Nginx Ingress Log Shipping
Kubernetes is gaining popularity every day. Using an Ingress controller is the preferred method of allowing external access to the services in a cluster. This makes Ingress logs incredibly important for tracking the performance of your services, issues, bugs, and the security of your cluster.
Ship Ingress logs¶
Note: Make sure that the following prerequisites are met before continuing:
Enable JSON logging, by updating the Ingress config section:
defaultBackend:
replicaCount: 2
controller:
kind: DaemonSet
extraEnvs:
- name: LOGS_TOKEN
value: "<YOUR_LOGS_TOKEN>"
config:
use-forwarded-headers: "true"
use-geoip: "false"
use-geoip2: "false"
log-format-escape-json: "true"
log-format-upstream: '{
"@timestamp": "$time_iso8601",
"remote_addr": "$remote_addr",
"x-forward-for": "$proxy_add_x_forwarded_for",
"request_id": "$req_id",
"remote_user": "$remote_user",
"bytes_sent": $bytes_sent,
"request_time": $request_time,
"status": $status,
"vhost": "$host",
"request_proto": "$server_protocol",
"path": "$uri",
"request_query": "$args",
"request_length": $request_length,
"duration": $request_time,
"method": "$request_method",
"http_referrer": "$http_referer",
"http_user_agent": "$http_user_agent"
}'
To limit log collection to the default and ingress namespaces, use the MATCH_BY_NAME option.
Create an agent.yaml file that looks like this:
region: US
logsToken: "<YOUR_LOGS_TOKEN>"
logagent:
config:
MATCH_BY_NAME: .*_(default|ingress)_.*
Setup Logagent to parse and ship logs:
helm install --name agent stable/sematext-agent -f agent.yaml
Remove log enrichment¶
Some of the larger fields like container, labels and logSource are added by Logagent for better context. These can be removed by using the REMOVE_FIELDS option in Logagent:
Add the REMOVE_FIELDS option to your agent.yaml:
region: US
logsToken: "<YOUR_LOGS_TOKEN>"
logagent:
config:
MATCH_BY_NAME: .*_(default|ingress)_.*
REMOVE_FIELDS: container,labels,logSource
Run the Helm upgrade command:
helm upgrade agent stable/sematext-agent -f agent.yaml
Remove unneeded fields¶
The same thing can be done by removing the unneeded fields from the Nginx Ingress log format.
log-format-upstream: '{
"@timestamp": "$time_iso8601",
"remote_addr": "$remote_addr",
"bytes_sent": $bytes_sent,
"request_time": $request_time,
"status": $status,
"vhost": "$host",
"request_proto": "$server_protocol",
"path": "$uri",
"request_query": "$args",
"request_length": $request_length,
"duration": $request_time,
"method": "$request_method",
"http_user_agent": "$http_user_agent"
}'
Remove unneeded logs¶
To reduce logs size even further, some of the logs can be dropped. For example the 2xx requests can filtered by using the IGNORE_LOGS_PATTERN option in Logagent:
Add the IGNORE_LOGS_PATTERN option to your agent.yaml:
region: US
logsToken: "<YOUR_LOGS_TOKEN>"
logagent:
config:
MATCH_BY_NAME: .*_(default|ingress)_.*
REMOVE_FIELDS: container,labels,logSource
IGNORE_LOGS_PATTERN: \"status\":\s20
Run the Helm upgrade once again:
helm upgrade agent stable/sematext-agent -f agent.yaml
By using MATCH_BY_NAME you can limit log collection to desired namespaces. Unneeded fields can be removed using REMOVE_FIELDS in the configuration. Even entire log lines can be ignored with IGNORE_LOGS_PATTERN. Logagent makes it easy to slim down any logs with very little effort.