fluentd-journald-elasticsearch/fluent.conf at master · aliasmee/fluentd-journald-elasticsearch · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
<source>
  @type systemd
  <storage>
    @type local
    persistent true
    path /var/log/fluent/journal.pos
  </storage>
  path /run/log/journal
  tag journal
  read_from_head true
  filters [{ "_SYSTEMD_UNIT": "docker.service" }]
  <entry>
  field_map {"_HOSTNAME": "Node"}
  fields_strip_underscores true
  </entry>
</source>

# probably want to use something like fluent-plugin-rewrite-tag-filter to
# retag entries from k8s
<match journal>
  @type rewrite_tag_filter
  <rule>
    key CONTAINER_NAME
    pattern ^k8s_
    tag kubernetes.journal.container
  </rule>
</match>

<filter kubernetes.**>
  @type kubernetes_metadata
  use_journal true
</filter>

# 2018-01-30 add for filter namespace
<filter kubernetes.**>
  @type record_transformer
  enable_ruby true
  <record>
    kubernetes_namespace_container_name ${record["kubernetes"]["namespace_name"]}.${record["kubernetes"]["container_name"]}
  </record>
</filter>

<match kubernetes.**>
  @type rewrite_tag_filter
  # Update the tag have a structure of kube.<namespace>.<containername>
  <rule>
    key kubernetes_namespace_container_name
    pattern ^(.+)$
    tag kube.$1
  </rule>
</match>

<match kube.kube-system.**>
  @type null
</match>

# Easy to debug
#<match **>
#  @type stdout
#</match>

# Remove unnecessary fields
<match **>
  @type elasticsearch
  host FLUENT_ELASTICSEARCH_HOST
  port FLUENT_ELASTICSEARCH_PORT
  user FLUENT_ELASTICSEARCH_USER
  password FLUENT_ELASTICSEARCH_PASSWORD
  index_name kubernetes-%Y%m%d
  type_name docker-fluentd
  remove_keys EXE,CMDLINE,SYSTEMD_CGROUP,SYSTEMD_SLICE,UID,GID,PRIORITY,CAP_EFFECTIVE,BOOT_ID
  logstash_format true
  logstash_prefix kubernetes
</match>