You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: pipeline/outputs/gelf.md
+60-4Lines changed: 60 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -46,7 +46,54 @@ For more details about the properties available and general configuration, see [
46
46
47
47
If you're using Fluent Bit for shipping Kubernetes logs, you can use something like this as your configuration file:
48
48
49
+
{% tabs %}
50
+
{% tab title="fluent-bit.yaml" %}
51
+
52
+
```yaml
53
+
parsers:
54
+
- name: docker
55
+
format: json
56
+
time_key: time
57
+
time_format: '%Y-%m-%dT%H:%M:%S.%L'
58
+
time_keep: off
59
+
60
+
pipeline:
61
+
inputs:
62
+
- name: tail
63
+
tag: kube.*
64
+
path: /var/log/containers/*.log
65
+
parser: docker
66
+
db: /var/log/flb_kube.db
67
+
mem_buf_limit: 5MB
68
+
refresh_interval: 10
69
+
70
+
filters:
71
+
- name: kubernetes
72
+
match: 'kube.*'
73
+
merge_log_key: log
74
+
merge_log: on
75
+
keep_log: off
76
+
annotations: off
77
+
labels: off
78
+
79
+
- name: nest
80
+
match: '*'
81
+
operation: lift
82
+
nested_under: log
83
+
84
+
outputs:
85
+
- name: gelf
86
+
match: 'kube.*'
87
+
host: <your-graylog-server>
88
+
port: 12201
89
+
mode: tcp
90
+
gelf_short_message_key: data
49
91
```
92
+
93
+
{% endtab %}
94
+
{% tab title="fluent-bit.conf" %}
95
+
96
+
```text
50
97
[INPUT]
51
98
Name tail
52
99
Tag kube.*
@@ -87,16 +134,23 @@ If you're using Fluent Bit for shipping Kubernetes logs, you can use something l
87
134
Time_Keep Off
88
135
```
89
136
137
+
{% endtab %}
138
+
{% endtabs %}
139
+
90
140
By default, GELF tcp uses port 12201 and Docker places your logs in `/var/log/containers` directory. The logs are placed in value of the `log` key. For example, this is a log saved by Docker:
91
141
92
-
```javascript
142
+
```text
143
+
...
93
144
{"log":"{\"data\": \"This is an example.\"}","stream":"stderr","time":"2019-07-21T12:45:11.273315023Z"}
145
+
...
94
146
```
95
147
96
148
If you use [Tail Input](../inputs/tail.md) and use a Parser like the `docker` parser shown above, it decodes your message and extracts `data` (and any other present) field. This is how this log in [stdout](standard-output.md) looks like after decoding:
97
149
98
-
```
150
+
```text
151
+
...
99
152
[0] kube.log: [1565770310.000198491, {"log"=>{"data"=>"This is an example."}, "stream"=>"stderr", "time"=>"2019-07-21T12:45:11.273315023Z"}]
153
+
...
100
154
```
101
155
102
156
Now, this is what happens to this log:
@@ -110,6 +164,8 @@ Now, this is what happens to this log:
110
164
111
165
Finally, this is what our Graylog server input sees:
112
166
113
-
```javascript
167
+
```text
168
+
...
114
169
{"version":"1.1", "short_message":"This is an example.", "host": "<Your Node Name>", "_stream":"stderr", "timestamp":1565770310.000199}
0 commit comments