Skip to content
share library_books

IBM Cloud Kubernetes Logs Integration

With this integration you can:

  • Forward all Containerd container logs
  • Use log globs to choose which container log files to tail
  • Drop noisy logs with dropEvents
  • Forward logs to different Apps
  • Enable Kubernetes audit logs

IBM Cloud Kubernetes uses Cointainerd as the container engine. In this case Logagent can't use the Docker remote API to retrieve logs and metadata. Instead, logs are collected from Containerd log files, which requires access to the relevant directories.

The Logagent input-filter for Containerd supports:

  • Tailing log files from /var/log/containers/, /var/log/pods and /var/data/kubeletlogs
  • Enrichment of logs with podName, namespace, containerName, containerId
  • Joining long log events over 4KB into one log event
  • Parsing Containerd log headers (timestamp, stream, flags)
  • Parsing message content with Logagent's parser library

Default Setup of IBM Cloud Kubernetes Logs

With the default setup you edit env vars to change the configuration.

Forward all Container Logs

Run Logagent as Kubernetes DaemonSet.

First, create the ibm-cloud-logagent-ds.yml DaemonSet file.

curl -o ibm-cloud-logagent-ds.yml  https://raw.githubusercontent.com/sematext/logagent-js/master/kubernetes/ibm-cloud-logagent-ds.yml

Set your LOGS_TOKEN in the spec.env section in the ibm-cloud-logagent-ds.yml file.

Then run the DaemonSet:

kubectl create -f ibm-cloud-logagent-ds.yml

Use LOG_GLOB to Filter Which Container Logs to Forward

Log globs make it easy to use wildcards to filter in/out which log files to tail. In the spec.env.LOG_GLOB env var you can set values not to include logs from certain containers. To read more about log globs, check this out.

Here's how you can exclude all logs from the kube-system namespace:

env:
  - name: LOG_GLOB
    value: "/var/log/containers/!(*kube-system*.log);/var/log/*.log"

Or, only include logs from the default namespace:

env:
  - name: LOG_GLOB
    value: "/var/log/containers/*default*.log;/var/log/*.log"

This is a quick way of including/excluding logs from containers.

Advanced Setup of IBM Cloud Kubernetes Logs

With the advanced setup you add a logagent.conf file as a ConfigMap to change the configuration. With this config file you have more control over the settings, including:

  • dropping logs
  • log routing
  • more fine tuned filtering
  • ability to add audit logs

1. Create a logagent.conf file

The logagent.conf is the main config file for Logagent.

# logagent.conf
options:
  debug: false

input: 
  files: 
    - /var/log/*.log
    - /var/log/containers/*.log

inputFilter:
  - module: input-filter-k8s-containerd

output:
  elasticsearch:
    module: elasticsearch
    url: https://logsene-receiver.sematext.com # for US
    # url: https://logsene-receiver.eu.sematext.com # for EU
    index: YOUR_SEMATEXT_LOGS_TOKEN

This particular config above will work the same as using the default setup with env vars. You may need to adjust the url to the Sematext region you are using.

2. Add the logagent.conf as a ConfigMap

Create the ConfigMap from the logagent.conf file. Run this command from the dir where you have the logagent.conf:

kubectl create configmap logagent-config --from-file=./logagent.conf

3. Create the Logagent DaemonSet

Create the ibm-cloud-logagent-with-config-ds.yml DaemonSet file.

curl -o ibm-cloud-logagent-with-config-ds.yml https://raw.githubusercontent.com/sematext/logagent-js/master/kubernetes/ibm-cloud-logagent-with-config-ds.yml 

You don't need to change anything as all the config is in logagent.conf, just run the DaemonSet:

kubectl create -f ibm-cloud-logagent-with-config-ds.yml

When you want to edit the config, change the logagent.conf, recreate the ConfigMap, restart the Logagent Pod to grab the new ConfigMap and you're done!

Continue reading below to see how to configure more advanced settings.

Drop Noisy Container Logs

Edit the logagent.conf to add the drop-events outputFilter.

# logagent.conf
options:
  debug: false

input: 
  files: 
    - /var/log/*.log
    - /var/log/containers/*.log

inputFilter:
  - module: input-filter-k8s-containerd

outputFilter:
  dropEvents:
    module: drop-events
    filters:
      message:
        include: !!js/regexp /critical|auth|error|failed/
        exclude: !!js/regexp /status/i

output:
  elasticsearch:
    module: elasticsearch
    url: https://logsene-receiver.sematext.com
    index: YOUR_SEMATEXT_LOGS_TOKEN

In the filters section you can pick a field to apply regex matching to. If there's a match you can either include or exclude that particular log line. The example above will include all log lines that match critical|auth|error|failed but exclude all that match status.

Forward Container Logs to Multiple Apps with Log Routing

To enable log routing you edit the output plugin to use multiple indices. Under the token value you need to add a regex for the log file you want to match.

# logagent.conf
options:
  debug: true

input: 
  files: 
    - /var/log/*.log
    - /var/log/containers/*.log

inputFilter:
  - module: input-filter-k8s-containerd

outputFilter:
  dropEventsFilter:
    module: drop-events
    filters:
      message:
        exclude: !!js/regexp /status/i

output:
  elasticsearch:
    module: elasticsearch
    url: https://logsene-receiver.sematext.com
    indices: 
      b0e9f481-xxxx-xxxx-xxxx-3ff20227d3d3: # All logs except kube-system
        - ^(?!.*(kube-system).*).*\.log
      9365eb2f-xxxx-xxxx-xxxx-5a833072353f: # Only kube-system logs
        - .*kube-system.*\.log

In place of b0e9f481-xxxx-xxxx-xxxx-3ff20227d3d3 and 9365eb2f-xxxx-xxxx-xxxx-5a833072353f in the example above you would use your own Sematext Apps logs tokens.

Enable Kubernetes Audit Logs

Create a Kubernetes Audit Logs App and a Generic Logs App.

Forwarding Kubernetes audit logs is similar to log routing. The prerequisite is to follow steps 1-9 in the official IBM docs here.

This will provision an audit webhook that will forward logs to a log file. With Logagent you can tail this file and forward logs to a Kubernetes Audit Logs App in Sematext.

In your logagent.conf, under the indices section, where you specify the token value for your Kubernetes Audit Logs App, you need to add a regex for the name of the audit webhook you created in the steps above. The name of this Pod is ibm-kube-audit.

# logagent.conf
options:
  debug: true

input: 
  files: 
    - /var/log/*.log
    - /var/log/containers/!(st-logagent*.log) # exclude Logagent's own logs

inputFilter:
  - module: input-filter-k8s-containerd

outputFilter:
  dropEventsFilter:
    module: drop-events
    filters:
      message:
        exclude: !!js/regexp /status/i

output:
  elasticsearch:
    module: elasticsearch
    url: https://logsene-receiver.sematext.com
    indices: 
      b0e9f481-xxxx-xxxx-xxxx-3ff20227d3d3: # generic logs app
        - ^(?!.*(ibm-kube-audit).*).*\.log
      9365eb2f-xxxx-xxxx-xxxx-5a833072353f: # kubernetes audit logs app
        - .*ibm-kube-audit.*\.log

This config will route all audit logs to your Kubernetes Audit Logs App and the other logs to your other Generic Logs App.

Note: Here's how you find the token after you create a Kubernetes Audit Logs App.

Need more help?

This was a brief overview of how to configure logging for IBM Cloud Kubernetes Service. If you have any more questions, feel free to reach out through the live chat or Twitter @sematext!