and performs no validation of
# the collector configuration; only the top-level `force` flag is typed.
# The ClusterRole below grants the collector get/list/watch on these objects
# and 001-general.conf watches them (watch.configurations), so write access
# to collectord.io/configurations presumably amounts to the ability to
# reconfigure the collector — restrict it like the ConfigMap itself.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: configurations.collectord.io
spec:
  group: collectord.io
  scope: Cluster
  names:
    kind: Configuration
    singular: configuration
    plural: configurations
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            # free-form collector configuration; not validated server-side
            spec:
              type: object
              additionalProperties: true
            # boolean flag at the object's top level; semantics defined by
            # collectord, not documented in this manifest
            force:
              type: boolean

---
# Identity the collector pods run as; bound to the ClusterRole below.
# The collector reads the projected token from
# /var/run/secrets/kubernetes.io/serviceaccount/token (tokenPath in
# 001-general.conf), so everything the ClusterRole grants is reachable
# from every node the collector runs on.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: collectorforkubernetes
  namespace: collectorforkubernetes
  labels:
    app: collectorforkubernetes
---
# Scheduling priority for the collector pods.
# 1000000000 is the highest value Kubernetes allows for a user-defined
# PriorityClass (only system-* classes go higher). globalDefault is left at
# its default (false), so only pods that name this class get the priority;
# preemptionPolicy is also left at its default, so such pods may preempt
# lower-priority workloads when a node is full.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: collectorforkubernetes-critical
value: 1000000000
---
# Cluster-wide, read-only access used by the collector's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
rules:
  # PodSecurityPolicy `use` for the "privileged" policy. PSP under the
  # extensions group was removed in Kubernetes 1.16 and PSP altogether in
  # 1.25, so on current clusters this rule matches nothing and is inert; it
  # only has an effect on old clusters that still serve it.
  - apiGroups:
      - extensions
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - privileged
  # Read access to workload, node and cluster metadata. Entries worth a
  # second look before deploying:
  #   - secrets: get/list/watch on every Secret in the cluster. Because the
  #     token is mounted on every node, a single compromised collector pod
  #     can read all secrets. The shipped 004-addon.conf only watches Pods
  #     and Deployments; keep this entry only if you configure a watch that
  #     needs it, otherwise remove it (or narrow it with resourceNames).
  #   - nodes/proxy, nodes/metrics: read access to kubelet endpoints through
  #     the API server; needed for node metrics but, as far as I can tell,
  #     broader than metrics alone (kubelet also serves pod and log data).
  #   - clusterroles: read-only; 001-general.conf sets
  #     clusterRole = collectorforkubernetes so the collector can inspect its
  #     own grants and skip owners it may not read.
  - apiGroups:
      - ""
      - apps
      - batch
      - extensions
      - rbac.authorization.k8s.io
      - collectord.io
    resources:
      - alertmanagers
      - cronjobs
      - daemonsets
      - deployments
      - endpoints
      - events
      - jobs
      - namespaces
      - nodes
      - nodes/metrics
      - nodes/proxy
      - pods
      - replicasets
      - replicationcontrollers
      - scheduledjobs
      - services
      - statefulsets
      - persistentvolumeclaims
      - configurations
      - resourcequotas
      - clusterroles
      - secrets
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Scraping the API server's own /metrics endpoint (non-resource URL, so
  # apiGroups and resources are explicitly empty).
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
    apiGroups: []
    resources: []
---
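# Binds the cluster-wide ClusterRole above to the collector's ServiceAccount.
# ClusterRoleBinding is a cluster-scoped resource, so metadata.namespace does
# not apply to it (the API server silently clears it and manifest linters
# flag it); the field is intentionally omitted here. The subject keeps its
# namespace because a ServiceAccount is namespaced.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: collectorforkubernetes
subjects:
  - kind: ServiceAccount
    name: collectorforkubernetes
    namespace: collectorforkubernetes
---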
118apiVersion: v1
119kind: ConfigMap
120metadata:
121 name: collectorforkubernetes-elasticsearch
122 namespace: collectorforkubernetes
123 labels:
124 app: collectorforkubernetes-elasticsearch
125data:
126 001-general.conf: |
127 # The general configuration is used for all deployments
128 #
129 # Run collectord with the flag -conf and specify location of the configuration files.
130 #
131 # You can override all the values using environment variables with the format like
132 # COLLECTOR__<ANYNAME>=<section>__<key>=<value>
133 # As an example you can set dataPath in [general] section as
134 # COLLECTOR__DATAPATH=general__dataPath=C:\\some\\path\\data.db
135 # This parameter can be configured using -env-override, set it to empty string to disable this feature
136
137 [general]
138 # Please review license https://www.outcoldsolutions.com/docs/license-agreement/
139 # and accept license by changing the value to *true*
140 acceptLicense = false
141
142 # Location for the database
143 # Collectord stores positions of the files and internal state
144 dataPath = ./data/
145
146 # log level (accepted values are trace, debug, info, warn, error, fatal)
147 logLevel = info
148
149 # http server gives access to two endpoints
150 # /healthz
151 # /metrics/json
152 # /metrics/prometheus
153 httpServerBinding =
154
155 # telemetry report endpoint, set it to empty string to disable telemetry
156 telemetryEndpoint = https://license.outcold.solutions/telemetry/
157
158 # license check endpoint
159 licenseEndpoint = https://license.outcold.solutions/license/
160
161 # license server through proxy
162 licenseServerProxyUrl =
163
164 # authentication with basic authorization (user:password)
165 licenseServerProxyBasicAuth =
166
167 # license key
168 license =
169
170 # Environment variable $KUBERNETES_NODENAME is used by default to setup hostname
171 # Use value below to override specific name
172 # hostname = ${KUBERNETES_NODENAME}.second
173
174 # Default output for events, logs and metrics
175 # valid values: elasticsearch and devnull
176 # Use devnull by default if you don't want to redirect data
177 defaultOutput = elasticsearch
178
179 # Default buffer size for file input
180 fileInputBufferSize = 256b
181
182 # Maximum size of one line the file reader can read
183 fileInputLineMaxSize = 1mb
184
185 # Include custom fields to attach to every event, in example below every event sent to elasticsearch will have
186 # indexed field my_environment=dev. Fields names should match to ^[a-z][_a-z0-9\.]*$
187 # Better way to configure that is to specify labels for Kubernetes Nodes.
188 # ; fields.my_environment = dev
189 # Identify the cluster if you are planning to monitor multiple clusters
190 # For ElasticSearch look at the ECS (Elastic Common Schema) documentation https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html
191 fields.ecs.version = 8.0.0
192
193 fields.orchestrator.cluster.name = -
194 fields.orchestrator.type = kubernetes
195
196 fields.agent.type = collectord
197 fields.agent.version = ${COLLECTORD_VERSION}
198 fields.agent.ephemeral_id = ${COLLECTORD_INSTANCE_RUNTIME_ID}
199 fields.agent.id = ${COLLECTORD_INSTANCE_ID}
200 fields.agent.name = ${KUBERNETES_NODENAME}
201
202 fields.host.name = ${KUBERNETES_NODENAME}
203 fields.host.hostname = ${KUBERNETES_NODENAME}
204 fields.host.architecture = ${COLLECTORD_ARCH}
205
206 # Include EC2 Metadata (see list of possible fields https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
207 # Should be in format ec2Metadata.{desired_field_name} = {url path to read the value}
208 # ec2Metadata.cloud.instance.id = /latest/meta-data/instance-id
209 # ec2Metadata.cloud.machine.type = /latest/meta-data/instance-type
210
211 # subdomain for the annotations added to the pods, workloads, namespaces or containers, like elasticsearch.collectord.io/..
212 annotationsSubdomain = elasticsearch
213
214 # configure global thruput per second for forwarded logs (metrics are not included)
215 # for example if you set `thruputPerSecond = 512Kb`, that will limit amount of logs forwarded
216 # from the single Collectord instance to 512Kb per second.
217 # You can configure thruput individually for the logs (including specific for container logs) below
218 thruputPerSecond =
219 ; thruputPerSecond = 512Kb
220
221 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
222 # older than 7 days
223 tooOldEvents =
224
225 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
226 tooNewEvents =
227
228 [license.client]
229 # point to the license located on the HTTP web server, or a hosted by the Collectord running as license server
230 url =
231 # basic authentication for the HTTP server
232 basicAuth =
233 # if SSL, ignore the certificate verification
234 insecure = false
235 # CA Path for the Server certificate
236 capath =
238 # CA Name for the Server certificate
238 caname =
239 # license server through proxy
240 proxyUrl =
241 # authentication with basic authorization (user:password)
242 proxyBasicAuth =
243
244 # connection to kubernetes api
245 [general.kubernetes]
246
247 # Override service URL for Kubernetes (default is ${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT})
248 serviceURL =
249
250 # Environment variable $KUBERNETES_NODENAME is used by default to setup nodeName
251 # Use it only when you need to override it
252 nodeName =
253
254 # Configuration to access the API server,
255 # see https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
256 # for details
257 tokenPath = /var/run/secrets/kubernetes.io/serviceaccount/token
258 certPath = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
259
260 # Default timeout for http responses. The streaming/watch requests depend on this timeout.
261 timeout = 30m
262
263 # How long to keep the cache for the recent calls to API server (to limit number of calls when collectord discovers new pods)
264 metadataTTL = 30s
265
266 # path to the kubelet root location (use it to discover application logs for emptyDir)
267 # the expected format is `pods/{pod-id}/volumes/kubernetes.io~empty-dir/{volume-name}/_data/`
268 volumesRootDir = /rootfs/var/lib/kubelet/
269
270 # You can attach annotations as a metadata, using the format
271 # includeAnnotations.{key} = {regexp}
272 # For example if you want to include all annotations that starts with `prometheus.io` or `example.com` you can include
273 # the following format:
274 # includeAnnotations.1 = ^prometheus\.io.*
275 # includeAnnotations.2 = ^example\.com.*
276
277 # watch for changes (annotations) in the objects
278 watch.namespaces = v1/namespace
279 watch.deployments = apps/v1/deployment
280 watch.configurations = collectord.io/v1/configuration
281
282 # Collectord can review the assigned ClusterRole and traverse metadata for the Pods only for the Owner objects
283 # that are defined in the ClusterRole, ignoring anything else, it does not have access to.
284 # This way Collectord does not generate 403 requests on API Server
285 clusterRole = collectorforkubernetes
286
287 # Alternative of telling Collectord about the ClusterRole is to manually list the objects.
288 # You can define which objects Collectord should traverse when it sees Owners.
289 ; traverseOwnership.namespaces = v1/namespace
290
291
292 # ElasticSearch output
293 [output.elasticsearch]
294
295 # Default data stream name
296 dataStream = logs-collectord-{{agent.version}}
297 dataStreamFailedEvents = logs-collectord-failed-{{agent.version}}
298
299 # ElasticSearch Scheme Host and Port
300 host =
301
302 # You can specify multiple hosts with
303 #
304 # hosts.0 = https://es0:9200
305 # hosts.1 = https://es1:9200
306 # hosts.2 = https://es2:9200
307
308 # Specify how Hosts should be picked up (in case if multiple is used)
309 # * random - choose random url on first selection and after each failure (connection or HTTP status code >= 500)
310 # * round-robin - choose url starting from first one and bump on each failure (connection or HTTP status code >= 500)
311 # * random-with-round-robin - choose random url on first selection and after that in round-robin on each
312 # failure (connection or HTTP status code >= 500)
313 hostSelection = random-with-round-robin
314
315 # Configuration for basic authorization
316 authorizationBasicUsername =
317 authorizationBasicPassword =
318
319 # additional headers
320 headers.Content-Type = application/json
321 headers.Accept = application/json
322
323 # Allow invalid SSL server certificate
324 insecure = false
325
326 # Path to CA certificate
327 caPath =
328
329 # CA Name to verify
330 caName =
331
332 # path for client certificate (if required)
333 clientCertPath =
334
335 # path for a client key (if required)
336 clientKeyPath =
337
338 # Events are batched with the maximum size set by batchSize and staying in a pipeline for not longer
339 # than set by frequency
340 frequency = 5s
341 batchSize = 768K
342 # limit by the number of events (0 value has no limit on the number of events)
343 events = 50
344
345 # elasticsearch through proxy
346 proxyUrl =
347
348 # authentication with basic authorization (user:password)
349 proxyBasicAuth =
350
351 # Timeout specifies a time limit for requests made by collectord.
352 # The timeout includes connection time, any
353 # redirects, and reading the response body.
354 timeout = 30s
355
356 # gzip compression level (nocompression, default, 1...9)
357 compressionLevel = default
358
359 # number of dedicated elasticsearch output threads (to increase throughput above 4k events per second)
360 threads = 2
361 # Default algorithm between threads is roundrobin, but you can change it to weighted
362 threadsAlgorithm = roundrobin
363
364 # Submit objects to elasticsearch
365 #submit._ilm/policy/logs-collectord = /config/es-default-index-lifecycle-management-policy.json
366 put._index_template/logs-collectord-${COLLECTORD_VERSION} = /config/es-default-index-template.json
367 put._index_template/logs-collectord-failed-${COLLECTORD_VERSION} = /config/es-failed-index-template.json
368
369 # Dedicated queue size for the output, default is 1024, larger queue sizes will require more memory,
370 # but will allow to handle more events in case of network issues
371 queueSize = 1024
372
373 # Configure multiple outputs
374 # [output.elasticsearch::app1]
375 # host = http://esapp1:9200
376
377
378 002-daemonset.conf: |
379 # DaemonSet configuration is used for Nodes and Masters.
380
381 # connection to CRIO
382 [general.cri-o]
383
384 # url for CRIO API, only unix socket is supported
385 url = unix:///rootfs/var/run/crio/crio.sock
386
387 # Timeout for http responses to docker client. The streaming requests depend on this timeout.
388 timeout = 1m
389
390 [general.containerd]
391
392 runtimePath = /rootfs/var/run/containerd
393 namespace = k8s.io
394
395
396 # Container Log files
397 [input.files]
398
399 # disable container logs monitoring
400 disabled = false
401
402 # root location of docker log files
403 # logs are expected in standard docker format like {containerID}/{containerID}-json.log
404 # rotated files
405 path = /rootfs/var/lib/docker/containers/
406 # root location of CRI-O (including Containerd) files
407 # logs are expected in Kubernetes format, like {podID}/{containerName}/0.log
408 crioPath = /rootfs/var/log/pods/
409
410 # files are read using polling schema, when reach the EOF how often to check if files got updated
411 pollingInterval = 250ms
412
413 # how often to look for the new files under logs path
414 walkingInterval = 5s
415
416 # override type
417 type = container
418
419 # override datastream
420 elasticsearch.datastream =
421
422 # docker splits events when they are larger than 10-100k (depends on the docker version)
423 # we join them together by default and forward to elasticsearch as one event
424 joinPartialEvents = true
425
426 # In case if your containers report messages with terminal colors or other escape sequences
427 # you can enable strip for all the containers in one place.
428 # Better is to enable it only for required container with the label collectord.io/strip-terminal-escape-sequences=true
429 stripTerminalEscapeSequences = false
430 # Regexp used for stripping terminal colors, it does not strip all the escape sequences
431 # Read http://man7.org/linux/man-pages/man4/console_codes.4.html for more information
432 stripTerminalEscapeSequencesRegex = (\x1b\[\d{1,3}(;\d{1,3})*m)|(\x07)|(\x1b]\d+(\s\d)?;[^\x07]+\x07)|(.*\x1b\[K)
433
434 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
435 samplingPercent = -1
436
437 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
438 samplingKey =
439
440 # set output (elasticsearch or devnull, default is [general]defaultOutput)
441 output =
442
443 # configure default thruput per second for each container log
444 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
445 # from the single container to 128Kb per second.
446 thruputPerSecond =
447
448 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
449 # older than 7 days
450 tooOldEvents =
451
452 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
453 tooNewEvents =
454
455 # by default every new event should start from not space symbol
456 eventPattern = ^[^\s]
457
458
459 # Application Logs
460 [input.app_logs]
461
462 # disable container application logs monitoring
463 disabled = false
464
465 # root location of mounts (applies to hostPath mounts only), if the hostPath differs inside container from the path on host
466 root = /rootfs/
467
468 # how often to review list of available volumes
469 syncInterval = 5s
470
471 # glob matching pattern for log files
472 glob = *.log*
473
474 # files are read using polling schema, when reach the EOF how often to check if files got updated
475 pollingInterval = 250ms
476
477 # how often to look for the new files under logs path
478 walkingInterval = 5s
479
480 # include verbose fields in events (file offset)
481 verboseFields = false
482
483 # override type
484 type = container.file
485
486 # override datastream
487 elasticsearch.datastream =
488
489 # we split files using new line character, with this configuration you can specify what defines the new event
490 # after new line
491 eventPatternRegex = ^[^\s]
492 # Maximum interval of messages in pipeline
493 eventPatternMaxInterval = 100ms
494 # Maximum time to wait for the messages in pipeline
495 eventPatternMaxWait = 1s
496 # Maximum message size
497 eventPatternMaxSize = 1MB
498
499 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
500 samplingPercent = -1
501
502 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
503 samplingKey =
504
505 # set output (elasticsearch or devnull, default is [general]defaultOutput)
506 output =
507
508 # configure default thruput per second for each container log
509 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
510 # from the single container to 128Kb per second.
511 thruputPerSecond =
512
513 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
514 # older than 7 days
515 tooOldEvents =
516
517 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
518 tooNewEvents =
519
520 # Configure how long Collectord should keep the file descriptors open for files, that has not been forwarded yet
521 # When using PVC, and if pipeline is lagging behind, Collectord holding open fd for files, can cause long termination
522 # of pods, as kubelet cannot unmount the PVC volume from the system
523 maxHoldAfterClose = 1800s
524
525
526 # Host logs. Input syslog(.\d+)? files
527 [input.files::syslog]
528
529 # disable host level logs
530 disabled = false
531
532 # root location of docker files
533 path = /rootfs/var/log/
534
535 # regex matching pattern
536 match = ^(syslog|messages)(.\d+)?$
537
538 # limit search only on one level
539 recursive = false
540
541 # files are read using polling schema, when reach the EOF how often to check if files got updated
542 pollingInterval = 250ms
543
544 # how often to look for the new files under logs path
545 walkingInterval = 5s
546
547 # include verbose fields in events (file offset)
548 verboseFields = false
549
550 # override type
551 type = file
552
553 # override datastream
554 elasticsearch.datastream =
555
556 # field extraction
557 extraction = ^(?P<timestamp>[A-Za-z]+\s+\d+\s\d+:\d+:\d+)\s(?P<log__syslog__hostname>[^\s]+)\s(?P<log__syslog__appname>[^:\[]+)(\[(?P<log__syslog__procid>\d+)\])?: (.+)$
558 # extractionMessageField =
559
560 # timestamp field
561 timestampField = timestamp
562
563 # format for timestamp
564 # the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
565 timestampFormat = Jan 2 15:04:05
566
567 # Adjust date, if month/day aren't set in format
568 timestampSetMonth = false
569 timestampSetDay = false
570
571 # timestamp location (if not defined by format)
572 timestampLocation = Local
573
574 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
575 samplingPercent = -1
576
577 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
578 samplingKey =
579
580 # set output (elasticsearch or devnull, default is [general]defaultOutput)
581 output =
582
583 # configure default thruput per second for this files group
584 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
585 # from the files in this group to 128Kb per second.
586 thruputPerSecond =
587
588 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
589 # older than 7 days
590 tooOldEvents =
591
592 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
593 tooNewEvents =
594
595 # by default every new event should start from not space symbol
596 eventPattern = ^[^\s]
597
598 # Blacklisting and whitelisting the logs
599 # whitelist.0 = ^regexp$
600 # blacklist.0 = ^regexp$
601
602
603 # Host logs. Input all *.log(.\d+)? files
604 [input.files::logs]
605
606 # disable host level logs
607 disabled = false
608
609 # root location of log files
610 path = /rootfs/var/log/
611
612 # regex matching pattern
613 match = ^(([\w\-.]+\.log(.[\d\-]+)?)|(docker))$
614
615 # files are read using polling schema, when reach the EOF how often to check if files got updated
616 pollingInterval = 250ms
617
618 # how often to look for the new files under logs path
619 walkingInterval = 5s
620
621 # include verbose fields in events (file offset)
622 verboseFields = false
623
624 # override type
625 type = file
626
627 # override datastream
628 elasticsearch.datastream =
629
630 # field extraction
631 extraction =
632
633 # timestamp field
634 timestampField =
635
636 # format for timestamp
637 # the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
638 timestampFormat =
639
640 # timestamp location (if not defined by format)
641 timestampLocation =
642
643 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
644 samplingPercent = -1
645
646 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
647 samplingKey =
648
649 # set output (elasticsearch or devnull, default is [general]defaultOutput)
650 output =
651
652 # configure default thruput per second for this files group
653 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
654 # from the files in this group to 128Kb per second.
655 thruputPerSecond =
656
657 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
658 # older than 7 days
659 tooOldEvents =
660
661 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
662 tooNewEvents =
663
664 # by default every new event should start from not space symbol
665 eventPattern = ^[^\s]
666
667 # Blacklisting and whitelisting the logs
668 # whitelist.0 = ^regexp$
669 # blacklist.0 = ^regexp$
670
671
672 [input.journald]
673
674 # disable host level logs
675 disabled = false
676
677 # root location of log files
678 path.persistent = /rootfs/var/log/journal/
679 path.volatile = /rootfs/run/log/journal/
680
681 # when reach end of journald, how often to pull
682 pollingInterval = 250ms
683
684 # if you don't want to forward journald from the beginning,
685 # set the oldest event in relative value, like -14h or -30m or -30s (h/m/s supported)
686 startFromRel =
687
688 # override type
689 type = journald
690
691 # override datastream
692 elasticsearch.datastream =
693
694 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
695 samplingPercent = -1
696
697 # sampling key (should be regexp with the named match pattern `key`)
698 samplingKey =
699
700 # how often to reopen the journald to free old files
701 reopenInterval = 1h
702
703 # set output (elasticsearch or devnull, default is [general]defaultOutput)
704 output =
705
706 # configure default thruput per second for journald
707 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
708 # from the journald to 128Kb per second.
709 thruputPerSecond =
710
711 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
712 # older than 7 days
713 tooOldEvents =
714
715 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
716 tooNewEvents =
717
718 # by default every new event should start from not space symbol
719 eventPattern = ^[^\s]
720
721 # Blacklisting and whitelisting the logs
722 # whitelist.0 = ^regexp$
723 # blacklist.0 = ^regexp$
724
725 # Pipe to join events (container logs only)
726 [pipe.join]
727
728 # disable joining event
729 disabled = false
730
731 # Maximum interval of messages in pipeline
732 maxInterval = 100ms
733
734 # Maximum time to wait for the messages in pipeline
735 maxWait = 1s
736
737 # Maximum message size
738 maxSize = 1MB
739
740 # Default pattern to indicate new message (should start not from space)
741 patternRegex = ^[^\s]
742
743 # You can configure global replace rules for the events, which can help to remove sensitive data
744 # from logs before they are sent to outputs. Those rules will be applied to all pipelines for container logs, host logs,
745 # application logs and events.
746 # In the following example we replace password=TEST with password=********
747 ; [pipe.replace::name]
748 ; patternRegex = (password=)([^\s]+)
749 ; replace = $1********
750
751 # You can configure global hash rules for the events, which can help to hide sensitive data
752 # from logs before they are sent to outputs. Those rules will be applied to all pipelines for container logs, host logs,
753 # application logs and events.
754 # In the following example we hash IP addresses with fnv-1a-64
755 ; [pipe.hash::name]
756 ; match = (\d{1,3}\.){3}\d{1,3}
757 ; function = fnv-1a-64
758
759 004-addon.conf: |
760 [ general ]
761
762 # addons can be run in parallel with agents
763 addon = true
764
765 [input.kubernetes_events]
766
767 # disable events
768 disabled = false
769
770 # override type
771 type = events
772
773 # override datastream
774 elasticsearch.datastream =
775
776 # set output (elasticsearch or devnull, default is [general]defaultOutput)
777 output =
778
779 # exclude managed fields from the metadata
780 excludeManagedFields = true
781
782 [input.kubernetes_watch::pods]
783
784 # disable events
785 disabled = false
786
787 # Set the timeout for how often watch request should refresh the whole list
788 refresh = 10m
789
790 apiVersion = v1
791 kind = Pod
792 namespace =
793 excludeManagedFields = true
794
795 # override type
796 type = objects
797
798 # override datastream
799 elasticsearch.datastream =
800
801 # set output (elasticsearch or devnull, default is [general]defaultOutput)
802 output =
803
804 # you can remove or hash some values in the events (after modifyValues you can define path in the JSON object,
805 # and the value can be hash:{hashFunction}, or remove to remove the object )
806 ; modifyValues.object.data.* = hash:sha256
807 ; modifyValues.object.metadata.annotations.* = remove
808
809 # You can exclude events by namespace with blacklist or whitelist only required namespaces
810 # blacklist.kubernetes_namespace = ^namespace0$
811 # whitelist.kubernetes_namespace = ^((namespace1)|(namespace2))$
812
813 [input.kubernetes_watch::deployments]
814
815 # disable events
816 disabled = false
817
818 # Set the timeout for how often watch request should refresh the whole list
819 refresh = 10m
820
821 apiVersion = apps/v1
822 kind = Deployment
823 namespace =
824 excludeManagedFields = true
825
826 # override type
827 type = objects
828
829 # override datastream
830 elasticsearch.datastream =
831
832 # set output (elasticsearch or devnull, default is [general]defaultOutput)
833 output =
834
835 es-default-index-lifecycle-management-policy.json: |
836 {
837 "policy": {
838 "_meta": {
839 "description": "Default policy for Collectord indexes",
840 "version": 1
841 },
842 "phases": {
843 "hot": {
844 "min_age": "0ms",
845 "actions": {
846 "rollover": {
847 "max_primary_shard_size": "50gb",
848 "max_age": "30d"
849 }
850 }
851 }
852 }
853 }
854 }
855 es-default-index-template.json: |
856 {
857 "version": 1,
858 "data_stream": {},
859 "_meta": {
860 "description": "Default template for Collectord indexes"
861 },
862 "priority": 500,
863 "template": {
864 "settings": {
865 "index": {
866 "refresh_interval": "5s",
867 "mapping": {
868 "total_fields": {
869 "limit": "10000"
870 }
871 },
872 "max_docvalue_fields_search": "200"
873 },
874 "query": {
875 "default_field": [
876 "message",
877 "container.name",
878 "container.image.name",
879 "host.name",
880 "orchestrator.namespace",
881 "orchestrator.cluster.name",
882 "container.name",
883 "kubernetes.pod.name",
884 "kubernetes.pod.id",
885 "kubernetes.pod.ip",
886 "kubernetes.namespace.name",
887 "kubernetes.node.name",
888 "kubernetes.cluster.name",
889 "kubernetes.replicaset.name",
890 "kubernetes.deployment.name",
891 "kubernetes.statefulset.name",
892 "kubernetes.daemonset.name",
893 "kubernetes.job.name",
894 "kubernetes.cronjob.name"
895 ]
896 }
897 },
898 "mappings": {
899 "dynamic_templates": [
900 {
901 "kubernetes.pod.labels.*": {
902 "path_match": "kubernetes.pod.labels.*",
903 "mapping": { "type": "keyword" },
904 "match_mapping_type": "*"
905 }
906 },
907 {
908 "kubernetes.namespace.labels.*": {
909 "path_match": "kubernetes.namespace.labels.*",
910 "mapping": { "type": "keyword" },
911 "match_mapping_type": "*"
912 }
913 },
914 {
915 "kubernetes.node.labels.*": {
916 "path_match": "kubernetes.node.labels.*",
917 "mapping": { "type": "keyword" },
918 "match_mapping_type": "*"
919 }
920 },
921 {
922 "kubernetes.daemonset.labels.*": {
923 "path_match": "kubernetes.daemonset.labels.*",
924 "mapping": { "type": "keyword" },
925 "match_mapping_type": "*"
926 }
927 },
928 {
929 "kubernetes.replicaset.labels.*": {
930 "path_match": "kubernetes.replicaset.labels.*",
931 "mapping": { "type": "keyword" },
932 "match_mapping_type": "*"
933 }
934 },
935 {
936 "kubernetes.deployment.labels.*": {
937 "path_match": "kubernetes.deployment.labels.*",
938 "mapping": { "type": "keyword" },
939 "match_mapping_type": "*"
940 }
941 },
942 {
943 "kubernetes.statefulset.labels.*": {
944 "path_match": "kubernetes.statefulset.labels.*",
945 "mapping": { "type": "keyword" },
946 "match_mapping_type": "*"
947 }
948 },
949 {
950 "kubernetes.job.labels.*": {
951 "path_match": "kubernetes.job.labels.*",
952 "mapping": { "type": "keyword" },
953 "match_mapping_type": "*"
954 }
955 },
956 {
957 "kubernetes.cronjob.labels.*": {
958 "path_match": "kubernetes.cronjob.labels.*",
959 "mapping": { "type": "keyword" },
960 "match_mapping_type": "*"
961 }
962 },
963 {
964 "strings_as_keyword": {
965 "mapping": { "ignore_above": 1024, "type": "keyword" },
966 "match_mapping_type": "string"
967 }
968 }
969 ],
970 "properties": {
971 "@timestamp": { "type": "date"},
972 "message":{"type":"text"},
973 "collectord_errors": {"type": "keyword","ignore_above": 1024},
974 "input":{"properties":{"type":{"ignore_above":1024,"type":"keyword"}}},
975 "container": {"properties": {
976 "name": { "ignore_above": 1024, "type": "keyword"},
977 "id": { "ignore_above": 1024, "type": "keyword"},
978 "runtime": {"ignore_above": 1024, "type": "keyword"},
979 "image": {"properties": {
980 "name": { "ignore_above": 1024, "type": "keyword"}
981 }}
982 }
983 },
984 "event": {"properties": {
985 "id": {"ignore_above": 1024, "type": "keyword"}
986 }},
987 "host": {"properties": {
988 "name": {"ignore_above": 1024, "type": "keyword"},
989 "architecture": {"ignore_above": 1024, "type": "keyword"},
990 "hostname": {"ignore_above": 1024, "type": "keyword"}
991 }},
992 "log": { "properties": {
993 "file": { "properties": {
994 "path": {"ignore_above": 1024, "type": "keyword"}
995 }},
996 "offset": {"type": "long"},
997 "syslog": {"properties": {
998 "appname": {"ignore_above": 1024, "type": "keyword"},
999 "facility": {"properties": {
1000 "code": {"type": "long"}
1001 }},
1002 "priority": {"type": "long"},
1003 "procid": {"type": "long"},
1004 "hostname": {"ignore_above": 1024, "type": "keyword"}
1005 }}
1006 }},
1007 "orchestrator": {"properties": {
1008 "cluster": {"properties": {
1009 "name": {"ignore_above": 1024, "type": "keyword"}
1010 }},
1011 "namespace": {"properties": {
1012 "name":{"path":"kubernetes.namespace.name","type":"alias"}
1013 }},
1014 "type": {"ignore_above": 1024, "type": "keyword"}
1015 }},
1016 "stream": {"ignore_above": 1024, "type": "keyword"},
1017 "agent":{"properties":{
1018 "hostname":{"path":"agent.name","type":"alias"},
1019 "name":{"ignore_above":1024,"type":"keyword"},
1020 "id":{"ignore_above":1024,"type":"keyword"},
1021 "type":{"ignore_above":1024,"type":"keyword"},
1022 "ephemeral_id":{"ignore_above":1024,"type":"keyword"},
1023 "version":{"ignore_above":1024,"type":"keyword"}
1024 }},
1025 "ecs":{"properties":{"version":{"ignore_above":1024,"type":"keyword"}}},
1026 "kubernetes": { "properties": {
1027 "container": {"properties": {
1028 "imageid": {"ignore_above": 1024, "type": "keyword"}
1029 }},
1030 "host": {"properties": {
1031 "ip": {"type": "ip"}
1032 }},
1033 "namespace": {"properties": {
1034 "name": {"ignore_above": 1024, "type": "keyword"}
1035 }},
1036 "node": { "properties": {
1037 "id": {"ignore_above": 1024, "type": "keyword"},
1038 "name": {"ignore_above": 1024,"type": "keyword"}
1039 }},
1040 "pod": {"properties": {
1041 "id": {"ignore_above": 1024,"type": "keyword"},
1042 "ip": {"type": "ip"},
1043 "name": {"ignore_above": 1024,"type": "keyword"}
1044 }},
1045 "statefulset": { "properties": {
1046 "id": {"ignore_above": 1024,"type": "keyword"},
1047 "name": {"ignore_above": 1024,"type": "keyword"}
1048 }},
1049 "replicaset": {"properties": {
1050 "id": {"ignore_above": 1024,"type": "keyword"},
1051 "name": {"ignore_above": 1024, "type": "keyword"}
1052 }},
1053 "deployment": { "properties": {
1054 "id": {"ignore_above": 1024,"type": "keyword"},
1055 "name": {"ignore_above": 1024,"type": "keyword" }
1056 }},
1057 "cronjob": {"properties": {
1058 "id": {"ignore_above": 1024,"type": "keyword"},
1059 "name": {"ignore_above": 1024, "type": "keyword"}
1060 }},
1061 "job": {"properties": {
1062 "id": {"ignore_above": 1024,"type": "keyword"},
1063 "name": {"ignore_above": 1024, "type": "keyword"}
1064 }}
1065 }},
1066 "volume": {"properties": {
1067 "name": {"ignore_above": 1024,"type": "keyword"}
1068 }}
1069 }
1070 }
1071 },
1072 "index_patterns": ["logs-collectord-${COLLECTORD_VERSION}"]
1073 }
1074 es-failed-index-template.json: |
1075 {
1076 "version": 1,
1077 "data_stream": {},
1078 "_meta": {
1079 "description": "Default template for Collectord indexes for events that failed to be ingested"
1080 },
1081 "priority": 1000,
1082 "template": {
1083 "settings": {
1084 "index": {
1085
1086 "refresh_interval": "5s",
1087 "mapping": {
1088 "total_fields": {
1089 "limit": "10000"
1090 }
1091 },
1092 "max_docvalue_fields_search": "200"
1093 },
1094 "query": {
1095 "default_field": [
1096 "message"
1097 ]
1098 }
1099 },
1100 "mappings": {
1101 "properties": {
1102 "@timestamp": {
1103 "type": "date"},
1104 "message": {
1105 "type": "text"}
1106 }
1107 }
1108 },
1109 "index_patterns": [
1110 "logs-collectord-failed-${COLLECTORD_VERSION}"]
1111 }
1112---
# Per-node collector: one pod on every node (including tainted ones, see
# tolerations) that reads container logs and host metadata through the host
# mounts below and forwards them according to the configuration mounted from
# the collectorforkubernetes-elasticsearch ConfigMap (001-general.conf and
# 002-daemonset.conf).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: collectorforkubernetes-elasticsearch
  namespace: collectorforkubernetes
  labels:
    app: collectorforkubernetes-elasticsearch
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      daemon: collectorforkubernetes-elasticsearch
  template:
    metadata:
      name: collectorforkubernetes-elasticsearch
      labels:
        # NOTE(review): the addon Deployment later in this file selects on this
        # same label, so the two controllers have overlapping selectors.
        daemon: collectorforkubernetes-elasticsearch
    spec:
      # PriorityClass defined earlier in this file; keeps the collector from
      # being evicted ahead of regular workloads.
      priorityClassName: collectorforkubernetes-critical
      # Pod shares the node's network namespace; ClusterFirstWithHostNet keeps
      # cluster DNS resolution working when hostNetwork is set.
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      # ServiceAccount bound to the cluster-wide ClusterRole earlier in this
      # file (read access to most core/apps/batch resources, incl. secrets).
      serviceAccountName: collectorforkubernetes
      # An Exists toleration with no key matches every taint, so the pod is
      # also scheduled onto control-plane and otherwise tainted nodes.
      tolerations:
      - operator: "Exists"
        effect: "NoSchedule"
      - operator: "Exists"
        effect: "NoExecute"
      containers:
      - name: collectorforkubernetes
        # Image is referenced by tag only, and Always re-pulls on every pod
        # start, so whatever the tag resolves to at that moment is what runs.
        # Pin a digest (image@sha256:<digest>) if reproducible, auditable
        # rollouts are required.
        image: docker.io/outcoldsolutions/collectorforkubernetes:25.10.3
        imagePullPolicy: Always
        # Root + privileged: the container runs with the full capability set
        # and no seccomp/AppArmor restriction from the pod side. Presumably
        # required for the host-root mount and runtime access below — confirm
        # against the vendor documentation; this is the pod's widest blast
        # radius together with the rootfs volume.
        securityContext:
          runAsUser: 0
          privileged: true
        # Define your resources if you need. Defaults should be fine for most.
        # You can lower or increase based on your hosts.
        resources:
          limits:
            cpu: 2000m
            memory: 512Mi
          requests:
            cpu: 200m
            memory: 192Mi
        # Node and pod identity injected via the downward API; the collector
        # reads these to scope what it collects (exact use is in the config).
        env:
        - name: KUBERNETES_NODENAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        volumeMounts:
        # We store state in /data folder (file positions)
        - name: collectorforkubernetes-state
          mountPath: /data
        # Configuration file deployed with ConfigMap
        - name: collectorforkubernetes-config
          mountPath: /config/
          readOnly: true
        # Rootfs
        # The node's entire filesystem, mounted writable with HostToContainer
        # propagation (new host mounts become visible inside the container).
        # NOTE(review): the volume comment below describes this as a source of
        # container logs and metadata, i.e. reads; confirm whether the
        # collector ever writes under /rootfs — if not, readOnly: true
        # materially reduces what a compromised collector can do to the host.
        - name: rootfs
          mountPath: /rootfs/
          readOnly: false
          mountPropagation: HostToContainer
        # correct timezone
        - name: localtime
          mountPath: /etc/localtime
          readOnly: true
      volumes:
      # We store state directly on host, change this location, if
      # your persistent volume is somewhere else
      # DirectoryOrCreate: the kubelet creates this path on first scheduling.
      # The addon Deployment later in this file mounts the same host path
      # with type: Directory, so it relies on this DaemonSet having created it.
      - name: collectorforkubernetes-state
        hostPath:
          path: /var/lib/collectorforkubernetes-elasticsearch/data/
          type: DirectoryOrCreate
      # Location of docker root (for container logs and metadata)
      - name: rootfs
        hostPath:
          path: /
      # correct timezone
      - name: localtime
        hostPath:
          path: /etc/localtime
      # configuration from ConfigMap
      # Keys are enumerated explicitly, so adding a key to the ConfigMap does
      # not expose it to the pod unless it is listed here too.
      - name: collectorforkubernetes-config
        configMap:
          name: collectorforkubernetes-elasticsearch
          items:
          - key: 001-general.conf
            path: 001-general.conf
          - key: 002-daemonset.conf
            path: 002-daemonset.conf
          - key: es-default-index-template.json
            path: es-default-index-template.json
          - key: es-default-index-lifecycle-management-policy.json
            path: es-default-index-lifecycle-management-policy.json
          - key: es-failed-index-template.json
            path: es-failed-index-template.json
1213---
# Single-replica "addon" collector that runs alongside the per-node DaemonSet
# with its own configuration file (004-addon.conf). What it collects is
# defined in that file, not visible here; it has no host-network or host-root
# access, only the shared state directory and the ConfigMap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: collectorforkubernetes-elasticsearch-addon
  namespace: collectorforkubernetes
  labels:
    app: collectorforkubernetes-elasticsearch
spec:
  # One instance cluster-wide; RollingUpdate defaults apply, so a brief
  # overlap of old and new pod is possible during upgrades.
  replicas: 1

  # NOTE(review): this selector matches the same label the DaemonSet's pods
  # carry (daemon: collectorforkubernetes-elasticsearch). Kubernetes does not
  # prevent overlapping selectors between controllers but warns that they can
  # behave unexpectedly; a distinct label (e.g. daemon: ...-addon) would
  # separate them. spec.selector is immutable on an existing Deployment, so
  # changing it means deleting and recreating the object.
  selector:
    matchLabels:
      daemon: collectorforkubernetes-elasticsearch

  template:
    metadata:
      name: collectorforkubernetes-elasticsearch-addon
      labels:
        daemon: collectorforkubernetes-elasticsearch
    spec:
      priorityClassName: collectorforkubernetes-critical
      # Same ServiceAccount (and therefore the same ClusterRole) as the
      # DaemonSet.
      serviceAccountName: collectorforkubernetes
      containers:
      - name: collectorforkubernetes
        # Tag-only reference with Always pull policy: see the DaemonSet note;
        # pin a digest (image@sha256:<digest>) for reproducible rollouts.
        image: docker.io/outcoldsolutions/collectorforkubernetes:25.10.3
        imagePullPolicy: Always
        # NOTE(review): this pod has no hostPath mount other than its state
        # directory and no hostNetwork, yet it runs as privileged root. Confirm
        # whether the addon actually needs this; if not, dropping privileged
        # (and ideally running non-root) is the least-privilege configuration.
        securityContext:
          runAsUser: 0
          privileged: true
        resources:
          limits:
            cpu: 500m
            memory: 256Mi
          requests:
            cpu: 50m
            memory: 64Mi
        env:
        - name: KUBERNETES_NODENAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        volumeMounts:
        # State (file positions) persisted on the node, same mount point as in
        # the DaemonSet.
        - name: collectorforkubernetes-state
          mountPath: /data
        - name: collectorforkubernetes-config
          mountPath: /config/
          readOnly: true
      volumes:
      # Same host directory the DaemonSet uses for its state. type: Directory
      # means the kubelet will not create it: pod start fails unless the
      # DaemonSet (DirectoryOrCreate) has already run on the chosen node.
      # NOTE(review): on that node both pods then share this directory —
      # confirm the collector keys its state so the two do not clobber each
      # other.
      - name: collectorforkubernetes-state
        hostPath:
          path: /var/lib/collectorforkubernetes-elasticsearch/data/
          type: Directory
      # Only the keys listed here are projected; 004-addon.conf replaces the
      # DaemonSet's 002-daemonset.conf.
      - name: collectorforkubernetes-config
        configMap:
          name: collectorforkubernetes-elasticsearch
          items:
          - key: 001-general.conf
            path: 001-general.conf
          - key: 004-addon.conf
            path: 004-addon.conf
          - key: es-default-index-template.json
            path: es-default-index-template.json
          - key: es-default-index-lifecycle-management-policy.json
            path: es-default-index-lifecycle-management-policy.json
          - key: es-failed-index-template.json
            path: es-failed-index-template.json