# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Docker daemon logs from the systemd journal, tagged cos_docker.
# The filter keys on _SYSTEMD_UNIT. Journal fields with a leading underscore
# are trusted fields: journald sets them itself and the process writing the
# entry cannot alter them.
<source>
@type systemd
filters [{ "_SYSTEMD_UNIT": "docker.service" }]
<storage>
@type local
persistent true
# On-disk state for this source (presumably the journal read position;
# confirm against the systemd input plugin in use).
path /var/log/google-fluentd/docker.log.pos
</storage>
# Start from the oldest available journal entries instead of only new ones.
read_from_head true
tag cos_docker
</source>
# Selected system services from the systemd journal, tagged cos_system.
# 'filters' holds two hashes: one listing _SYSTEMD_UNIT values and one with a
# SYSLOG_IDENTIFIER. Presumably an entry matching either hash is collected
# (confirm against the systemd input plugin's filter semantics).
# NOTE(review): _SYSTEMD_UNIT is a journald-trusted field, but
# SYSLOG_IDENTIFIER is supplied by whoever writes the entry. The
# "crash-sender.sh" match therefore selects entries that claim that
# identifier; it is not proof of which program wrote them.
<source>
@type systemd
filters [
{"_SYSTEMD_UNIT": [
"docker-events-collector.service",
"konlet-startup.service",
"kubelet.service",
"crash-reporter.service",
"crash-sender.service",
"crash-boot-collect.service",
"kdump-load-kernel.service",
"kdump-save-dump.service"]},
{"SYSLOG_IDENTIFIER": "crash-sender.sh"}]
<storage>
@type local
persistent true
# On-disk state for this source, separate from the other journal sources.
path /var/log/google-fluentd/system.log.pos
</storage>
# Start from the oldest available journal entries instead of only new ones.
read_from_head true
tag cos_system
</source>
# Journal entries whose SYSLOG_IDENTIFIER is "audit", tagged cos_audit.
# NOTE(review): SYSLOG_IDENTIFIER has no leading underscore, so journald takes
# it from the writer of the entry. This filter selects entries that carry the
# identifier "audit"; it does not by itself establish that they came from the
# audit subsystem. Consumers that alert on cos_audit and need provenance
# should also check journald's trusted fields on the record (for example
# _TRANSPORT, _PID, _UID), assuming this source forwards them; confirm.
<source>
@type systemd
filters [{ "SYSLOG_IDENTIFIER": "audit" }]
<storage>
@type local
persistent true
# On-disk state for this source, separate from the other journal sources.
path /var/log/google-fluentd/audit.log.pos
</storage>
# Start from the oldest available journal entries instead of only new ones.
read_from_head true
tag cos_audit
</source>
# Collects all journal entries of severity warning or more severe, i.e.
# syslog PRIORITY 0 (emerg) through 4 (warning); lower numbers are more severe.
# Add or remove PRIORITY values below to make it more/less verbose.
# This source filters on PRIORITY only, so an entry that also matches one of
# the unit-specific sources is presumably collected under both tags.
# NOTE(review): PRIORITY is set by the writer of the entry, not by journald.
<source>
@type systemd
filters [{ "PRIORITY": ["0", "1", "2", "3", "4"] }]
<storage>
@type local
persistent true
# On-disk state for this source, separate from the other journal sources.
path /var/log/google-fluentd/journal.pos
</storage>
# Start from the oldest available journal entries instead of only new ones.
read_from_head true
tag cos_journal_warning
</source>
# Docker container logs (when not running Kubernetes).
# This will collect logs from all containers using the json-file logging driver.
# To query logs for a specific container, use the filter below in GCP logging:
# jsonPayload.container_id=CONTAINER_ID
# Each line in these files is a JSON record; its 'log' value is whatever the
# container wrote to its output, so treat that content as untrusted.
<source>
@type tail
format json
# Event time is taken from the 'time' key of each JSON line, parsed with
# time_format below.
time_key time
path /var/lib/docker/containers/*/*.log
# Read offsets for the tailed files are kept here.
pos_file /var/log/google-fluentd/containers.log.pos
time_format %Y-%m-%dT%H:%M:%S.%N%Z
# The '*' is expanded from the file path, which is how the container id
# directory ends up in the tag (see tag_parts in the match block).
tag reform_containers.*
# Read existing file content from the beginning, not only newly appended lines.
read_from_head true
</source>
# Revise fields in container log records and re-emit them as cos_containers.
# enable_ruby true makes the ${...} placeholders below Ruby expressions that
# the agent evaluates. The expressions are fixed in this file and log content
# reaches them only as data (record[...] lookups). Keep it that way when
# editing: expression text should never be assembled from record values.
<match reform_containers.**>
@type record_reformer
enable_ruby true
<record>
# 1) Add container_id field in container logs.
# tag_parts[] looks like:
# ['reform_containers', 'var', 'lib', 'docker', 'containers', container_id]
# The id therefore comes from the log file's path, not from the log content.
cos.googleapis.com/container_id ${tag_parts[5]}
# 2) Rename field 'stream' to avoid collisions with container logs where
# users may also be using 'stream' as a key
cos.googleapis.com/stream ${record['stream']}
# 3) Rename field 'log' to a more generic field 'message'. This way Logs
# Explorer UI will display the log message as summary of the log entry.
message ${record['log']}
</record>
tag cos_containers
# Drop the original keys now that their values live under the new names.
remove_keys log,stream
</match>
# Parse message field in container log records as json, if applicable.
# NOTE(review): 'message' is whatever the container wrote, so the keys of a
# JSON payload are chosen by the workload. With reserve_data true the parsed
# keys are merged into the existing record; a payload key with the same name
# as an agent-set field (cos.googleapis.com/container_id,
# cos.googleapis.com/stream) would presumably replace it. Consumers that
# attribute logs by those fields should confirm this for the parser version in
# use. Nesting the parsed keys (hash_value_field) or prefixing them
# (inject_key_prefix) avoids the overlap but changes the record layout.
# NOTE(review): the json format may also adopt a 'time' key from the payload
# as the event time; reserve_time true keeps the time set by the tail source.
# Confirm before relying on event times for ordering or correlation.
<filter cos_containers.**>
@type parser
key_name message
# Keep the fields already on the record alongside the parsed ones.
reserve_data true
# Drop 'message' once it has been parsed (presumably only on a successful
# parse; confirm).
remove_key_name_field true
<parse>
@type multi_format
# multi_format will attempt to parse 'key_name' field from record based
# on 'format'. If a parse fails, it will move on to next 'format'.
<pattern>
# Attempt parsing as json
format json
</pattern>
<pattern>
# If above fails, leave as is (i.e. as text)
format none
</pattern>
</parse>
</filter>
# stackdriver-logging-agent handles sending logs to cloud logging.
# See https://cloud.google.com/logging/docs/agent/installation#configure for more details.