diff --git a/bundle/manifests/cluster-logging.clusterserviceversion.yaml b/bundle/manifests/cluster-logging.clusterserviceversion.yaml index d89ca06a9a..be285679c6 100644 --- a/bundle/manifests/cluster-logging.clusterserviceversion.yaml +++ b/bundle/manifests/cluster-logging.clusterserviceversion.yaml @@ -82,7 +82,7 @@ metadata: categories: OpenShift Optional, Logging & Tracing certified: "false" containerImage: quay.io/openshift-logging/cluster-logging-operator:latest - createdAt: "2024-10-15T13:40:40Z" + createdAt: "2025-02-19T19:23:42Z" description: The Red Hat OpenShift Logging Operator for OCP provides a means for configuring and managing log collection and forwarding. features.operators.openshift.io/cnf: "false" diff --git a/docs/reference/datamodels/viaq/v1.adoc b/docs/reference/datamodels/viaq/v1.adoc index edca8bd316..308850a848 100644 --- a/docs/reference/datamodels/viaq/v1.adoc +++ b/docs/reference/datamodels/viaq/v1.adoc @@ -5,9 +5,9 @@ :doctype: book = Package viaq/v1 - + == Viaq Data Model for kubernetes api events - + The data model for collected audit event logs from kubernetes or OpenShift api servers. nolint:govet 
@@ -15,98 +15,98 @@ nolint:govet [options="header"] |====================== |Property|Type|Description - + |involvedObject - + |object - + a| The object that this event is about. - + |reason - + |string - + a| *(optional)* This should be a short, machine understandable string that gives the reason for the transition into the object's current status. TODO: provide exact specification for format. - + |message - + |string - + a| *(optional)* A human-readable description of the status of this operation. TODO: decide on maximum length. - + |source - + |object - + a| *(optional)* The component reporting this event. Should be a short machine understandable string. - + |firstTimestamp - + |string - + a| *(optional)* The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) - + |lastTimestamp - + |string - + a| *(optional)* The time at which the most recent occurrence of this event was recorded. - + |count - + |int - + a| *(optional)* The number of times this event has occurred. - + |type - + |string - + a| *(optional)* Type of this event (Normal, Warning), new types could be added in the future - + |eventTime - + |object - + a| *(optional)* Time when this Event was first observed. - + |series - + |object - + a| *(optional)* Data about the Event series this event represents or nil if it's a singleton Event. - + |action - + |string - + a| *(optional)* What action was taken/failed regarding to the Regarding object. - + |related - + |object - + a| *(optional)* Optional secondary object for more complex actions. - + |reportingComponent - + |string - + a| *(optional)* Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. - + |reportingInstance - + |string - + a| *(optional)* ID of the controller instance, e.g. `kubelet-xyzf`. - + |@timestamp - + |string - + a| A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -119,78 +119,95 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + +|timestamp + +|string + +a| A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + |message - + |string - + a| *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + |level - + |string - + a| The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. 
For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + |hostname - + |string - + a| The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + |pipeline_metadata - + |object - + a| **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + |log_source - + |string - + a| LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + |log_type - + |string - + a| The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -199,19 +216,19 @@ a| The source type of the log. The `log_type` field may contain one of these st ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + |viaq_index_name - + |string - + a| *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + |viaq_msg_id - + |string - + a| *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -220,192 +237,192 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + |openshift - + |object - + a| Openshift specific metadata - + |====================== - + [options="header"] |====================== |Property|Type|Description - + |action - + |string - + a| *(optional)* What action was taken/failed regarding to the Regarding object. - + |count - + |int - + a| *(optional)* The number of times this event has occurred. - + |eventTime - + |object - + a| *(optional)* Time when this Event was first observed. - + |firstTimestamp - + |string - + a| *(optional)* The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) - + |involvedObject - + |object - + a| The object that this event is about. - + |lastTimestamp - + |string - + a| *(optional)* The time at which the most recent occurrence of this event was recorded. - + |message - + |string - + a| *(optional)* A human-readable description of the status of this operation. TODO: decide on maximum length. - + |reason - + |string - + a| *(optional)* This should be a short, machine understandable string that gives the reason for the transition into the object's current status. TODO: provide exact specification for format. - + |related - + |object - + a| *(optional)* Optional secondary object for more complex actions. - + |reportingComponent - + |string - + a| *(optional)* Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. - + |reportingInstance - + |string - + a| *(optional)* ID of the controller instance, e.g. `kubelet-xyzf`. - + |series - + |object - + a| *(optional)* Data about the Event series this event represents or nil if it's a singleton Event. - + |source - + |object - + a| *(optional)* The component reporting this event. 
Should be a short machine understandable string. - + |type - + |string - + a| *(optional)* Type of this event (Normal, Warning), new types could be added in the future - + |====================== - + === .action - + ===== Description - + *(optional)* What action was taken/failed regarding to the Regarding object. - + ===== Type - + * string - + === .count - + ===== Description - + *(optional)* The number of times this event has occurred. - + ===== Type - + * int - + === .eventTime - + ===== Description - + *(optional)* Time when this Event was first observed. - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |Time - + |string - + a| - + |====================== - + === .eventTime.Time - + ===== Description - + ===== Type - + * string - + === .firstTimestamp - + ===== Description - + *(optional)* The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) - + ===== Type - + * string - + === .involvedObject - + ===== Description - + The object that this event is about. - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |apiVersion - + |string - + a| *(optional)* API version of the referent. - + |fieldPath - + |string - + a| *(optional)* If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: 
@@ -414,58 +431,58 @@ the event) or if no container name is specified "spec.containers[2]" (co index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. - + |kind - + |string - + a| *(optional)* Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - + |name - + |string - + a| *(optional)* Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - + |namespace - + |string - + a| *(optional)* Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - + |resourceVersion - + |string - + a| *(optional)* Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - + |uid - + |string - + a| *(optional)* UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - + |====================== - + === .involvedObject.apiVersion - + ===== Description - + *(optional)* API version of the referent. - + ===== Type - + * string - + === .involvedObject.fieldPath - + ===== Description - + *(optional)* If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: 
@@ -474,205 +491,205 @@ the event) or if no container name is specified "spec.containers[2]" (co index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. - + ===== Type - + * string - + === .involvedObject.kind - + ===== Description - + *(optional)* Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - + ===== Type - + * string - + === .involvedObject.name - + ===== Description - + *(optional)* Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - + ===== Type - + * string - + === .involvedObject.namespace - + ===== Description - + *(optional)* Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - + ===== Type - + * string - + === .involvedObject.resourceVersion - + ===== Description - + *(optional)* Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - + ===== Type - + * string - + === .involvedObject.uid - + ===== Description - + *(optional)* UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - + ===== Type - + * string - + === .lastTimestamp - + ===== Description - + *(optional)* The time at which the most recent occurrence of this event was recorded. - + ===== Type - + * string - + === .message - + ===== Description - + *(optional)* A human-readable description of the status of this operation. TODO: decide on maximum length. 
- + ===== Type - + * string - + === .reason - + ===== Description - + *(optional)* This should be a short, machine understandable string that gives the reason for the transition into the object's current status. TODO: provide exact specification for format. - + ===== Type - + * string - + === .related - + ===== Description - + *(optional)* Optional secondary object for more complex actions. - + ===== Type - + * object - + === .reportingComponent - + ===== Description - + *(optional)* Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. - + ===== Type - + * string - + === .reportingInstance - + ===== Description - + *(optional)* ID of the controller instance, e.g. `kubelet-xyzf`. - + ===== Type - + * string - + === .series - + ===== Description - + *(optional)* Data about the Event series this event represents or nil if it's a singleton Event. - + ===== Type - + * object - + === .source - + ===== Description - + *(optional)* The component reporting this event. Should be a short machine understandable string. - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |component - + |string - + a| *(optional)* Component from which the event is generated. - + |host - + |string - + a| *(optional)* Node name on which the event is generated. - + |====================== - + === .source.component - + ===== Description - + *(optional)* Component from which the event is generated. - + ===== Type - + * string - + === .source.host - + ===== Description - + *(optional)* Node name on which the event is generated. - + ===== Type - + * string - + === .type - + ===== Description - + *(optional)* Type of this event (Normal, Warning), new types could be added in the future - + ===== Type - + * string - + [options="header"] |====================== |Property|Type|Description - + |@timestamp - + |string - + a| A UTC value that marks when the log payload was created. 
If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -685,61 +702,61 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + |hostname - + |string - + a| The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + |level - + |string - + a| The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + |log_source - + |string - + a| LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + |log_type - + |string - + a| The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -748,42 +765,59 @@ a| The source type of the log. The `log_type` field may contain one of these st ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + |message - + |string - + a| *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + |openshift - + |object - + a| Openshift specific metadata - + |pipeline_metadata - + |object - + a| **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + +|timestamp + +|string + +a| A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + |viaq_index_name - + |string - + a| *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + |viaq_msg_id - + |string - + a| *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -792,13 +826,13 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + |====================== - + === .@timestamp - + ===== Description - + A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -811,77 +845,77 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + ===== Type - + * string - + === .hostname - + ===== Description - + The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + ===== Type - + * string - + === .level - + ===== Description - + The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + ===== Type - + * string - + === .log_source - + ===== Description - + LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + ===== Type - + * string - + === .log_type - + ===== Description - + The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -890,269 +924,290 @@ The source type of the log. The `log_type` field may contain one of these string ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + ===== Type - + * string - + === .message - + ===== Description - + *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + ===== Type - + * string - + === .openshift - + ===== Description - + Openshift specific metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |cluster_id - + |string - + a| ClusterID is the unique id of the cluster where the workload is deployed - + |labels - + |object - + a| *(optional)* Labels is a set of common, static labels that were spec'd for log forwarding to be sent with the log Records - + |sequence - + |string - + a| Sequence is increasing id used in conjunction with the timestamp to estblish a linear timeline of log records. This was added as a workaround for logstores that do not have nano-second precision. - + |====================== - + === .openshift.cluster_id - + ===== Description - + ClusterID is the unique id of the cluster where the workload is deployed - + ===== Type - + * string - + === .openshift.labels - + ===== Description - + *(optional)* Labels is a set of common, static labels that were spec'd for log forwarding to be sent with the log Records - + ===== Type - + * object - + === .openshift.sequence - + ===== Description - + Sequence is increasing id used in conjunction with the timestamp to estblish a linear timeline of log records. This was added as a workaround for logstores that do not have nano-second precision. - + ===== Type - + * string - + === .pipeline_metadata - + ===== Description - + **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. 
Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |collector - + |object - + a| Collector metadata - + |====================== - + === .pipeline_metadata.collector - + ===== Description - + Collector metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |inputname - + |string - + a| **(DEPRECATED)** - + |ipaddr4 - + |string - + a| *(optional)* Ipaddr4 is the ipV4 address of the collector - + |name - + |string - + a| Name is the implementation of the collector agent - + |original_raw_message - + |string - + a| OriginalRawMessage captures the original message for eventrouter logs - + |received_at - + |string - + a| ReceivedAt the time the collector received the log entry - + |version - + |string - + a| Version is collector version information - + |====================== - + === .pipeline_metadata.collector.inputname - + ===== Description - + **(DEPRECATED)** - + ===== Type - + * string - + === .pipeline_metadata.collector.ipaddr4 - + ===== Description - + *(optional)* Ipaddr4 is the ipV4 address of the collector - + ===== Type - + * string - + === .pipeline_metadata.collector.name - + ===== Description - + Name is the implementation of the collector agent - + ===== Type - + * string - + === .pipeline_metadata.collector.original_raw_message - + ===== Description - + OriginalRawMessage captures the original message for eventrouter logs - + ===== Type - + * string - + === .pipeline_metadata.collector.received_at - + ===== Description - + ReceivedAt the time the collector received the log entry - + ===== Type - + * string - + === .pipeline_metadata.collector.version - + ===== Description - + Version is collector version information - -===== Type - 
-* string - -=== .viaq_index_name - -===== Description - -*(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). -The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - ===== Type - + * string - -=== .viaq_msg_id - -===== Description - -*(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. -It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), -or some other ASCII value and is used as the `_id` of the document when sending to Elasticsearch. The intended use of this field is that if you use another -logging store or application other than Elasticsearch, but you still need to correlate data with the data stored -in Elasticsearch, this field will give you the exact document corresponding to the record. +=== .timestamp + +===== Description + +A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + +===== Type + +* string + +=== .viaq_index_name + +===== Description + +*(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). + +The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. + +===== Type + +* string + +=== .viaq_msg_id + +===== Description + +*(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. + +It may be a UUID or a Base64 (e.g. 
82f13a8e-882a-4344-b103-f0a6f30fd218), +or some other ASCII value and is used as the `_id` of the document when sending to Elasticsearch. The intended use of this field is that if you use another +logging store or application other than Elasticsearch, but you still need to correlate data with the data stored +in Elasticsearch, this field will give you the exact document corresponding to the record. + +This is only present when deploying fluentd collector implementations -This is only present when deploying fluentd collector implementations - ===== Type - + * string - + == Viaq Data Model for Containers - + The data model for collected logs from containers. - + [options="header"] |====================== |Property|Type|Description - + |@timestamp - + |string - + a| A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -1165,61 +1220,61 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + |hostname - + |string - + a| The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + |level - + |string - + a| The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + |log_source - + |string - + a| LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + |log_type - + |string - + a| The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -1228,42 +1283,59 @@ a| The source type of the log. The `log_type` field may contain one of these st ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + |message - + |string - + a| *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + |openshift - + |object - + a| Openshift specific metadata - + |pipeline_metadata - + |object - + a| **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + +|timestamp + +|string + +a| A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + |viaq_index_name - + |string - + a| *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + |viaq_msg_id - + |string - + a| *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -1272,23 +1344,23 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + |docker - + |object - + a| **(DEPRECATED)** *(optional)* - + |kubernetes - + |object - + a| The Kubernetes-specific metadata - + |structured - + |object - + a| *(optional)* Original log entry as a structured object. Example: @@ -1298,17 +1370,17 @@ This field may be present if the forwarder was configured to parse structured JS If the original log entry was a valid structured log, this field will contain an equivalent JSON structure. Otherwise this field will be empty or absent, and the `message` field will contain the original log message. The `structured` field includes the same sub-fields as the original log message. - + |====================== - + [options="header"] |====================== |Property|Type|Description - + |@timestamp - + |string - + a| A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -1321,61 +1393,61 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + |hostname - + |string - + a| The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + |level - + |string - + a| The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + |log_source - + |string - + a| LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + |log_type - + |string - + a| The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -1384,42 +1456,59 @@ a| The source type of the log. The `log_type` field may contain one of these st ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + |message - + |string - + a| *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + |openshift - + |object - + a| Openshift specific metadata - + |pipeline_metadata - + |object - + a| **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + +|timestamp + +|string + +a| A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + |viaq_index_name - + |string - + a| *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + |viaq_msg_id - + |string - + a| *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -1428,13 +1517,13 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + |====================== - + === .@timestamp - + ===== Description - + A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -1447,77 +1536,77 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + ===== Type - + * string - + === .hostname - + ===== Description - + The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + ===== Type - + * string - + === .level - + ===== Description - + The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + ===== Type - + * string - + === .log_source - + ===== Description - + LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + ===== Type - + * string - + === .log_type - + ===== Description - + The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -1526,244 +1615,265 @@ The source type of the log. The `log_type` field may contain one of these string ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + ===== Type - + * string - + === .message - + ===== Description - + *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + ===== Type - + * string - + === .openshift - + ===== Description - + Openshift specific metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |cluster_id - + |string - + a| ClusterID is the unique id of the cluster where the workload is deployed - + |labels - + |object - + a| *(optional)* Labels is a set of common, static labels that were spec'd for log forwarding to be sent with the log Records - + |sequence - + |string - + a| Sequence is increasing id used in conjunction with the timestamp to estblish a linear timeline of log records. This was added as a workaround for logstores that do not have nano-second precision. - + |====================== - + === .openshift.cluster_id - + ===== Description - + ClusterID is the unique id of the cluster where the workload is deployed - + ===== Type - + * string - + === .openshift.labels - + ===== Description - + *(optional)* Labels is a set of common, static labels that were spec'd for log forwarding to be sent with the log Records - + ===== Type - + * object - + === .openshift.sequence - + ===== Description - + Sequence is increasing id used in conjunction with the timestamp to estblish a linear timeline of log records. This was added as a workaround for logstores that do not have nano-second precision. - + ===== Type - + * string - + === .pipeline_metadata - + ===== Description - + **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. 
Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |collector - + |object - + a| Collector metadata - + |====================== - + === .pipeline_metadata.collector - + ===== Description - + Collector metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |inputname - + |string - + a| **(DEPRECATED)** - + |ipaddr4 - + |string - + a| *(optional)* Ipaddr4 is the ipV4 address of the collector - + |name - + |string - + a| Name is the implementation of the collector agent - + |original_raw_message - + |string - + a| OriginalRawMessage captures the original message for eventrouter logs - + |received_at - + |string - + a| ReceivedAt the time the collector received the log entry - + |version - + |string - + a| Version is collector version information - + |====================== - + === .pipeline_metadata.collector.inputname - + ===== Description - + **(DEPRECATED)** - + ===== Type - + * string - + === .pipeline_metadata.collector.ipaddr4 - + ===== Description - + *(optional)* Ipaddr4 is the ipV4 address of the collector - + ===== Type - + * string - + === .pipeline_metadata.collector.name - + ===== Description - + Name is the implementation of the collector agent - + ===== Type - + * string - + === .pipeline_metadata.collector.original_raw_message - + ===== Description - + OriginalRawMessage captures the original message for eventrouter logs - + ===== Type - + * string - + === .pipeline_metadata.collector.received_at - + ===== Description - + ReceivedAt the time the collector received the log entry - + ===== Type - + * string - + === .pipeline_metadata.collector.version - + ===== Description - + Version is collector version information - + +===== Type 
+ +* string + +=== .timestamp + +===== Description + +A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + ===== Type - + * string - + === .viaq_index_name - + ===== Description - + *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + ===== Type - + * string - + === .viaq_msg_id - + ===== Description - + *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -1772,287 +1882,287 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + ===== Type - + * string - + === .docker - + ===== Description - + **(DEPRECATED)** *(optional)* - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |container_id - + |string - + a| ContainerID is the id of the container producing the log - + |====================== - + === .docker.container_id - + ===== Description - + ContainerID is the id of the container producing the log - + ===== Type - + * string - + === .kubernetes - + ===== Description - + The Kubernetes-specific metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |annotations - + |object - + a| *(optional)* Annotations associated with the Kubernetes pod - + |container_id - + |string - + a| *(optional)* - + |container_image - + |string - + a| *(optional)* - + |container_image_id - + |string - + a| *(optional)* - + |container_name - + |string - + a| ContainerName of the the pod container that produced the log - + |flat_labels - + |array - + a| **(DEPRECATED)** *(optional)* FlatLabels is an array of the pod labels joined as key=value - + |host - + |string - + a| *(optional)* Host is the kubernetes node name that hosts the pod - + |labels - + |object - + a| *(optional)* Labels present on the Pod at time the log was generated - + |master_url - + |string - + a| **(DEPRECATED)** MasterURL is the url to the apiserver - + |namespace_id - + |string - + a| *(optional)* NamespaceID is the unique uuid of the namespace - + |namespace_labels - + |object - + a| *(optional)* NamespaceLabels are the labels present on the pod namespace - + |namespace_name - + |string - + a| NamespaceName where the pod is deployed - + |pod_id - + |string - + a| 
*(optional)* PodID is the unique uuid of the pod - + |pod_name - + |string - + a| PodName is the name of the pod - + |====================== - + === .kubernetes.annotations - + ===== Description - + *(optional)* Annotations associated with the Kubernetes pod - + ===== Type - + * object - + === .kubernetes.container_id - + ===== Description - + *(optional)* - + ===== Type - + * string - + === .kubernetes.container_image - + ===== Description - + *(optional)* - + ===== Type - + * string - + === .kubernetes.container_image_id - + ===== Description - + *(optional)* - + ===== Type - + * string - + === .kubernetes.container_name - + ===== Description - + ContainerName of the the pod container that produced the log - + ===== Type - + * string - + === .kubernetes.flat_labels[] - + ===== Description - + **(DEPRECATED)** *(optional)* FlatLabels is an array of the pod labels joined as key=value - + ===== Type - + * array - + === .kubernetes.host - + ===== Description - + *(optional)* Host is the kubernetes node name that hosts the pod - + ===== Type - + * string - + === .kubernetes.labels - + ===== Description - + *(optional)* Labels present on the Pod at time the log was generated - + ===== Type - + * object - + === .kubernetes.master_url - + ===== Description - + **(DEPRECATED)** MasterURL is the url to the apiserver - + ===== Type - + * string - + === .kubernetes.namespace_id - + ===== Description - + *(optional)* NamespaceID is the unique uuid of the namespace - + ===== Type - + * string - + === .kubernetes.namespace_labels - + ===== Description - + *(optional)* NamespaceLabels are the labels present on the pod namespace - + ===== Type - + * object - + === .kubernetes.namespace_name - + ===== Description - + NamespaceName where the pod is deployed - + ===== Type - + * string - + === .kubernetes.pod_id - + ===== Description - + *(optional)* PodID is the unique uuid of the pod - + ===== Type - + * string - + === .kubernetes.pod_name - + ===== Description - + PodName is the 
name of the pod - + ===== Type - + * string - + === .structured - + ===== Description - + *(optional)* Original log entry as a structured object. Example: @@ -2062,23 +2172,23 @@ This field may be present if the forwarder was configured to parse structured JS If the original log entry was a valid structured log, this field will contain an equivalent JSON structure. Otherwise this field will be empty or absent, and the `message` field will contain the original log message. The `structured` field includes the same sub-fields as the original log message. - + ===== Type - + * object - + == Viaq Data Model for EventRouter - + The data model for event logs collected from the EventRouter. - + [options="header"] |====================== |Property|Type|Description - + |@timestamp - + |string - + a| A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -2091,61 +2201,61 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + |hostname - + |string - + a| The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + |level - + |string - + a| The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + |log_source - + |string - + a| LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + |log_type - + |string - + a| The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -2154,42 +2264,59 @@ a| The source type of the log. The `log_type` field may contain one of these st ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + |message - + |string - + a| *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + |openshift - + |object - + a| Openshift specific metadata - + |pipeline_metadata - + |object - + a| **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + +|timestamp + +|string + +a| A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + |viaq_index_name - + |string - + a| *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + |viaq_msg_id - + |string - + a| *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -2198,30 +2325,30 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + |kubernetes - + |object - + a| The Kubernetes-specific metadata - + |old_event - + |object - + a| OldEvent is a core KubernetesEvent that was replaced by kubernetes.event - + |====================== - + [options="header"] |====================== |Property|Type|Description - + |@timestamp - + |string - + a| A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -2234,61 +2361,61 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + |hostname - + |string - + a| The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + |level - + |string - + a| The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + |log_source - + |string - + a| LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + |log_type - + |string - + a| The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -2297,42 +2424,59 @@ a| The source type of the log. The `log_type` field may contain one of these st ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + |message - + |string - + a| *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + |openshift - + |object - + a| Openshift specific metadata - + |pipeline_metadata - + |object - + a| **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + +|timestamp + +|string + +a| A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + |viaq_index_name - + |string - + a| *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + |viaq_msg_id - + |string - + a| *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -2341,13 +2485,13 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + |====================== - + === .@timestamp - + ===== Description - + A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -2360,77 +2504,77 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + ===== Type - + * string - + === .hostname - + ===== Description - + The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + ===== Type - + * string - + === .level - + ===== Description - + The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + ===== Type - + * string - + === .log_source - + ===== Description - + LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + ===== Type - + * string - + === .log_type - + ===== Description - + The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -2439,244 +2583,265 @@ The source type of the log. The `log_type` field may contain one of these string ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + ===== Type - + * string - + === .message - + ===== Description - + *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + ===== Type - + * string - + === .openshift - + ===== Description - + Openshift specific metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |cluster_id - + |string - + a| ClusterID is the unique id of the cluster where the workload is deployed - + |labels - + |object - + a| *(optional)* Labels is a set of common, static labels that were spec'd for log forwarding to be sent with the log Records - + |sequence - + |string - + a| Sequence is increasing id used in conjunction with the timestamp to estblish a linear timeline of log records. This was added as a workaround for logstores that do not have nano-second precision. - + |====================== - + === .openshift.cluster_id - + ===== Description - + ClusterID is the unique id of the cluster where the workload is deployed - + ===== Type - + * string - + === .openshift.labels - + ===== Description - + *(optional)* Labels is a set of common, static labels that were spec'd for log forwarding to be sent with the log Records - + ===== Type - + * object - + === .openshift.sequence - + ===== Description - + Sequence is increasing id used in conjunction with the timestamp to estblish a linear timeline of log records. This was added as a workaround for logstores that do not have nano-second precision. - + ===== Type - + * string - + === .pipeline_metadata - + ===== Description - + **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. 
Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |collector - + |object - + a| Collector metadata - + |====================== - + === .pipeline_metadata.collector - + ===== Description - + Collector metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |inputname - + |string - + a| **(DEPRECATED)** - + |ipaddr4 - + |string - + a| *(optional)* Ipaddr4 is the ipV4 address of the collector - + |name - + |string - + a| Name is the implementation of the collector agent - + |original_raw_message - + |string - + a| OriginalRawMessage captures the original message for eventrouter logs - + |received_at - + |string - + a| ReceivedAt the time the collector received the log entry - + |version - + |string - + a| Version is collector version information - + |====================== - + === .pipeline_metadata.collector.inputname - + ===== Description - + **(DEPRECATED)** - + ===== Type - + * string - + === .pipeline_metadata.collector.ipaddr4 - + ===== Description - + *(optional)* Ipaddr4 is the ipV4 address of the collector - + ===== Type - + * string - + === .pipeline_metadata.collector.name - + ===== Description - + Name is the implementation of the collector agent - + ===== Type - + * string - + === .pipeline_metadata.collector.original_raw_message - + ===== Description - + OriginalRawMessage captures the original message for eventrouter logs - + ===== Type - + * string - + === .pipeline_metadata.collector.received_at - + ===== Description - + ReceivedAt the time the collector received the log entry - + ===== Type - + * string - + === .pipeline_metadata.collector.version - + ===== Description - + Version is collector version information - + +===== Type 
+ +* string + +=== .timestamp + +===== Description + +A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + ===== Type - + * string - + === .viaq_index_name - + ===== Description - + *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + ===== Type - + * string - + === .viaq_msg_id - + ===== Description - + *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -2685,633 +2850,655 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + ===== Type - + * string - + === .kubernetes - + ===== Description - + The Kubernetes-specific metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |annotations - + |object - + a| *(optional)* Annotations associated with the Kubernetes pod - + |container_id - + |string - + a| *(optional)* - + |container_image - + |string - + a| *(optional)* - + |container_image_id - + |string - + a| *(optional)* - + +|container_iostream + +|string + +a| *(optional)* The name of the stream the log line was submitted to (e.g.: stdout, stderr) + |container_name - + |string - + a| ContainerName of the the pod container that produced the log - + |flat_labels - + |array - + a| **(DEPRECATED)** *(optional)* FlatLabels is an array of the pod labels joined as key=value - + |host - + |string - + a| *(optional)* Host is the kubernetes node name that hosts the pod - + |labels - + |object - + a| *(optional)* Labels present on the Pod at time the log was generated - + |master_url - + |string - + a| **(DEPRECATED)** MasterURL is the url to the apiserver - + |namespace_id - + |string - + a| *(optional)* NamespaceID is the unique uuid of the namespace - + |namespace_labels - + |object - + a| *(optional)* NamespaceLabels are the labels present on the pod namespace - + |namespace_name - + |string - + a| NamespaceName where the pod is deployed - + |pod_id - + |string - + a| *(optional)* PodID is the unique uuid of the pod - + |pod_name - + |string - + a| PodName is the name of the pod - + |event - + |object - + a| Event is the core KubernetesEvent - + |====================== - + [options="header"] |====================== |Property|Type|Description - + |annotations - + 
|object - + a| *(optional)* Annotations associated with the Kubernetes pod - + |container_id - + |string - + a| *(optional)* - + |container_image - + |string - + a| *(optional)* - + |container_image_id - + |string - + a| *(optional)* - + +|container_iostream + +|string + +a| *(optional)* The name of the stream the log line was submitted to (e.g.: stdout, stderr) + |container_name - + |string - + a| ContainerName of the the pod container that produced the log - + |flat_labels - + |array - + a| **(DEPRECATED)** *(optional)* FlatLabels is an array of the pod labels joined as key=value - + |host - + |string - + a| *(optional)* Host is the kubernetes node name that hosts the pod - + |labels - + |object - + a| *(optional)* Labels present on the Pod at time the log was generated - + |master_url - + |string - + a| **(DEPRECATED)** MasterURL is the url to the apiserver - + |namespace_id - + |string - + a| *(optional)* NamespaceID is the unique uuid of the namespace - + |namespace_labels - + |object - + a| *(optional)* NamespaceLabels are the labels present on the pod namespace - + |namespace_name - + |string - + a| NamespaceName where the pod is deployed - + |pod_id - + |string - + a| *(optional)* PodID is the unique uuid of the pod - + |pod_name - + |string - + a| PodName is the name of the pod - + |====================== - + === .kubernetes.annotations - + ===== Description - + *(optional)* Annotations associated with the Kubernetes pod - + ===== Type - + * object - + === .kubernetes.container_id - + ===== Description - + *(optional)* - + ===== Type - + * string - + === .kubernetes.container_image - + ===== Description - + *(optional)* - + ===== Type - + * string - + === .kubernetes.container_image_id - + ===== Description - + *(optional)* - + +===== Type + +* string + +=== .kubernetes.container_iostream + +===== Description + +*(optional)* The name of the stream the log line was submitted to (e.g.: stdout, stderr) + ===== Type - + * string - + === 
.kubernetes.container_name - + ===== Description - + ContainerName of the the pod container that produced the log - + ===== Type - + * string - + === .kubernetes.flat_labels[] - + ===== Description - + **(DEPRECATED)** *(optional)* FlatLabels is an array of the pod labels joined as key=value - + ===== Type - + * array - + === .kubernetes.host - + ===== Description - + *(optional)* Host is the kubernetes node name that hosts the pod - + ===== Type - + * string - + === .kubernetes.labels - + ===== Description - + *(optional)* Labels present on the Pod at time the log was generated - + ===== Type - + * object - + === .kubernetes.master_url - + ===== Description - + **(DEPRECATED)** MasterURL is the url to the apiserver - + ===== Type - + * string - + === .kubernetes.namespace_id - + ===== Description - + *(optional)* NamespaceID is the unique uuid of the namespace - + ===== Type - + * string - + === .kubernetes.namespace_labels - + ===== Description - + *(optional)* NamespaceLabels are the labels present on the pod namespace - + ===== Type - + * object - + === .kubernetes.namespace_name - + ===== Description - + NamespaceName where the pod is deployed - + ===== Type - + * string - + === .kubernetes.pod_id - + ===== Description - + *(optional)* PodID is the unique uuid of the pod - + ===== Type - + * string - + === .kubernetes.pod_name - + ===== Description - + PodName is the name of the pod - + ===== Type - + * string - + === .kubernetes.event - + ===== Description - + Event is the core KubernetesEvent - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |action - + |string - + a| *(optional)* What action was taken/failed regarding to the Regarding object. - + |count - + |int - + a| *(optional)* The number of times this event has occurred. - + |eventTime - + |object - + a| *(optional)* Time when this Event was first observed. 
- + |firstTimestamp - + |string - + a| *(optional)* The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) - + |involvedObject - + |object - + a| The object that this event is about. - + |lastTimestamp - + |string - + a| *(optional)* The time at which the most recent occurrence of this event was recorded. - + |message - + |string - + a| *(optional)* A human-readable description of the status of this operation. TODO: decide on maximum length. - + |reason - + |string - + a| *(optional)* This should be a short, machine understandable string that gives the reason for the transition into the object's current status. TODO: provide exact specification for format. - + |related - + |object - + a| *(optional)* Optional secondary object for more complex actions. - + |reportingComponent - + |string - + a| *(optional)* Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. - + |reportingInstance - + |string - + a| *(optional)* ID of the controller instance, e.g. `kubelet-xyzf`. - + |series - + |object - + a| *(optional)* Data about the Event series this event represents or nil if it's a singleton Event. - + |source - + |object - + a| *(optional)* The component reporting this event. Should be a short machine understandable string. - + |type - + |string - + a| *(optional)* Type of this event (Normal, Warning), new types could be added in the future - + |verb - + |string - + a| Verb is indicates if event was created or updated - + |====================== - + [options="header"] |====================== |Property|Type|Description - + |action - + |string - + a| *(optional)* What action was taken/failed regarding to the Regarding object. - + |count - + |int - + a| *(optional)* The number of times this event has occurred. - + |eventTime - + |object - + a| *(optional)* Time when this Event was first observed. - + |firstTimestamp - + |string - + a| *(optional)* The time at which the event was first recorded. 
(Time of server receipt is in TypeMeta.) - + |involvedObject - + |object - + a| The object that this event is about. - + |lastTimestamp - + |string - + a| *(optional)* The time at which the most recent occurrence of this event was recorded. - + |message - + |string - + a| *(optional)* A human-readable description of the status of this operation. TODO: decide on maximum length. - + |reason - + |string - + a| *(optional)* This should be a short, machine understandable string that gives the reason for the transition into the object's current status. TODO: provide exact specification for format. - + |related - + |object - + a| *(optional)* Optional secondary object for more complex actions. - + |reportingComponent - + |string - + a| *(optional)* Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. - + |reportingInstance - + |string - + a| *(optional)* ID of the controller instance, e.g. `kubelet-xyzf`. - + |series - + |object - + a| *(optional)* Data about the Event series this event represents or nil if it's a singleton Event. - + |source - + |object - + a| *(optional)* The component reporting this event. Should be a short machine understandable string. - + |type - + |string - + a| *(optional)* Type of this event (Normal, Warning), new types could be added in the future - + |====================== - + === .kubernetes.event.action - + ===== Description - + *(optional)* What action was taken/failed regarding to the Regarding object. - + ===== Type - + * string - + === .kubernetes.event.count - + ===== Description - + *(optional)* The number of times this event has occurred. - + ===== Type - + * int - + === .kubernetes.event.eventTime - + ===== Description - + *(optional)* Time when this Event was first observed. 
- + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |Time - + |string - + a| - + |====================== - + === .kubernetes.event.eventTime.Time - + ===== Description - + ===== Type - + * string - + === .kubernetes.event.firstTimestamp - + ===== Description - + *(optional)* The time at which the event was first recorded. (Time of server receipt is in TypeMeta.) - + ===== Type - + * string - + === .kubernetes.event.involvedObject - + ===== Description - + The object that this event is about. - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |apiVersion - + |string - + a| *(optional)* API version of the referent. - + |fieldPath - + |string - + a| *(optional)* If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: 
@@ -3320,58 +3507,58 @@ the event) or if no container name is specified "spec.containers[2]" (co index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. - + |kind - + |string - + a| *(optional)* Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - + |name - + |string - + a| *(optional)* Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - + |namespace - + |string - + a| *(optional)* Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - + |resourceVersion - + |string - + a| *(optional)* Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - + |uid - + |string - + a| *(optional)* UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - + |====================== - + === .kubernetes.event.involvedObject.apiVersion - + ===== Description - + *(optional)* API version of the referent. - + ===== Type - + * string - + === .kubernetes.event.involvedObject.fieldPath - + ===== Description - + *(optional)* If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: 
@@ -3380,230 +3567,230 @@ the event) or if no container name is specified "spec.containers[2]" (co index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. - + ===== Type - + * string - + === .kubernetes.event.involvedObject.kind - + ===== Description - + *(optional)* Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - + ===== Type - + * string - + === .kubernetes.event.involvedObject.name - + ===== Description - + *(optional)* Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - + ===== Type - + * string - + === .kubernetes.event.involvedObject.namespace - + ===== Description - + *(optional)* Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - + ===== Type - + * string - + === .kubernetes.event.involvedObject.resourceVersion - + ===== Description - + *(optional)* Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - + ===== Type - + * string - + === .kubernetes.event.involvedObject.uid - + ===== Description - + *(optional)* UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - + ===== Type - + * string - + === .kubernetes.event.lastTimestamp - + ===== Description - + *(optional)* The time at which the most recent occurrence of this event was recorded. - + ===== Type - + * string - + === .kubernetes.event.message - + ===== Description - + *(optional)* A human-readable description of the status of this operation. TODO: decide on maximum length. 
- + ===== Type - + * string - + === .kubernetes.event.reason - + ===== Description - + *(optional)* This should be a short, machine understandable string that gives the reason for the transition into the object's current status. TODO: provide exact specification for format. - + ===== Type - + * string - + === .kubernetes.event.related - + ===== Description - + *(optional)* Optional secondary object for more complex actions. - + ===== Type - + * object - + === .kubernetes.event.reportingComponent - + ===== Description - + *(optional)* Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. - + ===== Type - + * string - + === .kubernetes.event.reportingInstance - + ===== Description - + *(optional)* ID of the controller instance, e.g. `kubelet-xyzf`. - + ===== Type - + * string - + === .kubernetes.event.series - + ===== Description - + *(optional)* Data about the Event series this event represents or nil if it's a singleton Event. - + ===== Type - + * object - + === .kubernetes.event.source - + ===== Description - + *(optional)* The component reporting this event. Should be a short machine understandable string. - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |component - + |string - + a| *(optional)* Component from which the event is generated. - + |host - + |string - + a| *(optional)* Node name on which the event is generated. - + |====================== - + === .kubernetes.event.source.component - + ===== Description - + *(optional)* Component from which the event is generated. - + ===== Type - + * string - + === .kubernetes.event.source.host - + ===== Description - + *(optional)* Node name on which the event is generated. 
- + ===== Type - + * string - + === .kubernetes.event.type - + ===== Description - + *(optional)* Type of this event (Normal, Warning), new types could be added in the future - + ===== Type - + * string - + === .kubernetes.event.verb - + ===== Description - + Verb is indicates if event was created or updated - + ===== Type - + * string - + === .old_event - + ===== Description - + OldEvent is a core KubernetesEvent that was replaced by kubernetes.event - + ===== Type - + * object - + == Viaq Data Model for journald - + The data model for collected logs from node journal. - + [options="header"] |====================== |Property|Type|Description - + |@timestamp - + |string - + a| A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -3616,61 +3803,61 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + |hostname - + |string - + a| The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + |level - + |string - + a| The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + |log_source - + |string - + a| LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + |log_type - + |string - + a| The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -3679,42 +3866,59 @@ a| The source type of the log. The `log_type` field may contain one of these st ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + |message - + |string - + a| *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + |openshift - + |object - + a| Openshift specific metadata - + |pipeline_metadata - + |object - + a| **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + +|timestamp + +|string + +a| A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + |viaq_index_name - + |string - + a| *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + |viaq_msg_id - + |string - + a| *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -3723,35 +3927,35 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + |_STREAM_ID - + |string - + a| - + |_SYSTEMD_INVOCATION_ID - + |string - + a| - + |systemd - + |object - + a| - + |====================== - + [options="header"] |====================== |Property|Type|Description - + |@timestamp - + |string - + a| A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -3764,61 +3968,61 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + |hostname - + |string - + a| The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + |level - + |string - + a| The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + |log_source - + |string - + a| LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + |log_type - + |string - + a| The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -3827,42 +4031,59 @@ a| The source type of the log. The `log_type` field may contain one of these st ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + |message - + |string - + a| *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + |openshift - + |object - + a| Openshift specific metadata - + |pipeline_metadata - + |object - + a| **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + +|timestamp + +|string + +a| A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + |viaq_index_name - + |string - + a| *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + |viaq_msg_id - + |string - + a| *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -3871,13 +4092,13 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + |====================== - + === .@timestamp - + ===== Description - + A UTC value that marks when the log payload was created. If the creation time is not known when the log payload was first collected. The “@” prefix denotes a 
@@ -3890,77 +4111,77 @@ format: * yyyy-MM-dd'T'HH:mm:ssZ * dateOptionalTime -example: `2015-01-24 14:06:05.071000000 Z` - +example: `2024-11-24T14:06:05.071000000Z` + ===== Type - + * string - + === .hostname - + ===== Description - + The name of the host where this log message originated. In a Kubernetes cluster, this is the same as `kubernetes.host`. - + ===== Type - + * string - + === .level - + ===== Description - + The normalized log level The logging level from various sources, including `rsyslog(severitytext property)`, python's logging module, and others. - + The following values come from link:http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l74[`syslog.h`], and are preceded by their http://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;h=ee01478c4b19a954426a96448577c5a76e6647c0;hb=HEAD#l51[numeric equivalents]: - + * `0` = `emerg`, system is unusable. - + * `1` = `alert`, action must be taken immediately. - + * `2` = `crit`, critical conditions. - + * `3` = `err`, error conditions. - + * `4` = `warn`, warning conditions. - + * `5` = `notice`, normal but significant condition. - + * `6` = `info`, informational. - + * `7` = `debug`, debug-level messages. - + The two following values are not part of `syslog.h` but are widely used: - + * `8` = `trace`, trace-level messages, which are more verbose than `debug` messages. - + * `9` = `unknown`, when the logging system gets a value it doesn't recognize. - + Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from link:https://docs.python.org/2.7/library/logging.html#logging-levels[python logging], you can match `CRITICAL` with `crit`, `ERROR` with `err`, and so on. - + ===== Type - + * string - + === .log_source - + ===== Description - + LogSource is the source of a log used along with the LogType to distinguish a subcategory of the LogType. 
Application logs are always sourced from containers Infrastructure logs are sourced from containers or journal logs from the node Audit logs are sourced from: kubernetes and openshift API servers, node auditd, and OVN - + ===== Type - + * string - + === .log_type - + ===== Description - + The source type of the log. The `log_type` field may contain one of these strings, or may have additional dot-separated components, for example "infrastructure.container" or "infrastructure.node". * "application": Container logs generated by user applications running in the cluster, except infrastructure containers. 
@@ -3969,244 +4190,265 @@ The source type of the log. The `log_type` field may contain one of these string ** Node logs from auditd (/var/log/audit/audit.log) ** Kubernetes and OpenShift apiservers audit logs. ** OVN audit logs - + ===== Type - + * string - + === .message - + ===== Description - + *(optional)* Original log entry text, UTF-8 encoded This field may be absent or empty if a non-empty `structured` field is present. See the description of `structured` for additional details. - + ===== Type - + * string - + === .openshift - + ===== Description - + Openshift specific metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |cluster_id - + |string - + a| ClusterID is the unique id of the cluster where the workload is deployed - + |labels - + |object - + a| *(optional)* Labels is a set of common, static labels that were spec'd for log forwarding to be sent with the log Records - + |sequence - + |string - + a| Sequence is increasing id used in conjunction with the timestamp to estblish a linear timeline of log records. This was added as a workaround for logstores that do not have nano-second precision. - + |====================== - + === .openshift.cluster_id - + ===== Description - + ClusterID is the unique id of the cluster where the workload is deployed - + ===== Type - + * string - + === .openshift.labels - + ===== Description - + *(optional)* Labels is a set of common, static labels that were spec'd for log forwarding to be sent with the log Records - + ===== Type - + * object - + === .openshift.sequence - + ===== Description - + Sequence is increasing id used in conjunction with the timestamp to estblish a linear timeline of log records. This was added as a workaround for logstores that do not have nano-second precision. - + ===== Type - + * string - + === .pipeline_metadata - + ===== Description - + **(DEPRECATED)** *(optional)* Metadata related to ViaQ log collection pipeline. 
Everything about log collector, normalizers, mappings goes here. Data in this subgroup is forwarded for troubleshooting and tracing purposes. This is only present when deploying fluentd collector implementations - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |collector - + |object - + a| Collector metadata - + |====================== - + === .pipeline_metadata.collector - + ===== Description - + Collector metadata - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |inputname - + |string - + a| **(DEPRECATED)** - + |ipaddr4 - + |string - + a| *(optional)* Ipaddr4 is the ipV4 address of the collector - + |name - + |string - + a| Name is the implementation of the collector agent - + |original_raw_message - + |string - + a| OriginalRawMessage captures the original message for eventrouter logs - + |received_at - + |string - + a| ReceivedAt the time the collector received the log entry - + |version - + |string - + a| Version is collector version information - + |====================== - + === .pipeline_metadata.collector.inputname - + ===== Description - + **(DEPRECATED)** - + ===== Type - + * string - + === .pipeline_metadata.collector.ipaddr4 - + ===== Description - + *(optional)* Ipaddr4 is the ipV4 address of the collector - + ===== Type - + * string - + === .pipeline_metadata.collector.name - + ===== Description - + Name is the implementation of the collector agent - + ===== Type - + * string - + === .pipeline_metadata.collector.original_raw_message - + ===== Description - + OriginalRawMessage captures the original message for eventrouter logs - + ===== Type - + * string - + === .pipeline_metadata.collector.received_at - + ===== Description - + ReceivedAt the time the collector received the log entry - + ===== Type - + * string - + === .pipeline_metadata.collector.version - + ===== Description - + Version is collector version information - + +===== Type 
+ +* string + +=== .timestamp + +===== Description + +A UTC value that marks when the log payload was created. + +Value derived from legacy `@timestamp` for forward compatibility. + +format: + +* yyyy-MM-dd HH:mm:ss,SSSZ +* yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ +* yyyy-MM-dd'T'HH:mm:ssZ +* dateOptionalTime + +example: `2024-11-24T14:06:05.071000000Z` + ===== Type - + * string - + === .viaq_index_name - + ===== Description - + *(optional)* ViaqIndexName used with Elasticsearch 6.x and later, this is a name of a write index alias (e.g. app-write). The value depends on the log type of this message. Detailed documentation is found at https://github.com/openshift/enhancements/blob/master/enhancements/cluster-logging/cluster-logging-es-rollover-data-design.md#data-model. - + ===== Type - + * string - + === .viaq_msg_id - + ===== Description - + *(optional)* ViaqMessageId is a unique ID assigned to each message. The format is not specified. It may be a UUID or a Base64 (e.g. 82f13a8e-882a-4344-b103-f0a6f30fd218), 
@@ -4215,316 +4457,316 @@ logging store or application other than Elasticsearch, but you still need to cor in Elasticsearch, this field will give you the exact document corresponding to the record. This is only present when deploying fluentd collector implementations - + ===== Type - + * string - + === ._STREAM_ID - + ===== Description - + ===== Type - + * string - + === ._SYSTEMD_INVOCATION_ID - + ===== Description - + ===== Type - + * string - + === .systemd - + ===== Description - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |t - + |object - + a| - + |u - + |object - + a| - + |====================== - + === .systemd.t - + ===== Description - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |BOOT_ID - + |string - + a| - + |CAP_EFFECTIVE - + |string - + a| - + |CMDLINE - + |string - + a| - + |COMM - + |string - + a| - + |EXE - + |string - + a| - + |GID - + |string - + a| - + |MACHINE_ID - + |string - + a| - + |PID - + |string - + a| - + |SELINUX_CONTEXT - + |string - + a| - + |STREAM_ID - + |string - + a| - + |SYSTEMD_CGROUP - + |string - + a| - + |SYSTEMD_INVOCATION_ID - + |string - + a| - + |SYSTEMD_SLICE - + |string - + a| - + |SYSTEMD_UNIT - + |string - + a| - + |TRANSPORT - + |string - + a| - + |UID - + |string - + a| - + |====================== - + === .systemd.t.BOOT_ID - + ===== Description - + ===== Type - + * string - + === .systemd.t.CAP_EFFECTIVE - + ===== Description - + ===== Type - + * string - + === .systemd.t.CMDLINE - + ===== Description - + ===== Type - + * string - + === .systemd.t.COMM - + ===== Description - + ===== Type - + * string - + === .systemd.t.EXE - + ===== Description - + ===== Type - + * string - + === .systemd.t.GID - + ===== Description - + ===== Type - + * string - + === .systemd.t.MACHINE_ID - + ===== Description - + ===== Type - + * string - + === .systemd.t.PID - + ===== Description - + ===== Type - + * string - + 
=== .systemd.t.SELINUX_CONTEXT - + ===== Description - + ===== Type - + * string - + === .systemd.t.STREAM_ID - + ===== Description - + ===== Type - + * string - + === .systemd.t.SYSTEMD_CGROUP - + ===== Description - + ===== Type - + * string - + === .systemd.t.SYSTEMD_INVOCATION_ID - + ===== Description - + ===== Type - + * string - + === .systemd.t.SYSTEMD_SLICE - + ===== Description - + ===== Type - + * string - + === .systemd.t.SYSTEMD_UNIT - + ===== Description - + ===== Type - + * string - + === .systemd.t.TRANSPORT - + ===== Description - + ===== Type - + * string - + === .systemd.t.UID - + ===== Description - + ===== Type - + * string - + === .systemd.u - + ===== Description - + ===== Type - + * object - + [options="header"] |====================== |Property|Type|Description - + |SYSLOG_IDENTIFIER - + |string - + a| - + |====================== - + === .systemd.u.SYSLOG_IDENTIFIER - + ===== Description - + ===== Type - + * string - + diff --git a/hack/logsamples/viaq_audit_host.json b/hack/logsamples/viaq_audit_host.json index 2ca270c426..f0569cba49 100644 --- a/hack/logsamples/viaq_audit_host.json +++ b/hack/logsamples/viaq_audit_host.json @@ -1,5 +1,6 @@ { "@timestamp": "2024-07-01T15:53:19.623+00:00", + "timestamp": "2024-07-01T15:53:19.623+00:00", "audit.linux": { "record_id": "5654", "type": "BPF" diff --git a/hack/logsamples/viaq_audit_kubernetes.json b/hack/logsamples/viaq_audit_kubernetes.json index 0c961e2183..c4040a519f 100644 --- a/hack/logsamples/viaq_audit_kubernetes.json +++ b/hack/logsamples/viaq_audit_kubernetes.json @@ -1,5 +1,6 @@ { "@timestamp": "2023-10-18T17:32:47.415928452Z", + "timestamp": "2023-10-18T17:32:47.415928452Z", "annotations": { "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "" diff --git a/hack/logsamples/viaq_audit_openshift.json b/hack/logsamples/viaq_audit_openshift.json index 7d08d484fe..d33f609bd5 100644 --- a/hack/logsamples/viaq_audit_openshift.json 
+++ b/hack/logsamples/viaq_audit_openshift.json @@ -1,5 +1,6 @@ { "@timestamp": "2023-10-18T17:34:31.892301560Z", + "timestamp": "2023-10-18T17:34:31.892301560Z", "annotations": { "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "" diff --git a/hack/logsamples/viaq_container.json b/hack/logsamples/viaq_container.json index 2c0c791c55..850535002e 100644 --- a/hack/logsamples/viaq_container.json +++ b/hack/logsamples/viaq_container.json @@ -1,5 +1,6 @@ { "@timestamp": "2023-10-17T20:35:14.908544681Z", + "timestamp": "2023-10-17T20:35:14.908544681Z", "hostname": "ip-10-0-1-167.ec2.internal", "kubernetes": { "annotations": { diff --git a/hack/logsamples/viaq_journal.json b/hack/logsamples/viaq_journal.json index d8f594fa8e..0469a446ac 100644 --- a/hack/logsamples/viaq_journal.json +++ b/hack/logsamples/viaq_journal.json @@ -1,5 +1,5 @@ { - "@timestamp": "2023-10-17T20:46:29.048949Z", + "timestamp": "2023-10-17T20:46:29.048949Z", "SYSLOG_TIMESTAMP": "Oct 17 20:46:29 ", "_RUNTIME_SCOPE": "system", "_SYSTEMD_INVOCATION_ID": "7c6f11847b8548d4b1bf7dc417a97819", diff --git a/internal/generator/vector/conf/complex.toml b/internal/generator/vector/conf/complex.toml index 4d6bd846ac..1006137bbd 100644 --- a/internal/generator/vector/conf/complex.toml +++ b/internal/generator/vector/conf/complex.toml @@ -182,10 +182,11 @@ if .log_type == "audit" && .log_source == "auditd" { if err == null { sp, err = split(match2.ts_record,":") if err == null && length(sp) == 2 { - ts = parse_timestamp(sp[0],"%s.%3f") ?? "" - envelop |= {"record_id": sp[1]} - . |= {"audit.linux" : envelop} - . |= {"@timestamp" : format_timestamp(ts,"%+") ?? ""} + ts = parse_timestamp(sp[0],"%s.%3f") ?? "" + if ts != "" { .timestamp = ts } + ."@timestamp" = format_timestamp(.timestamp, "%+") ?? .timestamp + envelop |= {"record_id": sp[1]} + . |= {"audit.linux" : envelop} } } else { log("could not parse host audit msg. err=" + err, rate_limit_secs: 0) 
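Review bot: viaq_journal.json now carries only `timestamp`, while the other four samples in this commit keep `@timestamp` next to the new field, and the `FixTimestampField` change in common.go fills `@timestamp` from `.timestamp` whenever it is absent, so the journal sample no longer reflects what the pipeline emits. If the samples are meant to show emitted records, restore the line `"@timestamp": "2023-10-17T20:46:29.048949Z",` beside the new one; if dropping it is deliberate for journal logs, a sentence in the commit description saying so would help readers of these samples.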
@@ -193,7 +194,7 @@ if .log_type == "audit" && .log_source == "auditd" { .level = "default" .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_type == "audit" && .log_source == "kubeAPI" { @@ -205,7 +206,7 @@ if .log_type == "audit" && .log_source == "kubeAPI" { del(.message) .k8s_audit_level = .level .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_type == "audit" && .log_source == "openshiftAPI" { @@ -217,7 +218,7 @@ if .log_type == "audit" && .log_source == "openshiftAPI" { del(.message) .openshift_audit_level = .level .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_type == "audit" && .log_source == "ovn" { @@ -275,7 +276,7 @@ if .log_type == "audit" && .log_source == "ovn" { } } .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_source == "container" { @@ -359,7 +360,7 @@ if .log_source == "container" { del(.kubernetes.pod_ips) del(.kubernetes.node_labels) del(.timestamp_end) - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_source == "node" { 
@@ -442,7 +443,7 @@ if .log_source == "node" { .time = format_timestamp!(.timestamp, format: "%FT%T%:z") - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } ''' diff --git a/internal/generator/vector/conf/complex_http_receiver.toml b/internal/generator/vector/conf/complex_http_receiver.toml index d61c9fab39..3ae6525dba 100644 --- a/internal/generator/vector/conf/complex_http_receiver.toml +++ b/internal/generator/vector/conf/complex_http_receiver.toml @@ -216,10 +216,11 @@ if .log_type == "audit" && .log_source == "auditd" { if err == null { sp, err = split(match2.ts_record,":") if err == null && length(sp) == 2 { - ts = parse_timestamp(sp[0],"%s.%3f") ?? "" - envelop |= {"record_id": sp[1]} - . |= {"audit.linux" : envelop} - . |= {"@timestamp" : format_timestamp(ts,"%+") ?? ""} + ts = parse_timestamp(sp[0],"%s.%3f") ?? "" + if ts != "" { .timestamp = ts } + ."@timestamp" = format_timestamp(.timestamp, "%+") ?? .timestamp + envelop |= {"record_id": sp[1]} + . |= {"audit.linux" : envelop} } } else { log("could not parse host audit msg. err=" + err, rate_limit_secs: 0) @@ -227,7 +228,7 @@ if .log_type == "audit" && .log_source == "auditd" { .level = "default" .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_type == "audit" && .log_source == "kubeAPI" { 
@@ -239,7 +240,7 @@ if .log_type == "audit" && .log_source == "kubeAPI" { del(.message) .k8s_audit_level = .level .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_type == "audit" && .log_source == "openshiftAPI" { @@ -251,7 +252,7 @@ if .log_type == "audit" && .log_source == "openshiftAPI" { del(.message) .openshift_audit_level = .level .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_type == "audit" && .log_source == "ovn" { @@ -309,7 +310,7 @@ if .log_type == "audit" && .log_source == "ovn" { } } .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_source == "container" { @@ -393,7 +394,7 @@ if .log_source == "container" { del(.kubernetes.pod_ips) del(.kubernetes.node_labels) del(.timestamp_end) - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_source == "node" { @@ -476,7 +477,7 @@ if .log_source == "node" { .time = format_timestamp!(.timestamp, format: "%FT%T%:z") - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } ''' 
diff --git a/internal/generator/vector/conf/container.toml b/internal/generator/vector/conf/container.toml
index 3dccec48ed..cf0f15c6b0 100644
--- a/internal/generator/vector/conf/container.toml
+++ b/internal/generator/vector/conf/container.toml
@@ -155,7 +155,7 @@ if .log_source == "container" {
 del(.kubernetes.pod_ips)
 del(.kubernetes.node_labels)
 del(.timestamp_end)
- ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts}
+ if !exists(."@timestamp") {."@timestamp" = .timestamp}
 .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds")
 }
 '''
diff --git a/internal/generator/vector/filter/openshift/viaq/audit.go b/internal/generator/vector/filter/openshift/viaq/audit.go
index cbde65711c..799bbcd5ab 100644
--- a/internal/generator/vector/filter/openshift/viaq/audit.go
+++ b/internal/generator/vector/filter/openshift/viaq/audit.go
@@ -22,9 +22,10 @@ if err == null {
 sp, err = split(match2.ts_record,":")
 if err == null && length(sp) == 2 {
 ts = parse_timestamp(sp[0],"%s.%3f") ?? ""
+ if ts != "" { .timestamp = ts }
+ ."@timestamp" = format_timestamp(.timestamp, "%+") ?? .timestamp
 envelop |= {"record_id": sp[1]}
 . |= {"audit.linux" : envelop}
- . |= {"@timestamp" : format_timestamp(ts,"%+") ?? ""}
 }
 } else {
 log("could not parse host audit msg. err=" + err, rate_limit_secs: 0)
diff --git a/internal/generator/vector/filter/openshift/viaq/common.go b/internal/generator/vector/filter/openshift/viaq/common.go
index b43cc47fb7..5c76f4171e 100644
--- a/internal/generator/vector/filter/openshift/viaq/common.go
+++ b/internal/generator/vector/filter/openshift/viaq/common.go
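Review bot: On the new `if ts != "" { .timestamp = ts }` line in audit.go, an auditd timestamp that `parse_timestamp` cannot read is swallowed by the `?? ""` above it and `.timestamp` silently keeps whatever the source set (presumably the time the collector read the line), which the next line then copies into `@timestamp`; the removed line at least left `@timestamp` empty, so a record carrying the wrong event time was detectable downstream. For audit records the event time is what investigators correlate on, so the fallback deserves to be visible: `if ts != "" { .timestamp = ts } else { log("could not parse host audit timestamp, keeping source timestamp", rate_limit_secs: 0) }`. The same VRL is reproduced in the complex.toml and complex_http_receiver.toml fixtures earlier in this commit, which would need regenerating with it. The remap program containing these lines starts and ends outside the hunk.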
@@ -2,7 +2,7 @@ package viaq const ( ClusterID = `.openshift.cluster_id = "${OPENSHIFT_CLUSTER_ID:-}"` - FixTimestampField = `ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts}` + FixTimestampField = `if !exists(."@timestamp") {."@timestamp" = .timestamp}` InternalContext = `._internal.message = .message` VRLOpenShiftSequence = `.openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds")` ) diff --git a/internal/generator/vector/pipeline/adapter_test_drop_filter.toml b/internal/generator/vector/pipeline/adapter_test_drop_filter.toml index fd6ce84733..f57f80879c 100644 --- a/internal/generator/vector/pipeline/adapter_test_drop_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_drop_filter.toml @@ -91,7 +91,7 @@ if .log_source == "container" { del(.kubernetes.pod_ips) del(.kubernetes.node_labels) del(.timestamp_end) - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } if .log_source == "node" { @@ -174,7 +174,7 @@ if .log_source == "node" { .time = format_timestamp!(.timestamp, format: "%FT%T%:z") - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } ''' diff --git a/internal/generator/vector/pipeline/adapter_test_kube_api_filter.toml b/internal/generator/vector/pipeline/adapter_test_kube_api_filter.toml index 3beaa19d0e..dec35dfb0d 100644 --- a/internal/generator/vector/pipeline/adapter_test_kube_api_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_kube_api_filter.toml 
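Review bot: `FixTimestampField` is exported but still has no doc comment, and its behaviour changed in a way worth recording: `.timestamp` is no longer deleted, so records now carry both fields, and `@timestamp` is only filled in when the source did not already provide one. Suggested line above the constant: `// FixTimestampField sets the legacy "@timestamp" field from .timestamp when it is absent; .timestamp is kept so records carry both fields.` The identical one-line replacement appears in the adapter_test_*.toml fixtures in this commit, which is consistent with the constant being their source.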
@@ -11,7 +11,7 @@ if .log_type == "audit" && .log_source == "kubeAPI" { del(.message) .k8s_audit_level = .level .hostname = get_env_var("VECTOR_SELF_NODE_NAME") ?? "" - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } ''' diff --git a/internal/generator/vector/pipeline/adapter_test_prune_inNotIn_filter.toml b/internal/generator/vector/pipeline/adapter_test_prune_inNotIn_filter.toml index 5703218b0c..e26aac00ab 100644 --- a/internal/generator/vector/pipeline/adapter_test_prune_inNotIn_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_prune_inNotIn_filter.toml @@ -83,7 +83,7 @@ if .log_source == "container" { del(.kubernetes.pod_ips) del(.kubernetes.node_labels) del(.timestamp_end) - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } ''' diff --git a/internal/generator/vector/pipeline/adapter_test_prune_inOnly_filter.toml b/internal/generator/vector/pipeline/adapter_test_prune_inOnly_filter.toml index 7f82ba0a9b..4e9b3a4369 100644 --- a/internal/generator/vector/pipeline/adapter_test_prune_inOnly_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_prune_inOnly_filter.toml @@ -83,7 +83,7 @@ if .log_source == "container" { del(.kubernetes.pod_ips) del(.kubernetes.node_labels) del(.timestamp_end) - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } ''' diff --git a/internal/generator/vector/pipeline/adapter_test_prune_notIn_only_filter.toml b/internal/generator/vector/pipeline/adapter_test_prune_notIn_only_filter.toml index 4a5e7a84c8..80ed8e390e 100644 
--- a/internal/generator/vector/pipeline/adapter_test_prune_notIn_only_filter.toml +++ b/internal/generator/vector/pipeline/adapter_test_prune_notIn_only_filter.toml @@ -83,7 +83,7 @@ if .log_source == "container" { del(.kubernetes.pod_ips) del(.kubernetes.node_labels) del(.timestamp_end) - ts = del(.timestamp); if !exists(."@timestamp") {."@timestamp" = ts} + if !exists(."@timestamp") {."@timestamp" = .timestamp} .openshift.sequence = to_unix_timestamp(now(), unit: "nanoseconds") } ''' diff --git a/test/framework/functional/message_templates.go b/test/framework/functional/message_templates.go index 2c4fbd1132..8fa84301bb 100644 --- a/test/framework/functional/message_templates.go +++ b/test/framework/functional/message_templates.go @@ -54,13 +54,14 @@ var ( func NewApplicationLogTemplate() types.ApplicationLog { return types.ApplicationLog{ ViaQCommon: types.ViaQCommon{ - Timestamp: time.Time{}, - Message: "*", - LogType: "application", - LogSource: "container", - Level: "*", - Hostname: "*", - ViaqMsgID: "**optional**", + TimestampLegacy: time.Time{}, + Timestamp: time.Time{}, + Message: "*", + LogType: "application", + LogSource: "container", + Level: "*", + Hostname: "*", + ViaqMsgID: "**optional**", Openshift: types.OpenshiftMeta{ Labels: map[string]string{"*": "*"}, Sequence: types.NewOptionalInt(""), @@ -79,13 +80,14 @@ func NewApplicationLogTemplate() types.ApplicationLog { func NewContainerInfrastructureLogTemplate() types.ApplicationLog { return types.ApplicationLog{ ViaQCommon: types.ViaQCommon{ - Timestamp: time.Time{}, - Message: "*", - LogType: "infrastructure", - LogSource: "container", - Level: "*", - Hostname: "*", - ViaqMsgID: "**optional**", + TimestampLegacy: time.Time{}, + Timestamp: time.Time{}, + Message: "*", + LogType: "infrastructure", + LogSource: "container", + Level: "*", + Hostname: "*", + ViaqMsgID: "**optional**", Openshift: types.OpenshiftMeta{ Labels: map[string]string{"*": "*"}, Sequence: types.NewOptionalInt(""), 
@@ -104,7 +106,7 @@ func NewContainerInfrastructureLogTemplate() types.ApplicationLog { func NewJournalInfrastructureLogTemplate() types.JournalLog { return types.JournalLog{ ViaQCommon: types.ViaQCommon{ - + TimestampLegacy: time.Time{}, Timestamp: time.Time{}, Message: "*", LogSource: "node", diff --git a/test/framework/functional/output_http.go b/test/framework/functional/output_http.go index a5be84074c..fc0445e1fc 100644 --- a/test/framework/functional/output_http.go +++ b/test/framework/functional/output_http.go @@ -92,7 +92,6 @@ type = "remap" inputs = ["my_source"] source = ''' del(.source_type) - del(.timestamp) ''' [sinks.my_sink] diff --git a/test/functional/filters/prune/prune_filter_test.go b/test/functional/filters/prune/prune_filter_test.go index 34a831a8e1..129f80fbda 100644 --- a/test/functional/filters/prune/prune_filter_test.go +++ b/test/functional/filters/prune/prune_filter_test.go @@ -67,6 +67,7 @@ var _ = Describe("[Functional][Filters][Prune] Prune filter", func() { Expect(log.Kubernetes).ToNot(BeNil()) Expect(log.Openshift).ToNot(BeNil()) Expect(log.Timestamp).ToNot(BeNil()) + Expect(log.TimestampLegacy).ToNot(BeNil()) Expect(log.Kubernetes.Annotations).ToNot(BeNil()) Expect(log.Kubernetes.PodName).ToNot(BeNil()) Expect(log.Kubernetes.Labels).ToNot(ContainElement("foo-bar_baz")) diff --git a/test/functional/normalization/audit_logs_format_test.go b/test/functional/normalization/audit_logs_format_test.go index 380825cb4a..2d41856a30 100644 --- a/test/functional/normalization/audit_logs_format_test.go +++ b/test/functional/normalization/audit_logs_format_test.go @@ -45,6 +45,7 @@ var _ = Describe("[Functional][LogForwarding][Normalization] message format test LogType: "audit", Level: "Metadata", Timestamp: time.Time{}, + TimestampLegacy: time.Time{}, PipelineMetadata: functional.TemplateForAnyPipelineMetadata, OpenshiftLabels: types.OpenshiftMeta{ ClusterID: "*", 
@@ -82,6 +83,7 @@ var _ = Describe("[Functional][LogForwarding][Normalization] message format test LogType: "audit", Level: "Metadata", Timestamp: time.Time{}, + TimestampLegacy: time.Time{}, PipelineMetadata: functional.TemplateForAnyPipelineMetadata, OpenshiftLabels: types.OpenshiftMeta{ ClusterID: "*", @@ -108,7 +110,7 @@ var _ = Describe("[Functional][LogForwarding][Normalization] message format test }) It("should parse linux audit log format correctly", func() { // Log message data - timestamp := "2013-03-28T14:36:03.243000+00:00" + timestamp := "2024-03-28T14:36:03.243000+00:00" testTime, _ := time.Parse(time.RFC3339Nano, timestamp) auditLogLine := functional.NewAuditHostLog(testTime) // Template expected as output Log @@ -123,6 +125,7 @@ var _ = Describe("[Functional][LogForwarding][Normalization] message format test RecordID: "*", }, Timestamp: testTime, + TimestampLegacy: testTime, PipelineMetadata: functional.TemplateForAnyPipelineMetadata, Openshift: types.OpenshiftMeta{ ClusterID: "*", @@ -149,12 +152,13 @@ var _ = Describe("[Functional][LogForwarding][Normalization] message format test // Template expected as output Log var outputLogTemplate = types.OVNAuditLog{ - Message: ovnLogLine, - Level: level, - Hostname: framework.Pod.Spec.NodeName, - Timestamp: time.Time{}, - LogSource: "*", - LogType: "audit", + Message: ovnLogLine, + Level: level, + Hostname: framework.Pod.Spec.NodeName, + Timestamp: time.Time{}, + TimestampLegacy: time.Time{}, + LogSource: "*", + LogType: "audit", Openshift: types.OpenshiftMeta{ Sequence: types.NewOptionalInt(""), ClusterID: "*", diff --git a/test/functional/normalization/eventrouter_test.go b/test/functional/normalization/eventrouter_test.go index 804b0f1b8e..de4922b8a5 100644 --- a/test/functional/normalization/eventrouter_test.go +++ b/test/functional/normalization/eventrouter_test.go 
@@ -48,6 +48,7 @@ var _ = Describe("[Functional][Normalization] Messages from EventRouter", func() Hostname: types.AnyString, PipelineMetadata: types.PipelineMetadata{}, Timestamp: time.Time{}, + TimestampLegacy: time.Time{}, LogSource: string(obs.InfrastructureSourceContainer), LogType: string(obs.InputTypeApplication), Openshift: types.OpenshiftMeta{ diff --git a/test/functional/normalization/loglevel/container_logs_test.go b/test/functional/normalization/loglevel/container_logs_test.go index f6ba0185b7..ef23ffba1c 100644 --- a/test/functional/normalization/loglevel/container_logs_test.go +++ b/test/functional/normalization/loglevel/container_logs_test.go @@ -40,6 +40,7 @@ var _ = Describe("[functional][normalization][loglevel] tests for message format // Template expected as output Log var outputLogTemplate = functional.NewApplicationLogTemplate() + outputLogTemplate.TimestampLegacy = nanoTime outputLogTemplate.Timestamp = nanoTime outputLogTemplate.Message = message outputLogTemplate.Level = expLevel diff --git a/test/functional/normalization/message_format_test.go b/test/functional/normalization/message_format_test.go index 34caa15bd3..75a11de574 100644 --- a/test/functional/normalization/message_format_test.go +++ b/test/functional/normalization/message_format_test.go @@ -39,12 +39,13 @@ var _ = Describe("[Functional][LogForwarding][Normalization] tests for message f // Log message data message := "Functional test message" - timestamp := "2020-11-04T18:13:59.061892+00:00" + timestamp := "2024-11-04T18:13:59.061892+00:00" nanoTime, _ := time.Parse(time.RFC3339Nano, timestamp) // Template expected as output Log var outputLogTemplate = functional.NewApplicationLogTemplate() outputLogTemplate.Timestamp = nanoTime + outputLogTemplate.TimestampLegacy = nanoTime outputLogTemplate.Message = fmt.Sprintf("regex:^%s.*$", message) outputLogTemplate.Level = "*" 
@@ -74,6 +75,7 @@ var _ = Describe("[Functional][LogForwarding][Normalization] tests for message f // Template expected as output Log var outputLogTemplate = functional.NewApplicationLogTemplate() outputLogTemplate.Timestamp = nanoTime + outputLogTemplate.TimestampLegacy = nanoTime outputLogTemplate.Message = fmt.Sprintf("regex:^%s.*$", message) outputLogTemplate.Level = "*" diff --git a/test/functional/outputs/azuremonitor/forward_to_azuremonitor_test.go b/test/functional/outputs/azuremonitor/forward_to_azuremonitor_test.go index d7f81199e5..3be90558f7 100644 --- a/test/functional/outputs/azuremonitor/forward_to_azuremonitor_test.go +++ b/test/functional/outputs/azuremonitor/forward_to_azuremonitor_test.go @@ -60,7 +60,7 @@ var _ = Describe("Forwarding to Azure Monitor Log ", func() { nanoTime, _ := time.Parse(time.RFC3339Nano, timestamp) message := "This is my new test message" var appLogTemplate = functional.NewApplicationLogTemplate() - appLogTemplate.Timestamp = nanoTime + appLogTemplate.TimestampLegacy = nanoTime appLogTemplate.Message = message appLogTemplate.Level = "default" appLogTemplate.Kubernetes.PodName = framework.Pod.Name diff --git a/test/functional/outputs/cloudwatch/forward_to_cloudwatch_test.go b/test/functional/outputs/cloudwatch/forward_to_cloudwatch_test.go index 77e9069159..4cbca09887 100644 --- a/test/functional/outputs/cloudwatch/forward_to_cloudwatch_test.go +++ b/test/functional/outputs/cloudwatch/forward_to_cloudwatch_test.go @@ -36,6 +36,7 @@ var _ = Describe("[Functional][Outputs][CloudWatch] Forward Output to CloudWatch BeforeEach(func() { framework = functional.NewCollectorFunctionalFramework() + framework.MaxReadDuration = utils.GetPtr(time.Second * 45) log.V(2).Info("Creating secret cloudwatch with AWS example credentials") secret = runtime.NewSecret(framework.Namespace, functional.CloudwatchSecret, 
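Review bot: `appLogTemplate.Timestamp = nanoTime` in forward_to_azuremonitor_test.go was replaced rather than supplemented, so unlike the other templates in this change (message_format_test.go, container_logs_test.go) the Azure Monitor expected record leaves `Timestamp` at its zero value, and by the matcher semantics exercised in log_format_test.go a zero template time matches anything — the new `timestamp` field is no longer asserted for this output. If that is deliberate because the Azure Monitor record does not carry `timestamp`, a comment should say so; otherwise keep both, `appLogTemplate.Timestamp = nanoTime` next to the legacy assignment. The enclosing It block starts before and ends after the hunk.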
@@ -197,7 +198,8 @@ var _ = Describe("[Functional][Outputs][CloudWatch] Forward Output to CloudWatch Expect(framework.Deploy()).To(BeNil()) // Write audit logs - tstamp, _ := time.Parse(time.RFC3339Nano, "2021-03-28T14:36:03.243000+00:00") + ts := functional.CRIOTime(time.Now().Add(-12 * time.Hour)) // must be less than 14 days old + tstamp, _ := time.Parse(time.RFC3339Nano, ts) auditLogLine := functional.NewAuditHostLog(tstamp) writeAuditLogs := framework.WriteMessagesToAuditLog(auditLogLine, numLogsSent) Expect(writeAuditLogs).To(BeNil(), "Expect no errors writing logs") diff --git a/test/functional/outputs/elasticsearch/forward_to_elasticsearch_test.go b/test/functional/outputs/elasticsearch/forward_to_elasticsearch_test.go index 31eeb45df4..54efd7d72b 100644 --- a/test/functional/outputs/elasticsearch/forward_to_elasticsearch_test.go +++ b/test/functional/outputs/elasticsearch/forward_to_elasticsearch_test.go @@ -60,7 +60,7 @@ var _ = Describe("[Functional][Outputs][ElasticSearch] Logforwarding to ElasticS Expect(len(logs)).To(Equal(2)) //sort log by time before matching sort.Slice(logs, func(i, j int) bool { - return logs[i].Timestamp.Before(logs[j].Timestamp) + return logs[i].TimestampLegacy.Before(logs[j].TimestampLegacy) }) Expect(logs[0].Message).To(Equal(ukr + jp + ch)) diff --git a/test/functional/outputs/loki/application_logs_vector_test.go b/test/functional/outputs/loki/application_logs_vector_test.go index d3afa4899b..320477d878 100644 --- a/test/functional/outputs/loki/application_logs_vector_test.go +++ b/test/functional/outputs/loki/application_logs_vector_test.go 
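Review bot: `tstamp, _ := time.Parse(time.RFC3339Nano, ts)` discards the parse error on a value that is now produced at runtime by `functional.CRIOTime` instead of a fixed literal; if CRIOTime's layout ever diverges from RFC3339Nano, `tstamp` silently becomes the zero time and the "must be less than 14 days old" requirement the new comment documents is violated with no test failure. Use `tstamp, err := time.Parse(time.RFC3339Nano, ts)` and `Expect(err).NotTo(HaveOccurred())`. If the string round-trip exists only to truncate precision, `time.Now().Add(-12 * time.Hour).Truncate(...)` would express that without a parse at all — I cannot tell from the hunk what CRIOTime normalises. The enclosing It block continues outside the hunk.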
@@ -44,13 +44,14 @@ var _ = Describe("[Functional][Outputs][Loki] Forwarding to Loki", func() { }) It("should accept not ordered event", func() { now := time.Now() + ts := functional.CRIOTime(now.Add(-5 * time.Minute)) + msg := functional.NewFullCRIOLogMessage(ts, "A few minutes ago...") + + tsThen := functional.CRIOTime(now.Add(-50 * time.Minute)) + msgOld := functional.NewFullCRIOLogMessage(tsThen, "A little while ago in a galaxy far, far away....") + tsNow := functional.CRIOTime(now) - duration, _ := time.ParseDuration("-5.5h") //time back - then := now.Add(duration) - tsThen := then.UTC().Format(time.RFC3339Nano) - msg := functional.NewFullCRIOLogMessage(tsNow, "Present days") - msgOld := functional.NewFullCRIOLogMessage(tsThen, "A long time ago in a galaxy far, far away....") - msgNew := functional.NewFullCRIOLogMessage(functional.CRIOTime(time.Now()), "Present days") + msgNew := functional.NewFullCRIOLogMessage(tsNow, "Present time") Expect(f.WriteMessagesToApplicationLog(msg, 1)).To(Succeed()) Expect(f.WriteMessagesToApplicationLog(msgOld, 1)).To(Succeed()) Expect(f.WriteMessagesToApplicationLog(msgNew, 1)).To(Succeed()) 
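Review bot: The new offsets `-5 * time.Minute` and `-50 * time.Minute` replace the previous 5.5 h backdate with no comment explaining the bound; the shrink lands in the same change as the Loki image bump to 3.3.2 in receiver.go, which suggests the older offset fell outside the receiver's accepted out-of-order window, but that is inferred rather than visible here. A comment on the `tsThen` line such as `// keep every sample inside the Loki receiver's accepted out-of-order window` (with the concrete bound once confirmed) would stop the next maintainer from "fixing" it back to hours. The write order (ts, tsThen, tsNow) still delivers the out-of-order case the test name promises, so the intent survives. The enclosing It block continues in the next hunk.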
@@ -58,16 +59,15 @@ var _ = Describe("[Functional][Outputs][Loki] Forwarding to Loki", func() { query := fmt.Sprintf(`{kubernetes_namespace_name=%q, kubernetes_pod_name=%q}`, f.Namespace, f.Name) result, err := l.QueryUntil(query, "", 3) Expect(err).To(BeNil()) - Expect(result).NotTo(BeNil()) Expect(len(result)).To(Equal(1)) + lines := result[0].Lines() Expect(len(lines)).To(Equal(3)) - Expect(strings.Contains(lines[0], "Present days")).To(BeTrue()) - Expect(strings.Contains(lines[1], "A long time ago in a galaxy far, far away....")).To(BeTrue()) - Expect(strings.Contains(lines[2], "Present days")).To(BeTrue()) + Expect(strings.Contains(lines[0], "A little while ago in a galaxy far, far away....")).To(BeTrue()) + Expect(strings.Contains(lines[1], "A few minutes ago...")).To(BeTrue()) + Expect(strings.Contains(lines[2], "Present time")).To(BeTrue()) }) }) - Context("labelKeys", func() { const myValue = "foobarvalue" It("should handle the configuration so the collector starts when label keys are defined that include slashes and dashes. Ref(LOG-4095, LOG-4460)", func() { @@ -103,8 +103,11 @@ var _ = Describe("[Functional][Outputs][Loki] Forwarding to Loki", func() { "kubernetes_labels_prefix_cloud_com_platform_stage": "dev", "kubernetes_host": f.Pod.Spec.NodeName, } + // quick fix since unable to disable service_name discovery via functional test arguments + want["service_name"] = "unknown_service" + labels := result[0].Stream - Expect(len(labels)).To(Equal(8)) + Expect(len(labels)).To(Equal(9)) Expect(labels).To(BeEquivalentTo(want)) }) 
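Review bot: `want["service_name"] = "unknown_service"` is a hand-copied workaround that recurs in the next hunk (L91, with the container name) and in audit_logs_vector_test.go on the same line; when the TODO in receiver.go is resolved all three sites must be found and unpicked. Keep that knowledge in one place next to the receiver — a constant or small helper (constructed names: `loki.ServiceNameLabel`, `loki.DiscoveredServiceName(...)`) whose comment points at the receiver's TODO — and call it from the tests. The hard-coded `Expect(len(labels)).To(Equal(9))` (and `Equal(11)` in L91) is redundant with the following `BeEquivalentTo(want)` and will churn on every label change; `Expect(labels).To(HaveLen(len(want)))` or dropping it is enough. The enclosing It block continues outside the hunk.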
@@ -135,8 +138,12 @@ var _ = Describe("[Functional][Outputs][Loki] Forwarding to Loki", func() { "log_type": string(obs.InputTypeApplication), "openshift_log_type": string(obs.InputTypeApplication), } + + // quick fix since unable to disable service_name discovery via functional test arguments + want["service_name"] = f.Pod.Spec.Containers[0].Name + labels := result[0].Stream - Expect(len(labels)).To(Equal(10)) + Expect(len(labels)).To(Equal(11)) Expect(labels).To(BeEquivalentTo(want)) }) }) diff --git a/test/functional/outputs/loki/audit_logs_vector_test.go b/test/functional/outputs/loki/audit_logs_vector_test.go index 7f37a29c16..fce1310203 100644 --- a/test/functional/outputs/loki/audit_logs_vector_test.go +++ b/test/functional/outputs/loki/audit_logs_vector_test.go @@ -54,6 +54,9 @@ var _ = Describe("[Functional][Outputs][Loki] Forwarding to Loki", func() { "openshift_log_type": string(obs.InputTypeAudit), "k8s_node_name": f.Pod.Spec.NodeName, } + // quick fix since unable to disable service_name discovery via functional test arguments + expLabels["service_name"] = "unknown_service" + actualLabels := r[0].Stream Expect(actualLabels).To(BeEquivalentTo(expLabels), "Exp. labels to be added to the log record") } diff --git a/test/functional/outputs/multiple/multiple_test.go b/test/functional/outputs/multiple/multiple_test.go index b53de3a5b1..29f0c8ac16 100644 --- a/test/functional/outputs/multiple/multiple_test.go +++ b/test/functional/outputs/multiple/multiple_test.go @@ -63,7 +63,7 @@ var _ = Describe("[Functional][Outputs][Multiple] tests", func() { // Compare to expected template Expect(logs).To(HaveLen(2), "Expected Elasticsearch to have received all the records") sort.Slice(logs, func(i, j int) bool { - return logs[i].Timestamp.Before(logs[j].Timestamp) + return logs[i].TimestampLegacy.Before(logs[j].TimestampLegacy) }) Expect(logs[1].Message).To(Equal(appMsg)) }) 
diff --git a/test/helpers/loki/receiver.go b/test/helpers/loki/receiver.go
index 8c120d6dd5..9596268c2e 100644
--- a/test/helpers/loki/receiver.go
+++ b/test/helpers/loki/receiver.go
@@ -26,7 +26,7 @@ import (
 )
 
 const (
-	Image = "grafana/loki:2.8.4"
+	Image = "grafana/loki:3.3.2"
 	Port = int32(3100)
 	lokiReceiver = "loki-receiver"
 )
@@ -51,6 +51,8 @@ func NewReceiver(ns, name string) *Receiver {
 		ready: make(chan struct{}),
 	}
 	runtime.Labels(r.Pod)[lokiReceiver] = name
+	// TODO: need a custom config in order to disable service_name discovery
+	// "-validation.discover-service-name=" empty list does not work as expected using flag
 	r.Pod.Spec.Containers = []corev1.Container{{
 		Name: name,
 		Image: Image,
@@ -61,6 +63,7 @@ func NewReceiver(ns, name string) *Receiver {
 		"-server.grpc-max-recv-msg-size-bytes", "20971520",
 		"-distributor.ingestion-rate-limit-mb", "200",
 		"-distributor.ingestion-burst-size-mb", "200",
+		"-validation.discover-log-levels=false",
 	},
 	SecurityContext: &corev1.SecurityContext{
 		AllowPrivilegeEscalation: utils.GetPtr(false),
@@ -230,7 +233,7 @@ func (sv StreamValues) Lines() (lines []string) {
 }
 
 // Records extracts log lines and parses as JSON maps.
-// Lines that are not valid JSON are are returned as: {"INVALID ": "original line"}
+// Lines that are not valid JSON are returned as: {"INVALID ": "original line"}
 func (sv StreamValues) Records() (records []map[string]interface{}) {
 	for _, l := range sv.Lines() {
 		m := map[string]interface{}{}
diff --git a/test/helpers/types/types.go b/test/helpers/types/types.go
index 26f9f0dfe2..9e4a345efc 100644
--- a/test/helpers/types/types.go
+++ b/test/helpers/types/types.go
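Review bot: `Image = "grafana/loki:3.3.2"` still pins the receiver by a mutable tag; for a test dependency pulled from a public registry a digest pin (`Image = "grafana/loki:3.3.2@sha256:<DIGEST-PLACEHOLDER>"`) makes runs reproducible and rules out a retagged image changing behaviour between CI runs, and the version bump is the natural moment to add it. The new TODO would be more actionable if it recorded what was actually observed with `-validation.discover-service-name=` (flag rejected at startup versus accepted but discovery still active), so the next person does not repeat the experiment. The `are are` fix in the Records doc comment is fine.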
@@ -190,8 +190,22 @@ type ViaQCommon struct {
 	// * yyyy-MM-dd'T'HH:mm:ssZ
 	// * dateOptionalTime
 	//
-	// example: `2015-01-24 14:06:05.071000000 Z`
-	Timestamp time.Time `json:"@timestamp,omitempty"`
+	// example: `2024-11-24T14:06:05.071000000Z`
+	TimestampLegacy time.Time `json:"@timestamp,omitempty"`
+
+	// A UTC value that marks when the log payload was created.
+	//
+	// Value derived from legacy `@timestamp` for forward compatibility.
+	//
+	// format:
+	//
+	// * yyyy-MM-dd HH:mm:ss,SSSZ
+	// * yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ
+	// * yyyy-MM-dd'T'HH:mm:ssZ
+	// * dateOptionalTime
+	//
+	// example: `2024-11-24T14:06:05.071000000Z`
+	Timestamp time.Time `json:"timestamp,omitempty"`
 
 	// Original log entry text, UTF-8 encoded
 	//
@@ -311,7 +325,8 @@ type InfraLog struct {
 	Level string `json:"level,omitempty"`
 	Hostname string `json:"hostname,omitempty"`
 	PipelineMetadata PipelineMetadata `json:"pipeline_metadata,omitempty"`
-	Timestamp time.Time `json:"@timestamp,omitempty"`
+	TimestampLegacy time.Time `json:"@timestamp,omitempty"`
+	Timestamp time.Time `json:"timestamp,omitempty"`
 	LogType string `json:"log_type,omitempty"`
 	ViaqIndexName string `json:"viaq_index_name,omitempty"`
 	ViaqMsgID string `json:"viaq_msg_id,omitempty"`
@@ -335,7 +350,8 @@ type LinuxAuditLog struct {
 	AuditLinux AuditLinux `json:"audit.linux"`
 	Message string `json:"message,omitempty"`
 	PipelineMetadata PipelineMetadata `json:"pipeline_metadata"`
-	Timestamp time.Time `json:"@timestamp"`
+	TimestampLegacy time.Time `json:"@timestamp,omitempty"`
+	Timestamp time.Time `json:"timestamp,omitempty"`
 	LogSource string `json:"log_source,omitempty"`
 	LogType string `json:"log_type,omitempty"`
 	ViaqIndexName string `json:"viaq_index_name"`
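Review bot: `TimestampLegacy` keeps the old `@timestamp` documentation but nothing marks it as superseded, while the new `Timestamp` comment says its value is "derived from legacy `@timestamp`"; add `// Deprecated: use Timestamp (json "timestamp") instead.` on its own line in the legacy field's comment so tooling surfaces it. Separately, the `omitempty` newly added to the `@timestamp` tag of LinuxAuditLog (this line) and OVNAuditLog (L94) — and already present on the other structs — has no effect on a `time.Time`, because encoding/json never treats a struct value as empty; a zero time is still serialised, so either drop the option, use `*time.Time` where omission is the goal, or `omitzero` once the module targets Go 1.24. The four `format:` bullets were copied verbatim onto `Timestamp`; if the new field is always the normalised form rather than accepting every legacy layout, a shorter comment would be less misleading.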
@@ -356,7 +372,8 @@ type OVNAuditLog struct {
 	Hostname string `json:"hostname"`
 	Message string `json:"message,omitempty"`
 	PipelineMetadata PipelineMetadata `json:"pipeline_metadata"`
-	Timestamp time.Time `json:"@timestamp"`
+	TimestampLegacy time.Time `json:"@timestamp,omitempty"`
+	Timestamp time.Time `json:"timestamp,omitempty"`
 	LogType string `json:"log_type,omitempty"`
 	LogSource string `json:"log_source,omitempty"`
 	ViaqIndexName string `json:"viaq_index_name"`
@@ -386,7 +403,8 @@ type AuditLogCommon struct {
 	Message interface{} `json:"message,omitempty"`
 	Hostname string `json:"hostname,omitempty"`
 	PipelineMetadata PipelineMetadata `json:"pipeline_metadata,omitempty"`
-	Timestamp time.Time `json:"@timestamp,omitempty"`
+	TimestampLegacy time.Time `json:"@timestamp,omitempty"`
+	Timestamp time.Time `json:"timestamp,omitempty"`
 	LogSource string `json:"log_source,omitempty"`
 	LogType string `json:"log_type,omitempty"`
 	ViaqIndexName string `json:"viaq_index_name,omitempty"`
@@ -436,7 +454,8 @@ type AuditLog struct {
 	AuditLinux AuditLinux `json:"audit.linux,omitempty"`
 	Message string `json:"message,omitempty"`
 	PipelineMetadata PipelineMetadata `json:"pipeline_metadata"`
-	Timestamp time.Time `json:"@timestamp,omitempty"`
+	TimestampLegacy time.Time `json:"@timestamp,omitempty"`
+	Timestamp time.Time `json:"timestamp,omitempty"`
 	Docker Docker `json:"docker,omitempty"`
 	LogType string `json:"log_type,omitempty"`
 	ViaqIndexName string `json:"viaq_index_name,omitempty"`
diff --git a/test/helpers/types/types_test.go b/test/helpers/types/types_test.go
index 2c34f0bfc2..06483e0e0c 100644
--- a/test/helpers/types/types_test.go
+++ b/test/helpers/types/types_test.go
@@ -44,6 +44,7 @@ const (
 	"version": "1.7.4 1.6.0"
 	}
 	},
+	"timestamp": "2020-11-27T18:32:57.600159+00:00",
 	"@timestamp": "2020-11-27T18:32:57.600159+00:00",
 	"viaq_index_name": "app-write",
 	"viaq_msg_id": "M2QxNzM0MmQtMmVmMy00NjM1LWE1YzAtYjE1MWMxOWE5MTM2"
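Review bot: Every fixture in types_test.go gives `"timestamp"` exactly the same value as `"@timestamp"` (this hunk and each hunk on L95), so a regression that binds the two JSON keys to the wrong struct fields, or drops one of them, cannot be detected by these fixtures. Give at least one fixture distinct values — for instance a `timestamp` one second later than `@timestamp` (constructed) — and assert both `Timestamp` and `TimestampLegacy` after decoding. This matters because it is the only place in the change that exercises the new `Timestamp` field at all; log_format_test.go was switched wholesale to `TimestampLegacy`.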
@@ -81,6 +82,7 @@ const ( "version": "1.7.4 1.6.0" } }, + "timestamp": "2020-11-29T13:27:47.955953+00:00", "@timestamp": "2020-11-29T13:27:47.955953+00:00", "viaq_index_name": "infra-write", "viaq_msg_id": "MjFlMWIxNGItMTljMi00NjA2LWFhNzUtNDg2OTYzYjQxYzUx" @@ -125,6 +127,7 @@ const ( "version": "1.7.4 1.6.0" } }, + "timestamp": "2020-11-28T18:18:17.286517+00:00", "@timestamp": "2020-11-28T18:18:17.286517+00:00", "viaq_index_name": "infra-write", "viaq_msg_id": "ZDY0ZjE4NTAtNGU3ZC00YmQ4LWJjYjctNzVjMTEwMzdlYWIz" @@ -147,6 +150,7 @@ const ( "version": "1.7.4 1.6.0" } }, + "timestamp": "2020-11-29T13:16:48.785000+00:00", "@timestamp": "2020-11-29T13:16:48.785000+00:00", "viaq_index_name": "audit-write", "viaq_msg_id": "Y2M1NThmYzUtODYxYS00MzY5LWJmZDQtN2FkYjk4ZDlmYjE3", @@ -204,6 +208,7 @@ const ( "version": "1.7.4 1.6.0" } }, + "timestamp": "2020-11-27T19:55:01.798728+00:00", "@timestamp": "2020-11-27T19:55:01.798728+00:00", "viaq_index_name": "audit-write", "viaq_msg_id": "OWU1OGU0MzYtOGQ4YS00MTBhLWIwZGQtMzM1ZDc3ZmIzOTc4", @@ -261,6 +266,7 @@ const ( "version": "1.7.4 1.6.0" } }, + "timestamp": "2020-11-29T13:26:56.978921+00:00", "@timestamp": "2020-11-29T13:26:56.978921+00:00", "viaq_index_name": "audit-write", "viaq_msg_id": "ZTRjMDQ4ZWEtMmVkMy00YTJmLTk0NTUtYTk4YzNjNDFlYjM5", @@ -280,6 +286,7 @@ const ( "version": "1.7.4 1.6.0" } }, + "timestamp": "2021-07-06T08:26:58.687000+00:00", "@timestamp": "2021-07-06T08:26:58.687000+00:00", "viaq_index_name": "audit-write", "viaq_msg_id": "Y2M1NThmYzUtODYxYS00MzY5LWJmZDQtN2FkYjk4ZDlmYjE3", diff --git a/test/matchers/log_format_test.go b/test/matchers/log_format_test.go index 7824f388c4..74b8c56888 100644 --- a/test/matchers/log_format_test.go +++ b/test/matchers/log_format_test.go 
@@ -53,14 +53,14 @@ var _ = Describe("Log Format matcher tests", func() { It("match same time value", func() { timestamp := "2013-03-28T14:36:03.243000+00:00" nanoTime, _ := time.Parse(time.RFC3339Nano, timestamp) - Expect(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{Timestamp: nanoTime}}}). - To(FitLogFormatTemplate(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{Timestamp: nanoTime}}})) + Expect(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{TimestampLegacy: nanoTime}}}). + To(FitLogFormatTemplate(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{TimestampLegacy: nanoTime}}})) }) It("match empty time value", func() { timestamp := "2013-03-28T14:36:03.243000+00:00" nanoTime, _ := time.Parse(time.RFC3339Nano, timestamp) - Expect(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{Timestamp: nanoTime}}}). + Expect(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{TimestampLegacy: nanoTime}}}). To(FitLogFormatTemplate(types.AllLog{})) }) Context("for optional ints", func() { @@ -114,8 +114,8 @@ var _ = Describe("Log Format matcher tests", func() { nanoTime1, _ := time.Parse(time.RFC3339Nano, timestamp1) timestamp2 := "2014-04-28T14:36:03.243000+00:00" nanoTime2, _ := time.Parse(time.RFC3339Nano, timestamp2) - Expect(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{Timestamp: nanoTime1}}}). - To(Not(FitLogFormatTemplate(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{Timestamp: nanoTime2}}}))) + Expect(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{TimestampLegacy: nanoTime1}}}). + To(Not(FitLogFormatTemplate(types.AllLog{ContainerLog: types.ContainerLog{ViaQCommon: types.ViaQCommon{TimestampLegacy: nanoTime2}}}))) }) })
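Review bot: Every timestamp case here was switched from `Timestamp` to `TimestampLegacy`, so the matcher now has no test for the new `Timestamp` field (`json:"timestamp"`), even though the functional tests in this change rely on templates that set both. Add a parallel pair of cases, e.g. `It("match same time value for Timestamp", ...)` using `types.ViaQCommon{Timestamp: nanoTime}` on both sides and a mismatch case with `nanoTime1`/`nanoTime2`, so a matcher that only compares the legacy field is caught; the "match empty time value" case should likewise be repeated with a zero `Timestamp` template. The enclosing Describe continues outside the hunk.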