RHDEVDOCS-4064-loki final review - SMEs & Peer v2

Author: libander

_topic_maps/_topic_map.yml

@@ -76,7 +76,7 @@ Topics:
 - Name: Installation and update
   Distros: openshift-enterprise,openshift-origin
   File: architecture-installation
-- Name: Red Hat OpenShift Cluster Manager 
+- Name: Red Hat OpenShift Cluster Manager
   Distros: openshift-enterprise
   File: ocm-overview-ocp
 - Name: Control plane architecture
@@ -2117,6 +2117,8 @@ Topics:
     File: cluster-logging-systemd
   - Name: Maintenance and support
     File: cluster-logging-maintenance-support
+- Name: Logging with the LokiStack
+  File: cluster-logging-loki
 - Name: Viewing logs for a specific resource
   File: viewing-resource-logs
 - Name: Viewing cluster logs in Kibana

logging/cluster-logging-external.adoc

@@ -42,6 +42,7 @@ include::modules/cluster-logging-collector-log-forward-syslog.adoc[leveloffset=+
 include::modules/cluster-logging-collector-log-forward-cloudwatch.adoc[leveloffset=+1]
 
 include::modules/cluster-logging-collector-log-forward-loki.adoc[leveloffset=+1]
+
 include::modules/cluster-logging-troubleshooting-loki-entry-out-of-order-errors.adoc[leveloffset=+2]
 
 

logging/cluster-logging-loki.adoc

@@ -0,0 +1,23 @@
+:_content-type: ASSEMBLY
+:context: cluster-logging-loki
+[id="cluster-logging-loki"]
+= Loki
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+include::modules/cluster-logging-loki-about.adoc[leveloffset=+1]
+
+include::modules/cluster-logging-loki-deploy.adoc[leveloffset=+1]
+
+include::modules/cluster-logging-forwarding-lokistack.adoc[leveloffset=+1]
+
+include::modules/cluster-logging-troubleshooting-loki-entry-out-of-order-errors.adoc[leveloffset=+2]
+
+include::modules/cluster-logging-feature-reference.adoc[leveloffset=+1]
+
+== Additional Resources
+* link:https://grafana.com/docs/loki/latest/logql/[Loki Query Language (LogQL) Documentation]
+* link:https://loki-operator.dev/docs/howto_connect_grafana.md/[Grafana Dashboard Documentation]
+* link:https://loki-operator.dev/docs/object_storage.md/[Loki Object Storage Documentation]
+* link:https://grafana.com/docs/loki/latest/operations/storage/schema/#changing-the-schema[Loki Storage Schema Documentation]

