fluent-plugin-cloudwatch-logs 0.7.4 → 0.7.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +61 -25
- data/lib/fluent/plugin/cloudwatch/logs/version.rb +1 -1
- data/lib/fluent/plugin/out_cloudwatch_logs.rb +8 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ec1239dd4ccfdea1b4989f51bd5949ab73fc6864d68716266e3fd536f06a1958
|
4
|
+
data.tar.gz: cf34cad429a40c2f3d78a659dc23ebdad49b57aeef39a0a166a4b82bfe820ed9
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 88fd26f6f050cb2b776edbe5938392a1e7f8fc07b113836db98cafd40cb490f439a6bc097822d70557bcf40924e5f15056acb107953ceaeb722d79c1dea5d1b3
|
7
|
+
data.tar.gz: a83e07ae68fddcfc81788a56964c3926176ee44db1b4a92a65a169fcf5692807ad39acab639814c7bd419dd42cfaa53da9179299db74bd6fe1dbc37a8699bedd
|
data/README.md
CHANGED
@@ -15,7 +15,9 @@
|
|
15
15
|
|
16
16
|
## Installation
|
17
17
|
|
18
|
-
|
18
|
+
```sh
|
19
|
+
gem install fluent-plugin-cloudwatch-logs
|
20
|
+
```
|
19
21
|
|
20
22
|
## Preparation
|
21
23
|
|
@@ -40,39 +42,62 @@ Create IAM user with a policy like the following:
|
|
40
42
|
}
|
41
43
|
```
|
42
44
|
|
43
|
-
|
45
|
+
## Authentication
|
46
|
+
|
47
|
+
There are several methods to provide authentication credentials. Be aware that there are various tradeoffs for these methods,
|
48
|
+
although most of these tradeoffs are highly dependent on the specific environment.
|
49
|
+
|
50
|
+
### Environment
|
44
51
|
|
52
|
+
Set region and credentials via the environment:
|
53
|
+
|
54
|
+
```sh
|
55
|
+
export AWS_REGION=us-east-1
|
56
|
+
export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
|
57
|
+
export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_ACCESS_KEY"
|
45
58
|
```
|
46
|
-
|
47
|
-
|
48
|
-
|
59
|
+
|
60
|
+
Note: For this to work persistently the enviornment will need to be set in the startup scripts or docker variables.
|
61
|
+
|
62
|
+
### AWS Configuration
|
63
|
+
|
64
|
+
The plugin will look for the `$HOME/.aws/config` and `$HOME/.aws/credentials` for configuration information. To setup, as the
|
65
|
+
fluentd user, run:
|
66
|
+
|
67
|
+
```sh
|
68
|
+
aws configure
|
49
69
|
```
|
50
70
|
|
71
|
+
### Configuration Parameters
|
72
|
+
|
73
|
+
The authentication information can also be set
|
74
|
+
|
51
75
|
## Example
|
52
76
|
|
53
77
|
Start fluentd:
|
54
78
|
|
55
|
-
```
|
56
|
-
|
79
|
+
```sh
|
80
|
+
fluentd -c example/fluentd.conf
|
57
81
|
```
|
58
82
|
|
59
83
|
Send sample log to CloudWatch Logs:
|
60
84
|
|
61
|
-
```
|
62
|
-
|
85
|
+
```sh
|
86
|
+
echo '{"hello":"world"}' | fluent-cat test.cloudwatch_logs.out
|
63
87
|
```
|
64
88
|
|
65
89
|
Fetch sample log from CloudWatch Logs:
|
66
90
|
|
67
|
-
```
|
91
|
+
```sh
|
68
92
|
# stdout
|
69
93
|
2014-07-17 00:28:02 +0900 test.cloudwatch_logs.in: {"hello":"world"}
|
70
94
|
```
|
71
95
|
|
72
96
|
## Configuration
|
97
|
+
|
73
98
|
### out_cloudwatch_logs
|
74
99
|
|
75
|
-
```
|
100
|
+
```aconf
|
76
101
|
<match tag>
|
77
102
|
@type cloudwatch_logs
|
78
103
|
log_group_name log-group-name
|
@@ -98,6 +123,8 @@ Fetch sample log from CloudWatch Logs:
|
|
98
123
|
```
|
99
124
|
|
100
125
|
* `auto_create_stream`: to create log group and stream automatically. (defaults to false)
|
126
|
+
* `aws_key_id`: AWS Access Key. See [Authentication](#authentication) for more information.
