Docs » Get started with the Splunk Distribution of the OpenTelemetry Collector » Get started with the Collector for Kubernetes » Configure logs and events for Kubernetes

Configure logs and events for Kubernetes πŸ”—

Note

See how to configure the Collector for Kubernetes at Configure the Collector for Kubernetes with Helm and Advanced configuration for Kubernetes.

Starting on version 0.86.0, the Splunk Distribution of Collector for Kubernetes collects native OpenTelemetry logs by default.

The following applies:

  • Use version 0.80.0 (or higher) of the Splunk OpenTelemetry Collector to correlate logs and traces in Istio environments.

    • If you’re unable to upgrade the Collector to the required version, use Fluentd for log collection and deploy the Helm chart with autodetect.istio=true. See Splunk OpenTelemetry collector version 0.80.0 for more information.

  • The Collector cannot collect Journald logs natively.

  • Log collection is not supported in GKE Autopilot.

  • See also other rules and limitations for metrics and dimensions. For instance, you can have up to 36 dimensions per MTS, otherwise the data point is dropped.

Use Fluentd to collect logs πŸ”—

You can also use Fluentd to collect Kubernetes logs and send them through the Collector, which does all of the necessary metadata enrichment.

Add the following line to your configuration to use Fluentd to collect logs.

logsEngine: fluentd

Add log files from Kubernetes host machines or volumes πŸ”—

To add additional log files to be ingested from Kubernetes host machines and Kubernetes volumes, use agent.extraVolumes, agent.extraVolumeMounts, and logsCollection.extraFileLogs in the values.yaml file used to deploy the Collector for Kubernetes.

The following example shows how to add logs from Kubernetes host machines:

logsCollection:
  extraFileLogs:
    filelog/audit-log:
      include: [/var/log/kubernetes/apiserver/audit.log]
      start_at: beginning
      include_file_path: true
      include_file_name: false
      resource:
        com.splunk.source: /var/log/kubernetes/apiserver/audit.log
        host.name: 'EXPR(env("K8S_NODE_NAME"))'
        com.splunk.sourcetype: kube:apiserver-audit
agent:
  extraVolumeMounts:
    - name: audit-log
      mountPath: /var/log/kubernetes/apiserver
  extraVolumes:
    - name: audit-log
      hostPath:
        path: /var/log/kubernetes/apiserver

Process multi-line logs πŸ”—

The Splunk Distribution of OpenTelemetry Collector for Kubernetes supports parsing of multi-line logs to help read, understand, and troubleshoot the multi-line logs in a better way.

To process multi-line logs, add the following section to your values.yaml configuration:

logsCollection:
  containers:
    multilineConfigs:
      - namespaceName:
          value: default
        podName:
          value: buttercup-app-.*
          useRegexp: true
        containerName:
          value: server
          firstEntryRegex: ^[^\s].*

Use regex101 to find a Golang regex that works for your format and specify it in the config file for the config option firstEntryRegex.

Manage log ingestion using annotations πŸ”—

Use the splunk.com/index annotation on pods or namespaces to indicate which Splunk platform indexes you want to send logs to. Pod annotation will take precedence over namespace annotation when both are annotated.

For example, to send logs from the kube-system namespace to the k8s_events index, use the command:

kubectl annotate namespace kube-system splunk.com/index=k8s_events

Filter logs using pod or namespace annotations πŸ”—

If logsCollection.containers.useSplunkIncludeAnnotation is false (default value), set the splunk.com/exclude annotation to true on pods or namespaces to exclude their logs from being ingested. For example:

# annotates a namespace
kubectl annotate namespace <my-namespace> splunk.com/exclude=true

# annotates a pod
kubectl annotate pod -n <my-namespace> <my-pod> splunk.com/exclude=true

If logsCollection.containers.useSplunkIncludeAnnotation is true, set the splunk.com/include annotation to true on pods or namespaces to only ingest their logs. All other logs will be ignored. For example:

# annotates a namespace
kubectl annotate namespace <my-namespace> splunk.com/include=true

# annotates a pod
kubectl annotate pod -n <my-namespace> <my-pod> splunk.com/include=true

Filter source types πŸ”—

Use the splunk.com/sourcetype annotation on a pod to overwrite the sourcetype field. If not set, it will default to kube:container:CONTAINER_NAME.

kubectl annotate pod -n <my-namespace> <my-pod> splunk.com/sourcetype=kube:apiserver-audit

Review performance benchmarks πŸ”—

Configurations set using the Collector for Kubernetes Helm chart might have an impact on overall performance of log ingestion. The more receivers, processors, exporters, and extensions you add to any of the pipelines, the greater the performance impact.

The Collector for Kubernetes can exceed the default throughput of the HTTP Event Collector (HEC). To address capacity needs, monitor the HEC throughput and back pressure on the Collector for Kubernetes deployments and, if necessary, add additional nodes.

The following table provides a summary of performance benchmarks run internally:

Performance benchmarks πŸ”—

Log generator count

Event size (byte)

Agent CPU usage

Agent EPS

1

256

1.8

30,000

1

516

1.8

28,000

1

1024

1.8

24,000

5

256

3.2

54,000

7

256

3

52,000

10

256

3.2

53,000

The data pipelines for these test runs involved reading container logs as they are being written, then parsing filename for metadata, enriching it with Kubernetes metadata, reformatting the data structure, and sending logs (without compression) to the Splunk HEC endpoint.

Collect events πŸ”—

Collect Kubernetes events πŸ”—

To see Kubernetes events as part of the Events Feed section in charts, set splunkObservability.infrastructureMonitoringEventsEnabled to true. The cluster receiver will be configured with a Smart Agent receiver using the kubernetes-events monitor to send custom events.

To collect Kubernetes events as logs for Log Observer or Log Observer Connect using the Collector, you need to add k8sObjects to your configuration file, and set logsEnabled to true in either splunkObservability or splunkPlatform. Events are processed in the logs pipeline.

k8sObjects has the following fields:

  • name. Required. Name of the object, for example pods or namespaces.

  • mode. Defines in which way this type of object is collected: either pull or watch. pull by default.

    • pull mode reads all objects of this type using the list API at an interval.

    • watch mode sets up a long connection using the watch API to get updates only.

  • namespaces. If specified, the Collector only collects objects from the specified namespaces. By default, the matching objects from all namespaces are included.

  • labelSelector. Selects objects by labels.

  • fieldSelector. Selects objects by fields.

  • interval. Only applies to pull mode. The interval at which object is pulled. 60 seconds by default.

For example:

k8sObjects:
  - name: pods
    mode: pull
    label_selector: environment in (production),tier in (frontend)
    field_selector: status.phase=Running
    interval: 15m
  - name: events
    mode: watch
    group: events.k8s.io
    namespaces: [default]

For more information, see the Github documentation for the cluster receiver Helm chart deployment at Kubernetes objects collection using OpenTelemetry Kubernetes Object Receiver .

Collect journald events πŸ”—

The Splunk Distribution of OpenTelemetry Collector for Kubernetes can collect journald events from Kubernetes environments. To process journald events, add the following section to your values.yaml configuration:

logsCollection:
  journald:
    enabled: true
    directory: /run/log/journal
    # List of service units to collect and configuration for each. Update the list as needed.
    units:
      - name: kubelet
        priority: info
      - name: docker
        priority: info
      - name: containerd
        priority: info
    # Optional: Route journald logs to a separate Splunk Index by specifying the index
    # value. Make sure the index exists in Splunk and is configured to receive HEC
    # traffic (not applicable to Splunk Observability Cloud).
    index: ""