modules/cluster-logging-collector-log-forward-loki.adoc

@@ -16,44 +16,47 @@ To configure log forwarding to Loki, you must create a `ClusterLogForwarder` cus
 +
 [source,yaml]
 ----
-apiVersion: "logging.openshift.io/v1"
-kind: ClusterLogForwarder
-metadata:
-  name: instance <1>
-  namespace: openshift-logging <2>
-spec:
-  outputs:
-   - name: loki-insecure <3>
-     type: "loki" <4>
-     url: http://loki.insecure.com:9200 <5>
-   - name: loki-secure
-     type: "loki"
-     url: https://loki.secure.com:9200 <6>
-     secret:
-        name: loki-secret <7>
-  pipelines:
-   - name: application-logs <8>
-     inputRefs: <9>
-     - application
-     - audit
-     outputRefs:
-     - loki-secure <10>
-     loki:
-       tenantKey: kubernetes.namespace_name <11>
-       labelKeys: kubernetes.labels.foo   <12>
+  apiVersion: "logging.openshift.io/v1"
+  kind: ClusterLogForwarder
+  metadata:
+    name: instance <1>
+    namespace: openshift-logging <2>
+  spec:
+    outputs:
+     - name: loki-insecure <3>
+       type: "loki" <4>
+       url: http://loki.insecure.com:3100 <5>
+       loki:
+          tenantKey: kubernetes.namespace_name
+          labelKeys: kubernetes.labels.foo
+     - name: loki-secure <6>
+       type: "loki"
+       url: https://loki.secure.com:3100
+       secret:
+          name: loki-secret <7>
+       loki:
+          tenantKey: kubernetes.namespace_name <8>
+          labelKeys: kubernetes.labels.foo <9>
+    pipelines:
+     - name: application-logs <10>
+       inputRefs:  <11>
+       - application
+       - audit
+       outputRefs: <12>
+       - loki-secure
 ----
 <1> The name of the `ClusterLogForwarder` CR must be `instance`.
 <2> The namespace for the `ClusterLogForwarder` CR must be `openshift-logging`.
 <3> Specify a name for the output.
 <4> Specify the type as `"loki"`.
-<5> Specify the URL and port of the Loki system as a valid absolute URL. You can use the `http` (insecure) or `https` (secure HTTP) protocol. If the cluster-wide proxy using the CIDR annotation is enabled, the output must be a server name or FQDN, not an IP Address.
+<5> Specify the URL and port of the Loki system as a valid absolute URL. You can use the `http` (insecure) or `https` (secure HTTP) protocol. If the cluster-wide proxy using the CIDR annotation is enabled, the output must be a server name or FQDN, not an IP Address. Loki's default port for HTTP(S) communication is 3100.
 <6> For a secure connection, you can specify an `https` or `http` URL that you authenticate by specifying a `secret`.
 <7> For an `https` prefix, specify the name of the secret required by the endpoint for TLS communication. The secret must exist in the `openshift-logging` project, and must have keys of: *tls.crt*, *tls.key*, and *ca-bundle.crt* that point to the respective certificates that they represent. Otherwise, for `http` and `https` prefixes, you can specify a secret that contains a username and password. For more information, see the following "Example: Setting secret that contains a username and password."
-<8> Optional: Specify a name for the pipeline.
-<9> Specify which log types to forward by using the pipeline: `application,` `infrastructure`, or `audit`.
-<10> Specify the name of the output to use when forwarding logs with this pipeline.
-<11> Optional: Specify a meta-data key field to generate values for the `TenantID` field in Loki. For example, setting `tenantKey: kubernetes.namespace_name` uses the names of the Kubernetes namespaces as values for tenant IDs in Loki. To see which other log record fields you can specify, see the "Log Record Fields" link in the following "Additional resources" section.
-<12> Optional: Specify a list of meta-data field keys to replace the default Loki labels. Loki label names must match the regular expression `[a-zA-Z_:][a-zA-Z0-9_:]*`. Illegal characters in meta-data keys are replaced with `_` to form the label name. For example, the `kubernetes.labels.foo` meta-data key becomes Loki label `kubernetes_labels_foo`. If you do not set `labelKeys`, the default value is: `[log_type, kubernetes.namespace_name, kubernetes.pod_name, kubernetes_host]`. Keep the set of labels small because Loki limits the size and number of labels allowed. See link:https://grafana.com/docs/loki/latest/configuration/#limits_config[Configuring Loki, limits_config]. You can still query based on any log record field using query filters.
+<8> Optional: Specify a meta-data key field to generate values for the `TenantID` field in Loki. For example, setting `tenantKey: kubernetes.namespace_name` uses the names of the Kubernetes namespaces as values for tenant IDs in Loki. To see which other log record fields you can specify, see the "Log Record Fields" link in the following "Additional resources" section.
+<9> Optional: Specify a list of meta-data field keys to replace the default Loki labels. Loki label names must match the regular expression `[a-zA-Z_:][a-zA-Z0-9_:]*`. Illegal characters in meta-data keys are replaced with `_` to form the label name. For example, the `kubernetes.labels.foo` meta-data key becomes Loki label `kubernetes_labels_foo`. If you do not set `labelKeys`, the default value is: `[log_type, kubernetes.namespace_name, kubernetes.pod_name, kubernetes_host]`. Keep the set of labels small because Loki limits the size and number of labels allowed. See link:https://grafana.com/docs/loki/latest/configuration/#limits_config[Configuring Loki, limits_config]. You can still query based on any log record field using query filters.
+<10> Optional: Specify a name for the pipeline.
+<11> Specify which log types to forward by using the pipeline: `application,` `infrastructure`, or `audit`.
+<12> Specify the name of the output to use when forwarding logs with this pipeline.
 +
 [NOTE]
 ====

modules/cluster-logging-feature-reference.adoc

@@ -0,0 +1,107 @@
+// Module is included in the following assemblies:
+//cluster-logging-loki.adoc
+:_content-type: REFERENCE
+[id="logging-feature-ref_{context}"]
+= Collector features
+
+.Log Sources
+[options="header"]
+|===============================================================
+| Feature                   | Fluentd  | Vector
+| App container logs        | ✓ | ✓
+| App-specific routing      | ✓ | ✓
+| App-specific routing by namespace | ✓ | ✓
+| Infra container logs      | ✓ | ✓
+| Infra journal logs        | ✓ | ✓
+| Kube API audit logs       | ✓ | ✓
+| Openshift API audit logs  | ✓ | ✓
+| Open Virtual Network (OVN) audit logs| ✓ | ✓
+|===============================================================
+
+.Outputs
+[options="header"]
+|==========================================================
+| Feature              | Fluentd  | Vector
+| Elasticsearch v5-v7  | ✓ | ✓
+| Fluent forward       | ✓ |
+| Syslog RFC3164       | ✓ |
+| Syslog RFC5424       | ✓ |
+| Kafka                | ✓ | ✓
+| Cloudwatch           | ✓ | ✓
+| Loki                 | ✓ | ✓
+|==========================================================
+
+.Authorization and Authentication
+[options="header"]
+|=================================================================
+| Feature                     | Fluentd  | Vector
+| Elasticsearch certificates  | ✓ | ✓
+| Elasticsearch username / password | ✓ | ✓
+| Cloudwatch keys             | ✓ | ✓
+| Cloudwatch STS              | ✓ |
+| Kafka certificates          | ✓ | ✓
+| Kafka username / password   | ✓ | ✓
+| Kafka SASL                  | ✓ | ✓
+| Loki bearer token           | ✓ | ✓
+|=================================================================
+
+.Normalizations and Transformations
+[options="header"]
+|============================================================================
+| Feature                                | Fluentd  | Vector
+| Viaq data model - app                  | ✓ | ✓
+| Viaq data model - infra                | ✓ | ✓
+| Viaq data model - infra(journal)       | ✓ | ✓
+| Viaq data model - Linux audit          | ✓ | ✓
+| Viaq data model - kube-apiserver audit | ✓ | ✓
+| Viaq data model - OpenShift API audit  | ✓ | ✓
+| Viaq data model - OVN                  | ✓ | ✓
+| Loglevel Normalization                 | ✓ | ✓
+| JSON parsing                           | ✓ | ✓
+| Structured Index                       | ✓ | ✓
+| Multiline error detection              | ✓ |
+| Multicontainer / split indices         | ✓ | ✓
+| Flatten labels                         | ✓ | ✓
+| CLF static labels                      | ✓ | ✓
+|============================================================================
+
+.Tuning
+[options="header"]
+|==========================================================
+| Feature                | Fluentd  | Vector
+| Fluentd readlinelimit  | ✓ |
+| Fluentd buffer         | ✓ |
+| - chunklimitsize       | ✓ |
+| - totallimitsize       | ✓ |
+| - overflowaction       | ✓ |
+| - flushthreadcount     | ✓ |
+| - flushmode            | ✓ |
+| - flushinterval        | ✓ |
+| - retrywait            | ✓ |
+| - retrytype            | ✓ |
+| - retrymaxinterval     | ✓ |
+| - retrytimeout         | ✓ |
+|==========================================================
+
+.Visibility
+[options="header"]
+|=====================================================
+| Feature         | Fluentd  | Vector
+| Metrics         | ✓ | ✓
+| Dashboard       | ✓ | ✓
+| Alerts          | ✓ |
+|=====================================================
+
+.Miscellaneous
+[options="header"]
+|===========================================================
+| Feature               | Fluentd  | Vector
+| Global proxy support  | ✓ | ✓
+| x86 support           | ✓ | ✓
+| ARM support           | ✓ | ✓
+| PowerPC support       | ✓ | ✓
+| IBM Z support         | ✓ | ✓
+| IPV6 support          | ✓ | ✓
+| Log event buffering   | ✓ |
+| Disconnected Cluster  | ✓ | ✓
+|===========================================================

modules/cluster-logging-forwarding-lokistack.adoc

@@ -0,0 +1,32 @@
+// Module is included in the following assemblies:
+//cluster-logging-loki.adoc
+:_content-type: PROCEDURE
+[id="cluster-logging-forwarding-lokistack_{context}"]
+= Forwarding logs to LokiStack
+
+To configure log forwarding to the LokiStack gateway, you must create a ClusterLogging custom resource (CR).
+
+.Prerequisites
+
+* {logging-title-uc}: 5.5 and later
+* `LokiOperator` Operator
+
+.Procedure
+
+. Create or edit a YAML file that defines the `ClusterLogging` custom resource (CR):
+
+[source,yaml]
+----
+apiVersion: logging.openshift.io/v1
+kind: ClusterLogging
+metadata:
+  name: instance
+  namespace: openshift-logging
+spec:
+  logStore:
+    type: lokistack
+    lokistack:
+      name: lokistack-dev
+  collection:
+    type: vector
+----

