# Dedicated namespace for the collector; every namespaced object in this
# manifest (ServiceAccount, ConfigMap) lives here.
apiVersion: v1
kind: Namespace
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
7---
# Cluster-scoped Configuration resource (collectord.io/v1). The collector
# watches these objects (see `watch.configurations` in the general config)
# so configuration can be changed without redeploying.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  # Must be <plural>.<group>.
  name: configurations.collectord.io
spec:
  group: collectord.io
  scope: Cluster
  names:
    kind: Configuration
    plural: configurations
    singular: configuration
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            # `spec` accepts arbitrary keys: no field-level validation is
            # applied by the API server for the configuration payload.
            spec:
              type: object
              additionalProperties: true
            force:
              type: boolean
32
33---
# Identity the collector pods run as. The ClusterRoleBinding in this manifest
# grants it the cluster-wide read ClusterRole; the token is read from the
# default projected path configured under [general.kubernetes].
apiVersion: v1
kind: ServiceAccount
metadata:
  name: collectorforkubernetes
  namespace: collectorforkubernetes
  labels:
    app: collectorforkubernetes
41---
# Priority class for the collector pods. 1e9 is the largest value permitted
# for a user-defined PriorityClass, so the collector is scheduled (and survives
# preemption) ahead of ordinary workloads. globalDefault stays at its default
# (false), so other pods are not affected.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: collectorforkubernetes-critical
value: 1000000000
47---
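# Cluster-wide permissions for the collector. Every resource rule is read-only
# (get/list/watch); the single write-like verb is PSP "use". Sequences are
# written in block style throughout for consistency with the rest of the file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
rules:
  # Allow the pods to be admitted under the "privileged" PodSecurityPolicy.
  # The PodSecurityPolicy API was removed in Kubernetes 1.25, so on such
  # clusters this rule is inert; it is kept for clusters that still run the
  # PSP admission plugin.
  - apiGroups:
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - privileged
    verbs:
      - use
  # Read access to the objects the collector uses to enrich and forward events.
  # NOTE(review): `secrets` and `configmaps` become readable in every
  # namespace, and `nodes/proxy` reaches the kubelet API. Remove the entries
  # your inputs do not require before installing in a shared cluster.
  - apiGroups:
      - ""
      - apps
      - batch
      - extensions
      - rbac.authorization.k8s.io
      - collectord.io
    resources:
      - alertmanagers
      - cronjobs
      - daemonsets
      - deployments
      - endpoints
      - events
      - jobs
      - namespaces
      - nodes
      - nodes/metrics
      - nodes/proxy
      - pods
      - replicasets
      - replicationcontrollers
      - scheduledjobs
      - services
      - statefulsets
      - persistentvolumeclaims
      - configurations
      - resourcequotas
      - clusterroles
      - secrets
      - configmaps
    verbs:
      - get
      - list
      - watch
  # API server metrics endpoint (non-resource URL); apiGroups/resources do not
  # apply to non-resource rules, so they are omitted.
  - nonResourceURLs:
      - /metrics
    verbs:
      - get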
101---
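# Binds the cluster-wide read ClusterRole to the collector's ServiceAccount.
# ClusterRoleBinding is cluster-scoped: a `metadata.namespace` on it has no
# effect (the API server clears it on create), so it is omitted here so the
# manifest does not suggest the binding is namespace-limited.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: collectorforkubernetes
  labels:
    app: collectorforkubernetes
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: collectorforkubernetes
subjects:
  # The subject's namespace is required: it identifies which ServiceAccount is bound.
  - kind: ServiceAccount
    name: collectorforkubernetes
    namespace: collectorforkubernetes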
117---
118apiVersion: v1
119kind: ConfigMap
120metadata:
121 name: collectorforkubernetes-elasticsearch
122 namespace: collectorforkubernetes
123 labels:
124 app: collectorforkubernetes-elasticsearch
125data:
126 001-general.conf: |
127 # The general configuration is used for all deployments
128 #
129 # Run collectord with the flag -conf and specify location of the configuration files.
130 #
131 # You can override all the values using environment variables with the format like
132 # COLLECTOR__<ANYNAME>=<section>__<key>=<value>
133 # As an example you can set dataPath in [general] section as
134 # COLLECTOR__DATAPATH=general__dataPath=C:\\some\\path\\data.db
135 # This parameter can be configured using -env-override, set it to empty string to disable this feature
136
137 [general]
138 # Please review license https://www.outcoldsolutions.com/docs/license-agreement/
139 # and accept license by changing the value to *true*
140 acceptLicense = false
141
142 # Location for the database
143 # Collectord stores positions of the files and internal state
144 dataPath = ./data/
145
146 # log level (accepted values are trace, debug, info, warn, error, fatal)
147 logLevel = info
148
149 # http server gives access to two endpoints
150 # /healthz
151 # /metrics/json
152 # /metrics/prometheus
153 httpServerBinding =
154
155 # telemetry report endpoint, set it to empty string to disable telemetry
156 telemetryEndpoint = https://license.outcold.solutions/telemetry/
157
158 # license check endpoint
159 licenseEndpoint = https://license.outcold.solutions/license/
160
161 # license server through proxy
162 licenseServerProxyUrl =
163
164 # authentication with basic authorization (user:password)
165 licenseServerProxyBasicAuth =
166
167 # license key
168 license =
169
170 # Environment variable $KUBERNETES_NODENAME is used by default to setup hostname
171 # Use value below to override specific name
172 # hostname = ${KUBERNETES_NODENAME}.second
173
174 # Default output for events, logs and metrics
175 # valid values: elasticsearch and devnull
176 # Use devnull by default if you don't want to redirect data
177 defaultOutput = elasticsearch
178
179 # Default buffer size for file input
180 fileInputBufferSize = 256b
181
182 # Maximum size of one line the file reader can read
183 fileInputLineMaxSize = 1mb
184
185 # Include custom fields to attach to every event, in example below every event sent to elasticsearch will have
186 # indexed field my_environment=dev. Fields names should match to ^[a-z][_a-z0-9\.]*$
187 # Better way to configure that is to specify labels for Kubernetes Nodes.
188 # ; fields.my_environment = dev
189 # Identify the cluster if you are planning to monitor multiple clusters
190 # For ElasticSearch look at the ECS (Elastic Common Schema) documentation https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html
191 fields.ecs.version = 8.0.0
192
193 fields.orchestrator.cluster.name = -
194 fields.orchestrator.type = kubernetes
195
196 fields.agent.type = collectord
197 fields.agent.version = ${COLLECTORD_VERSION}
198 fields.agent.ephemeral_id = ${COLLECTORD_INSTANCE_RUNTIME_ID}
199 fields.agent.id = ${COLLECTORD_INSTANCE_ID}
200 fields.agent.name = ${KUBERNETES_NODENAME}
201
202 fields.host.name = ${KUBERNETES_NODENAME}
203 fields.host.hostname = ${KUBERNETES_NODENAME}
204 fields.host.architecture = ${COLLECTORD_ARCH}
205
206 # Include EC2 Metadata (see list of possible fields https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)
207 # Should be in format ec2Metadata.{desired_field_name} = {url path to read the value}
208 # ec2Metadata.cloud.instance.id = /latest/meta-data/instance-id
209 # ec2Metadata.cloud.machine.type = /latest/meta-data/instance-type
210
211 # subdomain for the annotations added to the pods, workloads, namespaces or containers, like elasticsearch.collectord.io/..
212 annotationsSubdomain = elasticsearch
213
214 # configure global thruput per second for forwarded logs (metrics are not included)
215 # for example if you set `thruputPerSecond = 512Kb`, that will limit amount of logs forwarded
216 # from the single Collectord instance to 512Kb per second.
217 # You can configure thruput individually for the logs (including specific for container logs) below
218 thruputPerSecond =
219 ; thruputPerSecond = 512Kb
220
221 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
222 # older than 7 days
223 tooOldEvents =
224
225 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
226 tooNewEvents =
227
228 # Multi-output async publishing. When enabled (default), events routed to
229 # non-default outputs are published asynchronously so that a slow or down
230 # output does not block events destined for other outputs.
231 ; multioutput.async = true
232 # Buffer size for the async proxy (default 100). Absorbs transient bursts.
233 # When this buffer and the output's own queue are both full, events are
234 # dropped immediately without blocking the pipeline.
235 ; multioutput.asyncBufferSize = 100
236
237 [license.client]
238 # point to the license located on the HTTP web server, or a hosted by the Collectord running as license server
239 url =
240 # basic authentication for the HTTP server
241 basicAuth =
242 # if SSL, ignore the certificate verification
243 insecure = false
244 # CA Path for the Server certificate
245 capath =
246 # CA Name for the Server certificate
247 caname =
248 # license server through proxy
249 proxyUrl =
250 # authentication with basic authorization (user:password)
251 proxyBasicAuth =
252
253 # connection to kubernetes api
254 [general.kubernetes]
255
256 # Override service URL for Kubernetes (default is ${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT})
257 serviceURL =
258
259 # Environment variable $KUBERNETES_NODENAME is used by default to setup nodeName
260 # Use it only when you need to override it
261 nodeName =
262
263 # Configuration to access the API server,
264 # see https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
265 # for details
266 tokenPath = /var/run/secrets/kubernetes.io/serviceaccount/token
267 certPath = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
268
269 # Default timeout for http responses. The streaming/watch requests depend on this timeout.
270 timeout = 30m
271
272 # How long to keep the cache for the recent calls to API server (to limit number of calls when collectord discovers new pods)
273 metadataTTL = 30s
274
275 # path to the kubelet root location (use it to discover application logs for emptyDir)
276 # the expected format is `pods/{pod-id}/volumes/kubernetes.io~empty-dir/{volume-name}/_data/`
277 volumesRootDir = /rootfs/var/lib/kubelet/
278
279 # You can attach annotations as a metadata, using the format
280 # includeAnnotations.{key} = {regexp}
281 # For example if you want to include all annotations that starts with `prometheus.io` or `example.com` you can include
282 # the following format:
283 # includeAnnotations.1 = ^prometheus\.io.*
284 # includeAnnotations.2 = ^example\.com.*
285
286 # watch for changes (annotations) in the objects
287 watch.namespaces = v1/namespace
288 watch.deployments = apps/v1/deployment
289 watch.configurations = collectord.io/v1/configuration
290
291 # Collectord can review the assigned ClusterRole and traverse metadata for the Pods only for the Owner objects
292 # that are defined in the ClusterRole, ignoring anything else it does not have access to.
293 # This way Collectord does not generate 403 requests on API Server
294 clusterRole = collectorforkubernetes
295
296 # Alternative of telling Collectord about the ClusterRole is to manually list the objects.
297 # You can define which objects Collectord should traverse when it sees Owners.
298 ; traverseOwnership.namespaces = v1/namespace
299
300
301 # ElasticSearch output
302 [output.elasticsearch]
303
304 # Default data stream name
305 dataStream = logs-collectord-{{agent.version}}
306 dataStreamFailedEvents = logs-collectord-failed-{{agent.version}}
307
308 # ElasticSearch Scheme Host and Port
309 host =
310
311 # You can specify multiple hosts with
312 #
313 # hosts.0 = https://es0:9200
314 # hosts.1 = https://es1:9200
315 # hosts.2 = https://es2:9200
316
317 # Specify how Hosts should be picked up (in case if multiple is used)
318 # * random - choose random url on first selection and after each failure (connection or HTTP status code >= 500)
319 # * round-robin - choose url starting from first one and bump on each failure (connection or HTTP status code >= 500)
320 # * random-with-round-robin - choose random url on first selection and after that in round-robin on each
321 # failure (connection or HTTP status code >= 500)
322 hostSelection = random-with-round-robin
323
324 # Configuration for basic authorization
325 authorizationBasicUsername =
326 authorizationBasicPassword =
327
328 # additional headers
329 headers.Content-Type = application/json
330 headers.Accept = application/json
331
332 # Allow invalid SSL server certificate
333 insecure = false
334
335 # Path to CA certificate
336 caPath =
337
338 # CA Name to verify
339 caName =
340
341 # path for client certificate (if required)
342 clientCertPath =
343
344 # path for a client key (if required)
345 clientKeyPath =
346
347 # Events are batched with the maximum size set by batchSize and staying in a pipeline for not longer
348 # than set by frequency
349 frequency = 5s
350 batchSize = 768K
351 # limit by the number of events (0 value has no limit on the number of events)
352 events = 50
353
354 # elasticsearch through proxy
355 proxyUrl =
356
357 # authentication with basic authorization (user:password)
358 proxyBasicAuth =
359
360 # Timeout specifies a time limit for requests made by collectord.
361 # The timeout includes connection time, any
362 # redirects, and reading the response body.
363 timeout = 30s
364
365 # gzip compression level (nocompression, default, 1...9)
366 compressionLevel = default
367
368 # number of dedicated elasticsearch output threads (to increase throughput above 4k events per second)
369 threads = 2
370 # Default algorithm between threads is roundrobin, but you can change it to weighted
371 threadsAlgorithm = roundrobin
372
373 # Submit objects to elasticsearch
374 #submit._ilm/policy/logs-collectord = /config/es-default-index-lifecycle-management-policy.json
375 put._index_template/logs-collectord-${COLLECTORD_VERSION} = /config/es-default-index-template.json
376 put._index_template/logs-collectord-failed-${COLLECTORD_VERSION} = /config/es-failed-index-template.json
377
378 # Dedicated queue size for the output, default is 1024, larger queue sizes will require more memory,
379 # but will allow to handle more events in case of network issues
380 queueSize = 1024
381
382 # Configure multiple outputs
383 # [output.elasticsearch::app1]
384 # host = http://esapp1:9200
385
386
387 002-daemonset.conf: |
388 # DaemonSet configuration is used for Nodes and Masters.
389
390 // connection to CRIO
391 [general.cri-o]
392
393 # url for CRIO API, only unix socket is supported
394 url = unix:///rootfs/var/run/crio/crio.sock
395
396 # Timeout for http responses to docker client. The streaming requests depend on this timeout.
397 timeout = 1m
398
399 [general.containerd]
400
401 runtimePath = /rootfs/var/run/containerd
402 namespace = k8s.io
403
404
405 # Container Log files
406 [input.files]
407
408 # disable container logs monitoring
409 disabled = false
410
411 # root location of docker log files
412 # logs are expected in standard docker format like {containerID}/{containerID}-json.log
413 # rotated files
414 path = /rootfs/var/lib/docker/containers/
415 # root location of CRI-O (including Containerd) files
416 # logs are expected in Kubernetes format, like {podID}/{containerName}/0.log
417 crioPath = /rootfs/var/log/pods/
418
419 # files are read using polling schema, when reach the EOF how often to check if files got updated
420 pollingInterval = 250ms
421
422 # how often to look for the new files under logs path
423 walkingInterval = 5s
424
425 # override type
426 type = container
427
428 # override datastream
429 elasticsearch.datastream =
430
431 # docker splits events when they are larger than 10-100k (depends on the docker version)
432 # we join them together by default and forward to elasticsearch as one event
433 joinPartialEvents = true
434
435 # In case if your containers report messages with terminal colors or other escape sequences
436 # you can enable strip for all the containers in one place.
437 # Better is to enable it only for required container with the label collectord.io/strip-terminal-escape-sequences=true
438 stripTerminalEscapeSequences = false
439 # Regexp used for stripping terminal colors, it does not strip all the escape sequences
440 # Read http://man7.org/linux/man-pages/man4/console_codes.4.html for more information
441 stripTerminalEscapeSequencesRegex = (\x1b\[\d{1,3}(;\d{1,3})*m)|(\x07)|(\x1b]\d+(\s\d)?;[^\x07]+\x07)|(.*\x1b\[K)
442
443 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
444 samplingPercent = -1
445
446 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
447 samplingKey =
448
449 # set output (elasticsearch or devnull, default is [general]defaultOutput)
450 output =
451
452 # configure default thruput per second for each container log
453 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
454 # from the single container to 128Kb per second.
455 thruputPerSecond =
456
457 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
458 # older than 7 days
459 tooOldEvents =
460
461 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
462 tooNewEvents =
463
464 # by default every new event should start from not space symbol
465 eventPattern = ^[^\s]
466
467
468 # Application Logs
469 [input.app_logs]
470
471 # disable container application logs monitoring
472 disabled = false
473
474 # root location of mounts (applies to hostPath mounts only), if the hostPath differs inside container from the path on host
475 root = /rootfs/
476
477 # how often to review list of available volumes
478 syncInterval = 5s
479
480 # glob matching pattern for log files
481 glob = *.log*
482
483 # files are read using polling schema, when reach the EOF how often to check if files got updated
484 pollingInterval = 250ms
485
486 # how often to look for the new files under logs path
487 walkingInterval = 5s
488
489 # include verbose fields in events (file offset)
490 verboseFields = false
491
492 # override type
493 type = container.file
494
495 # override datastream
496 elasticsearch.datastream =
497
498 # we split files using new line character, with this configuration you can specify what defines the new event
499 # after new line
500 eventPatternRegex = ^[^\s]
501 # Maximum interval of messages in pipeline
502 eventPatternMaxInterval = 100ms
503 # Maximum time to wait for the messages in pipeline
504 eventPatternMaxWait = 1s
505 # Maximum message size
506 eventPatternMaxSize = 1MB
507
508 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
509 samplingPercent = -1
510
511 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
512 samplingKey =
513
514 # set output (elasticsearch or devnull, default is [general]defaultOutput)
515 output =
516
517 # configure default thruput per second for each container log
518 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
519 # from the single container to 128Kb per second.
520 thruputPerSecond =
521
522 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
523 # older than 7 days
524 tooOldEvents =
525
526 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
527 tooNewEvents =
528
529 # Configure how long Collectord should keep the file descriptors open for files, that has not been forwarded yet
530 # When using PVC, and if pipeline is lagging behind, Collectord holding open fd for files, can cause long termination
531 # of pods, as kubelet cannot unmount the PVC volume from the system
532 maxHoldAfterClose = 1800s
533
534
535 # Host logs. Input syslog(.\d+)? files
536 [input.files::syslog]
537
538 # disable host level logs
539 disabled = false
540
541 # root location of docker files
542 path = /rootfs/var/log/
543
544 # regex matching pattern
545 match = ^(syslog|messages)(.\d+)?$
546
547 # limit search only on one level
548 recursive = false
549
550 # files are read using polling schema, when reach the EOF how often to check if files got updated
551 pollingInterval = 250ms
552
553 # how often to look for the new files under logs path
554 walkingInterval = 5s
555
556 # include verbose fields in events (file offset)
557 verboseFields = false
558
559 # override type
560 type = file
561
562 # override datastream
563 elasticsearch.datastream =
564
565 # field extraction
566 extraction = ^(?P<timestamp>[A-Za-z]+\s+\d+\s\d+:\d+:\d+)\s(?P<log__syslog__hostname>[^\s]+)\s(?P<log__syslog__appname>[^:\[]+)(\[(?P<log__syslog__procid>\d+)\])?: (.+)$
567 # extractionMessageField =
568
569 # timestamp field
570 timestampField = timestamp
571
572 # format for timestamp
573 # the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
574 timestampFormat = Jan 2 15:04:05
575
576 # Adjust date, if month/day aren't set in format
577 timestampSetMonth = false
578 timestampSetDay = false
579
580 # timestamp location (if not defined by format)
581 timestampLocation = Local
582
583 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
584 samplingPercent = -1
585
586 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
587 samplingKey =
588
589 # set output (elasticsearch or devnull, default is [general]defaultOutput)
590 output =
591
592 # configure default thruput per second for this files group
593 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
594 # from the files in this group to 128Kb per second.
595 thruputPerSecond =
596
597 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
598 # older than 7 days
599 tooOldEvents =
600
601 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
602 tooNewEvents =
603
604 # by default every new event should start from not space symbol
605 eventPattern = ^[^\s]
606
607 # Blacklisting and whitelisting the logs
608 # whitelist.0 = ^regexp$
609 # blacklist.0 = ^regexp$
610
611
612 # Host logs. Input all *.log(.\d+)? files
613 [input.files::logs]
614
615 # disable host level logs
616 disabled = false
617
618 # root location of log files
619 path = /rootfs/var/log/
620
621 # regex matching pattern
622 match = ^(([\w\-.]+\.log(.[\d\-]+)?)|(docker))$
623
624 # files are read using polling schema, when reach the EOF how often to check if files got updated
625 pollingInterval = 250ms
626
627 # how often to look for the new files under logs path
628 walkingInterval = 5s
629
630 # include verbose fields in events (file offset)
631 verboseFields = false
632
633 # override type
634 type = file
635
636 # override datastream
637 elasticsearch.datastream =
638
639 # field extraction
640 extraction =
641
642 # timestamp field
643 timestampField =
644
645 # format for timestamp
646 # the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
647 timestampFormat =
648
649 # timestamp location (if not defined by format)
650 timestampLocation =
651
652 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
653 samplingPercent = -1
654
655 # sampling key for hash based sampling (should be regexp with the named match pattern `key`)
656 samplingKey =
657
658 # set output (elasticsearch or devnull, default is [general]defaultOutput)
659 output =
660
661 # configure default thruput per second for this files group
662 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
663 # from the files in this group to 128Kb per second.
664 thruputPerSecond =
665
666 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
667 # older than 7 days
668 tooOldEvents =
669
670 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
671 tooNewEvents =
672
673 # by default every new event should start from not space symbol
674 eventPattern = ^[^\s]
675
676 # Blacklisting and whitelisting the logs
677 # whitelist.0 = ^regexp$
678 # blacklist.0 = ^regexp$
679
680
681 [input.journald]
682
683 # disable host level logs
684 disabled = false
685
686 # root location of log files
687 path.persistent = /rootfs/var/log/journal/
688 path.volatile = /rootfs/run/log/journal/
689
690 # when reach end of journald, how often to pull
691 pollingInterval = 250ms
692
693 # if you don't want to forward journald from the beginning,
694 # set the oldest event in relative value, like -14h or -30m or -30s (h/m/s supported)
695 startFromRel =
696
697 # override type
698 type = journald
699
700 # override datastream
701 elasticsearch.datastream =
702
703 # sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
704 samplingPercent = -1
705
706 # sampling key (should be regexp with the named match pattern `key`)
707 samplingKey =
708
709 # how often to reopen the journald to free old files
710 reopenInterval = 1h
711
712 # set output (elasticsearch or devnull, default is [general]defaultOutput)
713 output =
714
715 # configure default thruput per second for journald
716 # for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
717 # from the journald to 128Kb per second.
718 thruputPerSecond =
719
720 # Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
721 # older than 7 days
722 tooOldEvents =
723
724 # Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
725 tooNewEvents =
726
727 # by default every new event should start from not space symbol
728 eventPattern = ^[^\s]
729
730 # Blacklisting and whitelisting the logs
731 # whitelist.0 = ^regexp$
732 # blacklist.0 = ^regexp$
733
734 # Pipe to join events (container logs only)
735 [pipe.join]
736
737 # disable joining event
738 disabled = false
739
740 # Maximum interval of messages in pipeline
741 maxInterval = 100ms
742
743 # Maximum time to wait for the messages in pipeline
744 maxWait = 1s
745
746 # Maximum message size
747 maxSize = 1MB
748
749 # Default pattern to indicate new message (should start not from space)
750 patternRegex = ^[^\s]
751
752 # You can configure global replace rules for the events, which can help to remove sensitive data
753 # from logs before they are sent to Splunk. Those rules will be applied to all pipelines for container logs, host logs,
754 # application logs and events.
755 # In the following example we replace password=TEST with password=********
756 ; [pipe.replace::name]
757 ; patternRegex = (password=)([^\s]+)
758 ; replace = $1********
759
760 # You can configure global hash rules for the events, which can help to hide sensitive data
761 # from logs before they are sent to outputs. Those rules will be applied to all pipelines for container logs, host logs,
762 # application logs and events.
763 # In the following example we hash IP addresses with fnv-1a-64
764 ; [pipe.hash::name]
765 ; match = (\d{1,3}\.){3}\d{1,3}
766 ; function = fnv-1a-64
767
768 004-addon.conf: |
769 [ general ]
770
771 # addons can be run in parallel with agents
772 addon = true
773
774 [input.kubernetes_events]
775
776 # disable events
777 disabled = false
778
779 # override type
780 type = events
781
782 # override datastream
783 elasticsearch.datastream =
784
785 # set output (elasticsearch or devnull, default is [general]defaultOutput)
786 output =
787
788 # exclude managed fields from the metadata
789 excludeManagedFields = true
790
791 [input.kubernetes_watch::pods]
792
793 # disable events
794 disabled = false
795
796 # Set the timeout for how often watch request should refresh the whole list
797 refresh = 10m
798
799 apiVersion = v1
800 kind = Pod
801 namespace =
802 excludeManagedFields = true
803
804 # override type
805 type = objects
806
807 # override datastream
808 elasticsearch.datastream =
809
810 # set output (elasticsearch or devnull, default is [general]defaultOutput)
811 output =
812
813 # you can remove or hash some values in the events (after modifyValues you can define path in the JSON object,
814 # and the value can be hash:{hashFunction}, or remove to remove the object )
815 ; modifyValues.object.data.* = hash:sha256
816 ; modifyValues.object.metadata.annotations.* = remove
817
818 # You can exclude events by namespace with blacklist or whitelist only required namespaces
819 # blacklist.kubernetes_namespace = ^namespace0$
820 # whitelist.kubernetes_namespace = ^((namespace1)|(namespace2))$
821
822 [input.kubernetes_watch::deployments]
823
824 # disable events
825 disabled = false
826
827 # Set the timeout for how often watch request should refresh the whole list
828 refresh = 10m
829
830 apiVersion = apps/v1
831 kind = Deployment
832 namespace =
833 excludeManagedFields = true
834
835 # override type
836 type = objects
837
838 # override datastream
839 elasticsearch.datastream =
840
841 # set output (elasticsearch or devnull, default is [general]defaultOutput)
842 output =
843
844 es-default-index-lifecycle-management-policy.json: |
845 {
846 "policy": {
847 "_meta": {
848 "description": "Default policy for Collectord indexes",
849 "version": 1
850 },
851 "phases": {
852 "hot": {
853 "min_age": "0ms",
854 "actions": {
855 "rollover": {
856 "max_primary_shard_size": "50gb",
857 "max_age": "30d"
858 }
859 }
860 }
861 }
862 }
863 }
864 es-default-index-template.json: |
865 {
866 "version": 1,
867 "data_stream": {},
868 "_meta": {
869 "description": "Default template for Collectord indexes"
870 },
871 "priority": 500,
872 "template": {
873 "settings": {
874 "index": {
875 "refresh_interval": "5s",
876 "mapping": {
877 "total_fields": {
878 "limit": "10000"
879 }
880 },
881 "max_docvalue_fields_search": "200"
882 },
883 "query": {
884 "default_field": [
885 "message",
886 "container.name",
887 "container.image.name",
888 "host.name",
889 "orchestrator.namespace",
890 "orchestrator.cluster.name",
891 "container.name",
892 "kubernetes.pod.name",
893 "kubernetes.pod.id",
894 "kubernetes.pod.ip",
895 "kubernetes.namespace.name",
896 "kubernetes.node.name",
897 "kubernetes.cluster.name",
898 "kubernetes.replicaset.name",
899 "kubernetes.deployment.name",
900 "kubernetes.statefulset.name",
901 "kubernetes.daemonset.name",
902 "kubernetes.job.name",
903 "kubernetes.cronjob.name"
904 ]
905 }
906 },
907 "mappings": {
908 "dynamic_templates": [
909 {
910 "kubernetes.pod.labels.*": {
911 "path_match": "kubernetes.pod.labels.*",
912 "mapping": { "type": "keyword" },
913 "match_mapping_type": "*"
914 }
915 },
916 {
917 "kubernetes.namespace.labels.*": {
918 "path_match": "kubernetes.namespace.labels.*",
919 "mapping": { "type": "keyword" },
920 "match_mapping_type": "*"
921 }
922 },
923 {
924 "kubernetes.node.labels.*": {
925 "path_match": "kubernetes.node.labels.*",
926 "mapping": { "type": "keyword" },
927 "match_mapping_type": "*"
928 }
929 },
930 {
931 "kubernetes.daemonset.labels.*": {
932 "path_match": "kubernetes.daemonset.labels.*",
933 "mapping": { "type": "keyword" },
934 "match_mapping_type": "*"
935 }
936 },
937 {
938 "kubernetes.replicaset.labels.*": {
939 "path_match": "kubernetes.replicaset.labels.*",
940 "mapping": { "type": "keyword" },
941 "match_mapping_type": "*"
942 }
943 },
944 {
945 "kubernetes.deployment.labels.*": {
946 "path_match": "kubernetes.deployment.labels.*",
947 "mapping": { "type": "keyword" },
948 "match_mapping_type": "*"
949 }
950 },
951 {
952 "kubernetes.statefulset.labels.*": {
953 "path_match": "kubernetes.statefulset.labels.*",
954 "mapping": { "type": "keyword" },
955 "match_mapping_type": "*"
956 }
957 },
958 {
959 "kubernetes.job.labels.*": {
960 "path_match": "kubernetes.job.labels.*",
961 "mapping": { "type": "keyword" },
962 "match_mapping_type": "*"
963 }
964 },
965 {
966 "kubernetes.cronjob.labels.*": {
967 "path_match": "kubernetes.cronjob.labels.*",
968 "mapping": { "type": "keyword" },
969 "match_mapping_type": "*"
970 }
971 },
972 {
973 "strings_as_keyword": {
974 "mapping": { "ignore_above": 1024, "type": "keyword" },
975 "match_mapping_type": "string"
976 }
977 }
978 ],
979 "properties": {
980 "@timestamp": { "type": "date"},
981 "message":{"type":"text"},
982 "collectord_errors": {"type": "keyword","ignore_above": 1024},
983 "input":{"properties":{"type":{"ignore_above":1024,"type":"keyword"}}},
984 "container": {"properties": {
985 "name": { "ignore_above": 1024, "type": "keyword"},
986 "id": { "ignore_above": 1024, "type": "keyword"},
987 "runtime": {"ignore_above": 1024, "type": "keyword"},
988 "image": {"properties": {
989 "name": { "ignore_above": 1024, "type": "keyword"}
990 }}
991 }
992 },
993 "event": {"properties": {
994 "id": {"ignore_above": 1024, "type": "keyword"}
995 }},
996 "host": {"properties": {
997 "name": {"ignore_above": 1024, "type": "keyword"},
998 "architecture": {"ignore_above": 1024, "type": "keyword"},
999 "hostname": {"ignore_above": 1024, "type": "keyword"}
1000 }},
1001 "log": { "properties": {
1002 "file": { "properties": {
1003 "path": {"ignore_above": 1024, "type": "keyword"}
1004 }},
1005 "offset": {"type": "long"},
1006 "syslog": {"properties": {
1007 "appname": {"ignore_above": 1024, "type": "keyword"},
1008 "facility": {"properties": {
1009 "code": {"type": "long"}
1010 }},
1011 "priority": {"type": "long"},
1012 "procid": {"type": "long"},
1013 "hostname": {"ignore_above": 1024, "type": "keyword"}
1014 }}
1015 }},
1016 "orchestrator": {"properties": {
1017 "cluster": {"properties": {
1018 "name": {"ignore_above": 1024, "type": "keyword"}
1019 }},
1020 "namespace": {"properties": {
1021 "name":{"path":"kubernetes.namespace.name","type":"alias"}
1022 }},
1023 "type": {"ignore_above": 1024, "type": "keyword"}
1024 }},
1025 "stream": {"ignore_above": 1024, "type": "keyword"},
1026 "agent":{"properties":{
1027 "hostname":{"path":"agent.name","type":"alias"},
1028 "name":{"ignore_above":1024,"type":"keyword"},
1029 "id":{"ignore_above":1024,"type":"keyword"},
1030 "type":{"ignore_above":1024,"type":"keyword"},
1031 "ephemeral_id":{"ignore_above":1024,"type":"keyword"},
1032 "version":{"ignore_above":1024,"type":"keyword"}
1033 }},
1034 "ecs":{"properties":{"version":{"ignore_above":1024,"type":"keyword"}}},
1035 "kubernetes": { "properties": {
1036 "container": {"properties": {
1037 "imageid": {"ignore_above": 1024, "type": "keyword"}
1038 }},
1039 "host": {"properties": {
1040 "ip": {"type": "ip"}
1041 }},
1042 "namespace": {"properties": {
1043 "name": {"ignore_above": 1024, "type": "keyword"}
1044 }},
1045 "node": { "properties": {
1046 "id": {"ignore_above": 1024, "type": "keyword"},
1047 "name": {"ignore_above": 1024,"type": "keyword"}
1048 }},
1049 "pod": {"properties": {
1050 "id": {"ignore_above": 1024,"type": "keyword"},
1051 "ip": {"type": "ip"},
1052 "name": {"ignore_above": 1024,"type": "keyword"}
1053 }},
1054 "statefulset": { "properties": {
1055 "id": {"ignore_above": 1024,"type": "keyword"},
1056 "name": {"ignore_above": 1024,"type": "keyword"}
1057 }},
1058 "replicaset": {"properties": {
1059 "id": {"ignore_above": 1024,"type": "keyword"},
1060 "name": {"ignore_above": 1024, "type": "keyword"}
1061 }},
1062 "deployment": { "properties": {
1063 "id": {"ignore_above": 1024,"type": "keyword"},
1064 "name": {"ignore_above": 1024,"type": "keyword" }
1065 }},
1066 "cronjob": {"properties": {
1067 "id": {"ignore_above": 1024,"type": "keyword"},
1068 "name": {"ignore_above": 1024, "type": "keyword"}
1069 }},
1070 "job": {"properties": {
1071 "id": {"ignore_above": 1024,"type": "keyword"},
1072 "name": {"ignore_above": 1024, "type": "keyword"}
1073 }}
1074 }},
1075 "volume": {"properties": {
1076 "name": {"ignore_above": 1024,"type": "keyword"}
1077 }}
1078 }
1079 }
1080 },
1081 "index_patterns": ["logs-collectord-${COLLECTORD_VERSION}"]
1082 }
1083 es-failed-index-template.json: |
1084 {
1085 "version": 1,
1086 "data_stream": {},
1087 "_meta": {
1088 "description": "Default template for Collectord indexes for events that failed to be ingested"
1089 },
1090 "priority": 1000,
1091 "template": {
1092 "settings": {
1093 "index": {
1094
1095 "refresh_interval": "5s",
1096 "mapping": {
1097 "total_fields": {
1098 "limit": "10000"
1099 }
1100 },
1101 "max_docvalue_fields_search": "200"
1102 },
1103 "query": {
1104 "default_field": [
1105 "message"
1106 ]
1107 }
1108 },
1109 "mappings": {
1110 "properties": {
1111 "@timestamp": {
1112 "type": "date"},
1113 "message": {
1114 "type": "text"}
1115 }
1116 }
1117 },
1118 "index_patterns": [
1119 "logs-collectord-failed-${COLLECTORD_VERSION}"]
1120 }
1121---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: collectorforkubernetes-elasticsearch
  name: collectorforkubernetes-elasticsearch
  namespace: collectorforkubernetes
spec:
  # One collector pod per node; pods are replaced node by node on upgrade.
  selector:
    matchLabels:
      daemon: collectorforkubernetes-elasticsearch
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        # NOTE(review): the addon Deployment in this file uses the same
        # `daemon:` label value, so label-based selection (kubectl -l,
        # Service/NetworkPolicy selectors) matches pods of both workloads.
        daemon: collectorforkubernetes-elasticsearch
      name: collectorforkubernetes-elasticsearch
    spec:
      serviceAccountName: collectorforkubernetes
      priorityClassName: collectorforkubernetes-critical
      # Pod shares the node network namespace; the DNS policy keeps
      # cluster DNS resolution working while on the host network.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      # Key-less `Exists` tolerations match every taint, so the collector
      # is also scheduled on control-plane and otherwise cordoned nodes.
      tolerations:
      - operator: 'Exists'
        effect: 'NoSchedule'
      - operator: 'Exists'
        effect: 'NoExecute'
      containers:
      - name: collectorforkubernetes
        # Tag-pinned image pulled on every start; pinning by digest gives a
        # stronger supply-chain guarantee than a mutable tag.
        image: docker.io/outcoldsolutions/collectorforkubernetes:26.04.1
        imagePullPolicy: Always
        # Privileged root container: together with the /rootfs mount below
        # this is effectively node-level access, so scope the node set and
        # the service-account bindings to what the collector needs.
        securityContext:
          privileged: true
          runAsUser: 0
        # Defaults sized for typical nodes; tune limits/requests to your
        # hosts and log volume.
        resources:
          requests:
            cpu: 200m
            memory: 192Mi
          limits:
            cpu: 2000m
            memory: 512Mi
        env:
        - name: KUBERNETES_NODENAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        volumeMounts:
        # Persistent collector state (file read positions) under /data.
        - name: collectorforkubernetes-state
          mountPath: /data
        # Collector configuration rendered from the ConfigMap, read-only.
        - name: collectorforkubernetes-config
          mountPath: /config/
          readOnly: true
        # Host root filesystem, mounted writable; HostToContainer makes
        # mounts created later on the host visible inside the container.
        # NOTE(review): if collectord only reads logs and metadata under
        # /rootfs, a read-only mount reduces blast radius — confirm against
        # the vendor documentation before changing.
        - name: rootfs
          mountPath: /rootfs/
          readOnly: false
          mountPropagation: HostToContainer
        # Node timezone so timestamps match the host.
        - name: localtime
          mountPath: /etc/localtime
          readOnly: true
      volumes:
      # State lives directly on the host; point this elsewhere if your
      # persistent storage is in a different location.
      - name: collectorforkubernetes-state
        hostPath:
          path: /var/lib/collectorforkubernetes-elasticsearch/data/
          type: DirectoryOrCreate
      # Host root, used to reach the container runtime's logs and metadata.
      - name: rootfs
        hostPath:
          path: /
      # Node timezone.
      - name: localtime
        hostPath:
          path: /etc/localtime
      # Configuration files projected from the ConfigMap.
      - name: collectorforkubernetes-config
        configMap:
          name: collectorforkubernetes-elasticsearch
          items:
          - key: 001-general.conf
            path: 001-general.conf
          - key: 002-daemonset.conf
            path: 002-daemonset.conf
          - key: es-default-index-template.json
            path: es-default-index-template.json
          - key: es-default-index-lifecycle-management-policy.json
            path: es-default-index-lifecycle-management-policy.json
          - key: es-failed-index-template.json
            path: es-failed-index-template.json
1222---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: collectorforkubernetes-elasticsearch
  name: collectorforkubernetes-elasticsearch-addon
  namespace: collectorforkubernetes
spec:
  # Single cluster-wide addon instance (cluster-level collection rather
  # than per-node).
  replicas: 1
  selector:
    matchLabels:
      daemon: collectorforkubernetes-elasticsearch
  template:
    metadata:
      labels:
        # NOTE(review): same `daemon:` label value as the DaemonSet pods in
        # this file; label selectors will match both workloads.
        daemon: collectorforkubernetes-elasticsearch
      name: collectorforkubernetes-elasticsearch-addon
    spec:
      serviceAccountName: collectorforkubernetes
      priorityClassName: collectorforkubernetes-critical
      containers:
      - name: collectorforkubernetes
        # Same tag-pinned image as the DaemonSet, pulled on every start;
        # a digest pin gives a stronger supply-chain guarantee.
        image: docker.io/outcoldsolutions/collectorforkubernetes:26.04.1
        imagePullPolicy: Always
        # Privileged root container without a host-root mount; review
        # whether the addon role actually needs `privileged`.
        securityContext:
          privileged: true
          runAsUser: 0
        resources:
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            cpu: 500m
            memory: 256Mi
        env:
        - name: KUBERNETES_NODENAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        volumeMounts:
        # Persistent collector state under /data.
        - name: collectorforkubernetes-state
          mountPath: /data
        # Collector configuration from the ConfigMap, read-only.
        - name: collectorforkubernetes-config
          mountPath: /config/
          readOnly: true
      volumes:
      # `type: Directory` requires the path to already exist on the node;
      # the DaemonSet in this file creates the same path with
      # DirectoryOrCreate, so this pod presumably relies on having run on a
      # node where the DaemonSet pod started first — confirm.
      - name: collectorforkubernetes-state
        hostPath:
          path: /var/lib/collectorforkubernetes-elasticsearch/data/
          type: Directory
      # Configuration files projected from the ConfigMap (addon config
      # instead of the DaemonSet's per-node config).
      - name: collectorforkubernetes-config
        configMap:
          name: collectorforkubernetes-elasticsearch
          items:
          - key: 001-general.conf
            path: 001-general.conf
          - key: 004-addon.conf
            path: 004-addon.conf
          - key: es-default-index-template.json
            path: es-default-index-template.json
          - key: es-default-index-lifecycle-management-policy.json
            path: es-default-index-lifecycle-management-policy.json
          - key: es-failed-index-template.json
            path: es-failed-index-template.json