Collecting file logs with Host Tailer on the Logging Operator

This document (000020992) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Rancher 2.6.9
SUSE Rancher 2.7.x

Situation

Pre-requisites

To retrieve logs that are not written to stdout (e.g. kube-audit logs), one can use the Banzai Host Tailer CRD provided by https://banzaicloud.com/. From the documentation: "HostTailer's main goal is to tail custom files and transmit their changes to stdout". This way, the logging-operator can process them. Example usage can be found in the Banzai Cloud documentation. Similarly, you can use a file tailer if you know the log file name.

Resolution

1. Create a HostTailer to retrieve the audit logs
apiVersion: logging-extensions.banzaicloud.io/v1alpha1
kind: HostTailer
metadata:
  name: kubeaudit-hosttailer-sample
spec:
  fileTailers:
    - name: kube-audit
      path: /var/log/kube-audit/audit-log.json
      disabled: false
Note: It will be created in the "default" namespace if none is specified.

1.2 Verify the HostTailer object
kubectl get hosttailer -n default
1.3 Verify the daemonset created by the HostTailer
kubectl get daemonsets -n default
1.4 Verify the HostTailer pod labels
$ kubectl get pods --show-labels -n default | grep -i hosttailer
kubeaudit-hosttailer-sample-host-tailer-n8h8q   1/1     Running   0          9d    app.kubernetes.io/instance=kubeaudit-hosttailer-sample-host-tailer,app.kubernetes.io/name=host-tailer
The label "app.kubernetes.io/name=host-tailer" will be used in the ClusterFlow object.

2. If a ClusterFlow is already in place, update its match section so that it selects the host-tailer pods:
  match:
  - select:
      labels:
        app.kubernetes.io/name: host-tailer

Otherwise, create a new ClusterFlow and ClusterOutput following these examples.

2.1 Create ClusterFlow
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterFlow
metadata:
  name: flowhostfile
  namespace: cattle-logging-system
spec:
  globalOutputRefs:
  - output-test-hostfile
  match:
  - select:
      labels:
        app.kubernetes.io/name: host-tailer
For testing purposes, the ClusterOutput writes to a file inside the Fluentd container.
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
  name: output-test-hostfile
  namespace: cattle-logging-system
spec:
  file:
    path: /tmp/${tag}
Note the ${tag} placeholder in the path, which is required by Fluentd. In this example the logs will be available in the /tmp folder of the pod rancher-logging-root-fluentd-0 in the cattle-logging-system namespace.
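The verification steps above (1.2 to 1.4 and the final check of the Fluentd pod) can be run as one script. This is an added example, not part of the SUSE article: the resource names default to the article's values, the daemonset name is derived from the pod name shown in step 1.4, and the pod line used for offline checks is constructed from that same step.

```shell
#!/bin/sh
# Added example (not from the SUSE article): verify the HostTailer -> ClusterFlow -> ClusterOutput chain.
set -eu

HT_NAME="${HT_NAME:-kubeaudit-hosttailer-sample}"          # HostTailer from step 1
HT_NS="${HT_NS:-default}"                                  # namespace the HostTailer landed in
LOGGING_NS="${LOGGING_NS:-cattle-logging-system}"          # namespace of the ClusterFlow/ClusterOutput
FLUENTD_POD="${FLUENTD_POD:-rancher-logging-root-fluentd-0}"
# Label the ClusterFlow's match selects on (step 1.4 / step 2).
SELECTOR_LABEL="app.kubernetes.io/name=host-tailer"
# Assumption: daemonset name derived from the pod name in step 1.4 (pod = <daemonset>-<suffix>).
DS_NAME="${HT_NAME}-host-tailer"

# Return the LABELS column (last field) of one `kubectl get pods --show-labels` data line.
labels_from_line() {
  printf '%s\n' "$1" | awk '{print $NF}'
}

# Succeed (exit 0) only if the comma-separated label list contains the selector label exactly.
has_selector_label() {
  case ",$1," in
    *",${SELECTOR_LABEL},"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check against the cluster; needs kubectl and access to both namespaces.
check_hosttailer_chain() {
  kubectl get hosttailer "$HT_NAME" -n "$HT_NS" >/dev/null
  kubectl rollout status "daemonset/${DS_NAME}" -n "$HT_NS" --timeout=60s
  # Select the pod the same way the ClusterFlow does, then confirm the label really is present.
  line=$(kubectl get pods -n "$HT_NS" --show-labels --no-headers -l "$SELECTOR_LABEL" | head -n 1)
  [ -n "$line" ] || { echo "no pod in $HT_NS carries $SELECTOR_LABEL" >&2; return 1; }
  has_selector_label "$(labels_from_line "$line")" || { echo "label check failed" >&2; return 1; }
  # The ClusterOutput writes to /tmp/${tag}; list what Fluentd has produced so far.
  kubectl exec -n "$LOGGING_NS" "$FLUENTD_POD" -- ls -l /tmp
}

# Set RUN_CHECK=1 to run the live check; the helpers above can be sourced and used on their own.
if [ "${RUN_CHECK:-0}" = 1 ]; then
  check_hosttailer_chain
fi
```

Run it with RUN_CHECK=1 once the HostTailer, ClusterFlow and ClusterOutput have been applied; an empty /tmp listing usually means the match labels or the globalOutputRefs name do not line up.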
Cause

The underlying issue is that kube-audit logs are not written to stdout, so the logging operator can't process them. This is why the Banzai Host Tailer CRD is needed: it tails custom files and transmits their changes to stdout.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020992
  • Creation Date: 28-Feb-2023
  • Modified Date: 03-Apr-2024
  • Product: SUSE Rancher
