| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| <system> |
| # By default, any logging related files should not be world readable. |
| # Some plugins may need explicit permissions set regardless of the |
| # value of this default system configuration key. |
| file_permission 0640 |
| </system> |
| |
| <source> |
| @type systemd |
| filters [{ "_SYSTEMD_UNIT": "docker.service" }] |
| <storage> |
| @type local |
| persistent true |
| path /var/log/google-fluentd/docker.log.pos |
| mode 0640 |
| </storage> |
| read_from_head true |
| tag cos_docker |
| </source> |
| |
| <source> |
| @type systemd |
| filters [ |
| {"_SYSTEMD_UNIT": [ |
| "docker-events-collector.service", |
| "konlet-startup.service", |
| "kubelet.service", |
| "crash-reporter.service", |
| "crash-sender.service", |
| "crash-boot-collect.service", |
| "kdump-load-kernel.service", |
| "kdump-save-dump.service", |
| "cis-level1.service", |
| "cis-level2.service", |
| "cis-compliance-scanner.service"]}, |
| {"SYSLOG_IDENTIFIER": "crash-sender.sh"}] |
| <storage> |
| @type local |
| persistent true |
| path /var/log/google-fluentd/system.log.pos |
| mode 0640 |
| </storage> |
| read_from_head true |
| tag cos_system |
| </source> |
| |
| <source> |
| @type systemd |
| filters [{ "SYSLOG_IDENTIFIER": "audit" }] |
| <storage> |
| @type local |
| persistent true |
| path /var/log/google-fluentd/audit.log.pos |
| mode 0640 |
| </storage> |
| read_from_head true |
| tag cos_audit |
| </source> |
| |
| # Collects all journal logs with priority >= warning |
| # Change priority levels to make it more/less verbose. |
| <source> |
| @type systemd |
| filters [{ "PRIORITY": ["0", "1", "2", "3", "4"] }] |
| <storage> |
| @type local |
| persistent true |
| path /var/log/google-fluentd/journal.pos |
| mode 0640 |
| </storage> |
| read_from_head true |
| tag cos_journal_warning |
| </source> |
| |
| # Docker container logs (when not running Kubernetes). |
| # This will collect logs from all containers using json file logging driver. |
| # To query logs for specific container, use below filter on GCP logging: |
| # jsonPayload.container_id=CONTAINER_ID |
| <source> |
| @type tail |
| format json |
| time_key time |
| path /var/lib/docker/containers/*/*.log |
| pos_file /var/log/google-fluentd/containers.log.pos |
| time_format %Y-%m-%dT%H:%M:%S.%N%Z |
| tag reform_containers.* |
| read_from_head true |
| </source> |
| |
| # Revise fields in container log records. |
| <match reform_containers.**> |
| @type record_reformer |
| enable_ruby true |
| <record> |
| # 1) Add container_id field in container logs. |
| # tag_parts[] looks like: |
| # ['reform_containers', 'var', 'lib', 'docker', 'containers', container_id] |
| cos.googleapis.com/container_id ${tag_parts[5]} |
| # 2) Rename field 'stream' to avoid collisions from container logs where |
| # users may be also using 'stream' as a key |
| cos.googleapis.com/stream ${record['stream']} |
| # 3) Record container_name from log attrs |
| cos.googleapis.com/container_name ${record.fetch('attrs', {}).fetch('tag', 'UNKNOWN')} |
| # 4) Rename field 'log' to a more generic field 'message'. This way Logs |
| # Explorer UI will display the log message as summary of the log entry. |
| message ${record['log']} |
| </record> |
| tag cos_containers |
| remove_keys attrs,log,stream |
| </match> |
| |
| # Parse message field in container log records as json, if applicable. |
| <filter cos_containers.**> |
| @type parser |
| key_name message |
| reserve_data true |
| remove_key_name_field true |
| <parse> |
| @type multi_format |
| # multi_format will attempt to parse 'key_name' field from record based |
| # on 'format'. If a parse fails, it will move on to next 'format'. |
| <pattern> |
| # Attempt parsing as json |
| format json |
| # Add support by default for multiple common time formats |
| time_type mixed |
| time_format %Y-%m-%dT%H:%M:%S.%N%Z |
| time_format_fallbacks float,unixtime |
| </pattern> |
| <pattern> |
| # If above fails, leave as is (i.e. as text) |
| format none |
| </pattern> |
| </parse> |
| </filter> |
| |
| # stackdriver-logging-agent handles sending logs to cloud logging. |
| # See https://cloud.google.com/logging/docs/agent/installation#configure for more details. |