Continental Innovates with Rancher and Kubernetes
Starting in v2.5, the logging feature available within Rancher has been completely overhauled. The logging operator from Banzai Cloud has been adopted; Rancher configures this tooling for use when deploying logging.
Among the many features and changes in the new logging functionality is the removal of project-specific logging configurations. Instead, one now configures logging at the namespace level. Cluster-level logging remains available, but configuration options differ.
Note: The pre-v2.5 user interface is now referred to as the Cluster Manager. The v2.5+ dashboard is referred to as the Cluster Explorer.
To install logging in Rancher v2.5+, refer to installation instructions.
In v2.5, logging configuration is centralized under a Logging menu option available in the Cluster Explorer. It is from this menu option that logging for both cluster and namespace is configured.
Note: Logging is installed on a per-cluster basis. You will need to navigate between clusters to configure logging for each cluster.
There are four key concepts to understand for v2.5+ logging:
Outputs
Outputs are a configuration resource that determine a destination for collected logs. This is where settings for aggregators such as ElasticSearch, Kafka, etc. are stored. Outputs are namespaced resources.
Flows
Flows are a configuration resource that determine collection, filtering, and destination rules for logs. It is within a flow that one will configure what logs to collect, how to mutate or filter them, and which outputs to send the logs to. Flows are namespaced resources, and can connect either to an Output in the same namespace, or a ClusterOutput.
ClusterOutputs
ClusterOutputs serve the same functionality as Outputs, except they are a cluster-scoped resource. ClusterOutputs are necessary when collecting logs cluster-wide, or if you wish to provide an output to all namespaces in your cluster.
ClusterFlows
ClusterFlows serve the same function as Flows, but at the cluster level. They are used to configure log collection for an entire cluster, instead of on a per-namespace level. ClusterFlows are also where mutations and filters are defined, same as Flows (in functionality).
To configure cluster-wide logging for v2.5+ logging, one needs to setup a ClusterFlow. This object defines the source of logs, any transformations or filters to be applied, and finally the output(s) for the logs.
Important: ClusterFlows must be defined within the cattle-logging-system namespace. ClusterFlows will not work if defined in any other namespace.
cattle-logging-system
In legacy logging, in order to collect logs from across the entire cluster, one only needed to enable cluster-level logging and define the desired output. This basic approach remains in v2.5+ logging. To replicate legacy cluster-level logging, follow these steps:
This will result in logs from all sources in the cluster (all pods, and all system components) being collected and sent to the output(s) you defined in the ClusterFlow.
Logging in v2.5+ is not project-aware. This means that in order to collect logs from pods running in project namespaces, you will need to define Flows for those namespaces.
To collect logs from a specific namespace, follow these steps:
This will result in logs from all sources in the namespace (pods) being collected and sent to the output(s) you defined in your Flow.
To collect logs from a project, repeat the above steps for every namespace within the project. Alternatively, you can label your project workloads with a common label (e.g. project=my-project) and use a ClusterFlow to collect logs from all pods matching this label.
project=my-project
In legacy logging, there are five logging destinations to choose from: Elasticsearch, Splunk, Kafka, Fluentd, and Syslog. With the exception of Syslog, all of these destinations are available in logging v2.5+.
In legacy logging, indices were automatically created according to the format in the “Index Patterns” section. In v2.5 logging, default behavior has been changed to logging to a single index. You can still configure index pattern functionality on the output object by editing as YAML and inputting the following values:
... spec: elasticsearch: ... logstash_format: true logstash_prefix: <desired prefix> logstash_dateformat: "%Y-%m-%d"
Replace <desired prefix> with the prefix for the indices that will be created. In legacy logging, this defaulted to the name of the cluster.
<desired prefix>
index
spec.splunkHec
source
client_key
client_cert
ca_file
ca_path
(1) client_key and client_cert values must be paths to the key and cert files, respectively. These files must be mounted into the rancher-logging-fluentd pod in order to be used.
rancher-logging-fluentd
(2) Users can configure either ca_file (a path to a PEM-encoded CA certificate) or ca_path (a path to a directory containing CA certificates in PEM format). These files must be mounted into the rancher-logging-fluentd pod in order to be used.
As of v2.5.2, it is only possible to add a single Fluentd server using the “Edit as Form” option. To add multiple servers, edit the output as YAML and input multiple servers.
host
spec.forward.servers[n]
weight
tls_private_key_path
spec.forward
tls_client_cert_path
tls_client_private_key_passphrase
tls_insecure_mode
false
tls_cert_path
(1) These values are to be specified as paths to files. Those files must be mounted into the rancher-logging-fluentd pod in order to be used.
As of v2.5.2, syslog is not currently supported as an output using v2.5+ logging.
In order to add custom log fields, you will need to add the following YAML to your flow configuration:
... spec: filters: - record_modifier: records: - foo: "bar"
(replace foo: "bar" with custom log fields you wish to add)
foo: "bar"
In legacy logging, collecting logs from system components was accomplished by checking a box labeled “Include System Log” when setting up cluster logging. In v2.5+ logging, system logs are gathered in one of two ways: