add_kubernetes_metadata processor: add support for "/var/log/containers/" log path #4981
Conversation
|
Can one of the admins verify this patch? |
|
ok to test |
| cid := "" | ||
| if strings.Contains(source, f.LogsPath) { | ||
| //Docker container is 64 chars in length | ||
| cid = source[len(f.LogsPath) : len(f.LogsPath)+64] | ||
| if f.LogsPath == "/var/log/containers/" && strings.HasSuffix(source, ".log") { |
There was a problem hiding this comment.
I'm not a big fan of hardcoding this kind of things in the code, but I think I can live with this one if everyone else is ok with it
There was a problem hiding this comment.
Me neither, but the existing method already looked like a "quick-and-dirty" solution, so I just continued this way.
I'm now working on an alternative, more generic solution that ignores the "logs_path" parameter (it's nowhere documented and it doesn't seem to be used anywhere else) and instead parses the source to extract the container ID. Will have that ready in two hours or so. Maybe that's better than this solution.
|
Thank you very much for your contribution!! Could you please add a |
|
I've implemented an alternative cleaner and more generic solution in #4995. |
|
I still prefer this one, it covers all default cases and still allows to change the default in case Docker is not under |
|
Sure, that's OK. But then it's also necessary to update the documentation at https://www.elastic.co/guide/en/beats/filebeat/master/add-kubernetes-metadata.html with something like this:
Also, the matcher might still throw a "slice bound out of range" runtime error if |
|
That would be awesome yes :), also please add an entry to CHANGELOG.asciidoc |
… path The add_kubernetes_metadata processor's LogPathMatcher could extract a Docker container ID - and hence enrich a log document with Kubernetes metadata - only if the log path was '/var/lib/docker/containers/'. With this commit, the LogPathMatcher can extract the container ID also from a '/var/log/containers/' log path (Kubernetes symlinks).
|
Done. Now checking for the |
| } | ||
| logp.Debug("kubernetes", "Using container id: %s", cid) | ||
| } else { | ||
| logp.Debug("kubernetes", "Error extracting container id - source value does not contain log path.") |
There was a problem hiding this comment.
You will need to refactor this logic after adding length checks, in case of wrong length the error won't be logged at the moment
| sourceLen := len(source) | ||
| logsPathLen := len(f.LogsPath) | ||
|
|
||
| if f.LogsPath == "/var/log/containers/" && strings.HasSuffix(source, ".log") && sourceLen >= containerIdLen + 4 { |
There was a problem hiding this comment.
strings.HasPrefix(f.LogsPath, "/var/log/containers") would be better here, as this is user input, it may not be exactly /var/log/containers/
|
Thanks for your comments. I've added another commit to address both issues. I check if the path starts with Also I duplicated these two lines, as it makes the code flow much easier to read: |
|
Nice, please review code format (you can run |
|
Sorry... I didn't know about the One question though: When formatted, the multi-line So you can't easily recognize anymore where the Would you prefer to write the |
|
I'm ok with the single line version too |
|
Hi @SvenWoltmann, we have found your signature in our records, but it seems like you have signed with a different e-mail than the one used in yout Git commit. Can you please add both of these e-mails into your Github profile (they can be hidden), so we can match your e-mails to your Github profile? |
|
Thank you for adding this feature @SvenWoltmann! |
|
Hi Guys, I hit this issue in 6.0.0-rc1. It seems that this change has not been applied to the 6.0 branch which I assume is the branch used for the release candidates (please correct me if I'm wrong). Although I understand why it would be considered a new feature, I would argue that since this the processor is beta and the change quite small it might be worth including. This is very confusing that /var/log/containers can't be a source in the current version (fluentd would be fine with it) |
|
Hi @Julion, the change went in after the freeze deadline for 6.0, it wasn't backported as it's not a bugfix, should make it to the next release (6.1) |
|
Hi Guys, Am I doing something wrong, or is it just not possible at the moment ? Thanks! |
|
Hi @jeremievallee, Please for questions use discuss: https://discuss.elastic.co/c/beats |
|
Hi @exekias, thanks for your message, I will do that now. 👍 |
Following up on this topic:
https://discuss.elastic.co/t/add-kubernetes-metadata-should-work-in-var-log-containers/97945
The Issue
The “add_kubernetes_metadata” processor should also work on the "/var/log/containers/" log path for the following reasons:
You may want to exclude log files from certain pods, e.g. the filebeat pod itself with the
exclude_files: ['filebeat-*.log']option. That would work only in/var/log/containers, as only the symlinks there contain the pod name.You may want to read only the log files of docker containers used by active Kubernetes pods, not any other docker containers running on the system now or in the past. That also works only by following the symlinks in
/var/log/containers.The “source” field in the log documents would be much more informative if it contained a value like
/var/log/containers/kube-proxy-4d7nt_kube-system_kube-proxy-1bddb0001161285462528b7170a53d13dfe4e17b541319485b9020eef5433266.loginstead of
/var/lib/docker/containers/1bddb0001161285462528b7170a53d13dfe4e17b541319485b9020eef5433266/1bddb0001161285462528b7170a53d13dfe4e17b541319485b9020eef5433266-json.logAbout the Pull Request
The pull requests contains a simple solution, in which the container ID is extracted in a different way when the logs_path matcher's
logs_pathsetting is "/var/log/containers/".So the processor needs to be configured like this:
However, it seems that the
logs_pathsetting is used only in the code that extracts the container ID from the source. Wouldn't it make more sense to extract the log path from thesourcevariable? Then thelogs_pathsetting can be removed and the processor can be used with it's default configuration: