Sending Kubernetes Logs and Events
Last updated on 13 June, 2023LogicMonitor provides different methods for sending logs from a monitored Kubernetes cluster to LM Logs.
Recommendation: LogSource is the recommended method to enable LM Logs. To use LogSource, the LM Collector must be version EA 31.200 or later. For more information, see LogSource Overview, or contact your Customer Success Manager. The procedure in the following describes how to enable LM Logs if you are not using LogSource.
The method to use depends on the type of logs that you want to send.
- For Kubernetes logs, use the lm-logs Helm chart configuration which is provided as part of the LogicMonitor Kubernetes integration.
- For Kubernetes events and Pod logs, configure the LogicMonitor Collector to collect and forward the logs from a monitored cluster or cluster group.
Requirements
- LogicMonitor API tokens to authenticate all requests to the log ingestion API.
- LogicMonitor Collector installed and monitoring your Kubernetes cluster.
Sending Kubernetes Logs
You can install and configure the LogicMonitor Kubernetes integration to forward your Kubernetes logs to the LM Logs ingestion API.
Deploying
The Kubernetes configuration for LM Logs is deployed as a Helm chart.
1. Add the LogicMonitor Helm repository:
helm repo add logicmonitor https://logicmonitor.github.io/k8s-helm-chartsIf you already have the LogicMonitor Helm repository, you should update it to get the latest charts:
helm repo update2. Install the lm-logs chart, filling in the required values:
helm install -n <namespace> \
--set lm_company_name="<lm_company_name>" \
--set lm_access_id="<lm_access_id>" \
--set lm_access_key="<lm_access_key>" \
lm-logs logicmonitor/lm-logsConfiguring Deviceless Logs for Kubernetes
Logs can be viewed in LM Logs even if the log is “deviceless” and not associated with an LM-monitored resource. Even without resource mapping, or when there are resource mapping issues, logs are still available for anomaly detection and to view and search.
For deviceless logs, log anomaly detection is done using the “namespace” and “service” fields instead of “Device ID”, when creating log profiles. To enable deviceless logs, set “fluent.device_less_logs” to “true”, when configuring lm-logs helmchart. For more information, see Send Kubernetes Logs to LM Logs.
Collecting and Forwarding Kubernetes Events
You can configure the LogicMonitor Collector to receive and forward Kubernetes Cluster events and Pod logs from a monitored Kubernetes cluster or cluster group.
Note: Use the LM Container Chart services for comprehensive Kubernetes monitoring metrics, logs, and events. For more information, see Installing the LM Container Helm Chart.
Requirements
- EA Collector 30.100 or later installed.
- You have already deployed LogicMonitor’s Kubernetes Monitoring.
- Access to the resources (events or pods) that you want to collect logs from.
Enabling the Events and Logs Collection
The following are options for enabling events and logs collection:
- Recommended—Modify the Helm deployment for Argus to enable events collection.
For more information, see Kubernetes Events and Pod Logs Collection using LogicMonitor Collector. - Alternatively—Manually add the following properties to the monitored Kubernetes cluster group (or individual resources) in LogicMonitor.
| Property | Type | Default Value | Description |
| lmlogs.k8sevent.polling.interval.min | Integer | 1 | Polling interval in minutes for Kubernetes events collection. |
| lmlogs.k8spodlog.polling.interval.min | Integer | 1 | Polling interval in minutes for Kubernetes pod logs collection. |
| lmlogs.thread.count.for.k8s.pod.log.collection | Integer | 10 | The number of threads for Kubernetes pod logs collection. The maximum value is 50. |
Configuring Filters to Remove Logs
Note: Ensure you configure filters to remove log messages that contain sensitive information like credit cards, phone numbers, or personal identifiers so that these are not sent to LogicMonitor. You can also use filters to reduce the volume of non-essential syslog log messages sent to the logs ingestion API queue.
The filtering criteria for Kubernetes Events are based on the fields “message”, “reason”, and “type”. For Kubernetes pod logs, you can filter the message fields. Filtering criteria can be defined using keywords, a regular expression pattern, specific values of fields, and so on. To configure filter criteria, uncomment to enable and then edit the filtering entries in agent.conf.
For example:
- To filter out INFO level pod logs to LogicMonitor, uncomment or add the line: logsource.k8spodlog.filter.1.message.notcontain=INFO
- To send Kubernetes events of type=Normal, comment out the line: logsource.k8sevent.filter.1.type.notequal=Normal
For more information, see Kubernetes Events and Pod Logs Collection using LogicMonitor Collector.
To configure filter criteria, configure the following agent.conf entries as applicable.
Collector agent.conf configurations
| Property | Type | Description |
| logsource.k8sevent.filter.1.message.equal | String | Defines the contents of the message that equals to the value provided in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.2.message.notequal | String | Defines the contents of the message that do not equal to the value provided in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.3.message.contain | String | Defines the content of the message has value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.4.message.notcontain | String | Defines the content of the message that does not contain the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.5.message.regexmatch | String | Defines the contents of the message containing regular expression patterns to match the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.6.message.regexnotmatch | String | Defines the contents of the message containing regular expression patterns that do not match the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.7.reason.equal | String | Defines the contents of the reason equals to the value provided in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.8.reason.notequal | String | Defines the contents of the reason does not equal to the value provided in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.9.reason.contain | String | Defines the content of the message contains the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.10.reason.notcontain | String | Defines the content of the reason that does not contain the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.11.reason.regexmatch | String | Defines the contents of the reason containing regular expression patterns that match the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.12.reason.regexnotmatch | String | Defines the contents of the reason containing regular expression patterns that do not match the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.13.type.equal | String | Defines the contents of the type equals to the value provided in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.14.type.notequal | String | Defines the contents of the type does not equal to the value provided in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.15.type.contain | String | Defines the content of the type that has value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.16.type.notcontain | String | Defines the content of the type do not contain the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.17.type.regexmatch | String | Defines the contents of the type containing regular expression patterns that match the value in the filter field for the Kubernetes events. |
| logsource.k8sevent.filter.18.type.regexnotmatch | String | Defines the contents of the type containing regular expression patterns that do not match the value in the filter field for the Kubernetes events. |
| logsource.k8spodlog.filter.1.message.equal | String | Defines the contents of the message equals to the value provided in the filter field for the Kubernetes pod logs. |
| logsource.k8spodlog.filter.2.message.notequal | String | Defines the contents of the message do not equal to the value provided in the filter field for the Kubernetes pod logs. |
| logsource.k8spodlog.filter.3.message.contain | String | Defines the content of the message that has the value in the filter field for the Kubernetes pod logs. |
| logsource.k8spodlog.filter.4.message.notcontain | String | Defines the content of the message that does not contain the value in the filter field for the Kubernetes pod logs. |
Helm-chart configurations
| Property | Description |
| lmlogs.k8sevent.enable=true | Sends events from pods, deployments, services, nodes, and so on to LM Logs. When false, ignores events. |
| lmlogs.k8spodlog.enable=true | Sends pod logs to LM Logs. When false, ignores logs from pods. |
Troubleshooting
Kubernetes Logs
- If you are not seeing Kubernetes logs in your LM Portal after a few minutes, it may be a resource mapping issue. Resource mapping for Kubernetes is handled by the Fluentd plugin.
- If mapping is correct, verify that the log file path is mounted. If the log file path is not mounted, edit the
/k8s-helm-charts/lm-logs/templates/deamonset.yamlfile to add the file path and volume.
For example, if the path to mount is/mnt/ephemeral/docker/containers/, make the following edits:
- Add the file path:
name: ephemeraldockercontainers
mountPath: /mnt/ephemeral/docker/containers/
readOnly: true- Add under volumes:
name: ephemeraldockercontainers
hostPath:
path: /mnt/ephemeral/docker/containers/Kubernetes Pod Logs
If you have enabled pod logs collection and forwarding, but you are not receiving pod logs in LM Logs, restart the Collector and increase the polling interval to 3-5 minutes.