modules/cluster-logging-logcli-reference.adoc

@@ -0,0 +1,31 @@
+// Module is included in the following assemblies:
+//cluster-logging-loki.adoc
+:_content-type: REFERENCE
+[id="logging-logcli-about_{context}"]
+
+= Querying Loki
+
+You can use Loki's command-line interface `logcli` to query logs.
+
+.Example Application Log Query
+[source,terminal]
+----
+$ oc extract cm/lokistack-sample-ca-bundle --to=lokistack --confirm
+$ cat lokistack/*.crt >lokistack_ca.crt
+$ logcli -o raw --bearer-token="${bearer_token}" --ca-cert="lokistack_ca.crt" --addr xxxxxx
+----
+
+.Example Infrastructure Log Query
+[source,terminal]
+----
+$ logcli --bearer-token="$(oc whoami -t)" --addr https://lokistack-dev-openshift-logging.apps.devcluster.openshift.com/api/logs/v1/infrastructure labels
+----
+
+.Example Audit log Query
+[source,terminal]
+----
+$ logcli --bearer-token="$(oc whoami -t)" --addr https://lokistack-dev-openshift-logging.apps.devcluster.openshift.com/api/logs/v1/audit labels
+----
+
+.Additional Resources
+* link:https://grafana.com/docs/loki/latest/tools/logcli/[LogCLI Documentation]

modules/cluster-logging-loki-about.adoc

@@ -0,0 +1,41 @@
+// Module is included in the following assemblies:
+//cluster-logging-loki.adoc
+:_content-type: CONCEPT
+[id="about-logging-loki_{context}"]
+= About the LokiStack
+
+In {logging} documentation, *LokiStack* refers to the {logging} supported combination of Loki, and web proxy with {product-title} authentication integration. LokiStack's proxy uses {product-title} authentication to enforce multi-tenancy. *Loki* refers to the log store as either the individual component or an external store.
+
+Loki is a horizontally scalable, highly available, multi-tenant log aggregation system currently offered as an alternative to Elasticsearch as a log store for the {logging}. Elasticsearch indexes incoming log records completely during ingestion. Loki only indexes a few fixed labels during ingestion, and defers more complex parsing until after the logs have been stored. This means Loki can collect logs more quickly. As with Elasticsearch, you can query Loki link:https://grafana.com/docs/loki/latest/[using JSON paths or regular expressions].
+
+[id="deployment-sizing_{context}"]
+== Deployment Sizing
+Sizing for Loki follows the format of `N<x>._<size>_` where the value `<N>` is number of instances and `<size>` specifies performance capabilities.
+
+.Loki Sizing
+[options="header"]
+|========================================================================================
+|                              | 1x.extra-small  | 1x.small            | 1x.medium
+| *Data transfer*              | Demo use only.  | 500GB/day           | 2TB/day
+| *Queries per second (QPS)*   | Demo use only.  | 25-50 QPS at 200ms  | 25-75 QPS at 200ms
+| *Replication factor*         | None            | 2                   | 3
+| *Total CPU requests*         | 5 vCPUs         | 36 vCPUs            | 54 vCPUs
+| *Total Memory requests*      | 7.5Gi           | 63Gi                | 139Gi
+| *Total Disk requests*        | 150Gi           | 300Gi               | 450Gi
+|========================================================================================
+
+[id="CRD-API-support_{context}"]
+== Supported API Custom Resource Definitions
+LokiStack development is ongoing, not all APIs are supported currently supported.
+
+[options="header"]
+|=====================================================================
+| CustomResourceDefinition (CRD)| ApiVersion           | Support state
+| LokiStack      | lokistack.loki.grafana.com/v1       | Supported in 5.5
+| RulerConfig    | rulerconfig.loki.grafana/v1beta1    | Technology Preview
+| AlertingRule   | alertingrule.loki.grafana/v1beta1   | Technology Preview
+| RecordingRule  | recordingrule.loki.grafana/v1beta1  | Technology Preview
+|=====================================================================
+
+:FeatureName: Usage of `RulerConfig`, `AlertingRule` and `RecordingRule` custom resource definitions (CRDs).
+include::snippets/technology-preview.adoc[]