blob: 4ca42232db070b47249424c942dc3f1e274554bb [file] [log] [blame]
# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
<system>
# By default, any logging related files should not be world readable.
# Some plugins may need explicit permissions set regardless of the
# value of this default system configuration key.
file_permission 0640
</system>
<source>
@type systemd
filters [{ "_SYSTEMD_UNIT": "docker.service" }]
<storage>
@type local
persistent true
path /var/log/google-fluentd/docker.log.pos
mode 0640
</storage>
read_from_head true
tag cos_docker
</source>
<source>
@type systemd
filters [
{"_SYSTEMD_UNIT": [
"docker-events-collector.service",
"konlet-startup.service",
"kubelet.service",
"crash-reporter.service",
"crash-sender.service",
"crash-boot-collect.service",
"kdump-load-kernel.service",
"kdump-save-dump.service",
"cis-level1.service",
"cis-level2.service",
"cis-compliance-scanner.service"]},
{"SYSLOG_IDENTIFIER": "crash-sender.sh"}]
<storage>
@type local
persistent true
path /var/log/google-fluentd/system.log.pos
mode 0640
</storage>
read_from_head true
tag cos_system
</source>
<source>
@type systemd
filters [{ "SYSLOG_IDENTIFIER": "audit" }]
<storage>
@type local
persistent true
path /var/log/google-fluentd/audit.log.pos
mode 0640
</storage>
read_from_head true
tag cos_audit
</source>
# Collects all journal logs with priority >= warning
# Change priority levels to make it more/less verbose.
<source>
@type systemd
filters [{ "PRIORITY": ["0", "1", "2", "3", "4"] }]
<storage>
@type local
persistent true
path /var/log/google-fluentd/journal.pos
mode 0640
</storage>
read_from_head true
tag cos_journal_warning
</source>
# Docker container logs (when not running Kubernetes).
# This will collect logs from all containers using json file logging driver.
# To query logs for specific container, use below filter on GCP logging:
# jsonPayload.container_id=CONTAINER_ID
<source>
@type tail
format json
time_key time
path /var/lib/docker/containers/*/*.log
pos_file /var/log/google-fluentd/containers.log.pos
time_format %Y-%m-%dT%H:%M:%S.%N%Z
tag reform_containers.*
read_from_head true
</source>
# Revise fields in container log records.
<match reform_containers.**>
@type record_reformer
enable_ruby true
<record>
# 1) Add container_id field in container logs.
# tag_parts[] looks like:
# ['reform_containers', 'var', 'lib', 'docker', 'containers', container_id]
cos.googleapis.com/container_id ${tag_parts[5]}
# 2) Rename field 'stream' to avoid collisions from container logs where
# users may be also using 'stream' as a key
cos.googleapis.com/stream ${record['stream']}
# 3) Record container_name from log attrs
cos.googleapis.com/container_name ${record.fetch('attrs', {}).fetch('tag', 'UNKNOWN')}
# 4) Rename field 'log' to a more generic field 'message'. This way Logs
# Explorer UI will display the log message as summary of the log entry.
message ${record['log']}
</record>
tag cos_containers
remove_keys attrs,log,stream
</match>
# Parse message field in container log records as json, if applicable.
<filter cos_containers.**>
@type parser
key_name message
reserve_data true
remove_key_name_field true
<parse>
@type multi_format
# multi_format will attempt to parse 'key_name' field from record based
# on 'format'. If a parse fails, it will move on to next 'format'.
<pattern>
# Attempt parsing as json
format json
# Add support by default for multiple common time formats
time_type mixed
time_format %Y-%m-%dT%H:%M:%S.%N%Z
time_format_fallbacks float,unixtime
</pattern>
<pattern>
# If above fails, leave as is (i.e. as text)
format none
</pattern>
</parse>
</filter>
# stackdriver-logging-agent handles sending logs to cloud logging.
# See https://cloud.google.com/logging/docs/agent/installation#configure for more details.