|
127
|
+
* `aws_sec_key`: AWS Secret Access Key. See [Authentication](#authentication) for more information.
|
101
128
|
* `concurrency`: use to set the number of threads pushing data to CloudWatch. (default: 1)
|
102
129
|
* `endpoint`: use this parameter to connect to the local API endpoint (for testing)
|
103
130
|
* `http_proxy`: use to set an optional HTTP proxy
|
@@ -117,6 +144,7 @@ Fetch sample log from CloudWatch Logs:
|
|
117
144
|
* `put_log_events_disable_retry_limit`: if true, `put_log_events_retry_limit` will be ignored
|
118
145
|
* `put_log_events_retry_limit`: maximum count of retry (if exceeding this, the events will be discarded)
|
119
146
|
* `put_log_events_retry_wait`: time before retrying PutLogEvents (retry interval increases exponentially like `put_log_events_retry_wait * (2 ^ retry_count)`)
|
147
|
+
* `region`: AWS Region. See [Authentication](#authentication) for more information.
|
120
148
|
* `remove_log_group_aws_tags_key`: remove field specified by `log_group_aws_tags_key`
|
121
149
|
* `remove_log_group_name_key`: remove field specified by `log_group_name_key`
|
122
150
|
* `remove_log_stream_name_key`: remove field specified by `log_stream_name_key`
|
@@ -126,9 +154,12 @@ Fetch sample log from CloudWatch Logs:
|
|
126
154
|
* `use_tag_as_group`: to use tag as a group name
|
127
155
|
* `use_tag_as_stream`: to use tag as a stream name
|
128
156
|
|
157
|
+
**NOTE:** `retention_in_days` requests additional IAM permission `logs:PutRetentionPolicy` for log_group.
|
158
|
+
Please refer to [the PutRetentionPolicy column in documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html) for details.
|
159
|
+
|
129
160
|
### in_cloudwatch_logs
|
130
161
|
|
131
|
-
```
|
162
|
+
```aconf
|
132
163
|
<source>
|
133
164
|
@type cloudwatch_logs
|
134
165
|
tag cloudwatch.in
|
@@ -141,6 +172,8 @@ Fetch sample log from CloudWatch Logs:
|
|
141
172
|
</source>
|
142
173
|
```
|
143
174
|
|
175
|
+
* `aws_key_id`: AWS Access Key. See [Authentication](#authentication) for more information.
|
176
|
+
* `aws_sec_key`: AWS Secret Access Key. See [Authentication](#authentication) for more information.
|
144
177
|
* `aws_sts_role_arn`: the role ARN to assume when using cross-account sts authentication
|
145
178
|
* `aws_sts_session_name`: the session name to use with sts authentication (default: `fluentd`)
|
146
179
|
* `aws_use_sts`: use [AssumeRoleCredentials](http://docs.aws.amazon.com/sdkforruby/api/Aws/AssumeRoleCredentials.html) to authenticate, rather than the [default credential hierarchy](http://docs.aws.amazon.com/sdkforruby/api/Aws/CloudWatchLogs/Client.html#initialize-instance_method). See 'Cross-Account Operation' below for more detail.
|
@@ -150,6 +183,7 @@ Fetch sample log from CloudWatch Logs:
|
|
150
183
|
* `json_handler`: name of the library to be used to handle JSON data. For now, supported libraries are `json` (default) and `yajl`.
|
151
184
|
* `log_group_name`: name of log group to fetch logs
|
152
185
|
* `log_stream_name`: name of log stream to fetch logs
|
186
|
+
* `region`: AWS Region. See [Authentication](#authentication) for more information.
|
153
187
|
* `state_file`: file to store current state (e.g. next\_forward\_token)
|
154
188
|
* `tag`: fluentd tag
|
155
189
|
* `use_log_stream_name_prefix`: to use `log_stream_name` as log stream name prefix (default false)
|
@@ -160,7 +194,7 @@ Fetch sample log from CloudWatch Logs:
|
|
160
194
|
|
161
195
|
Set credentials:
|
162
196
|
|
163
|
-
```
|
197
|
+
```aconf
|
164
198
|
$ export AWS_REGION=us-east-1
|
165
199
|
$ export AWS_ACCESS_KEY_ID="YOUR_ACCESS_KEY"
|
166
200
|
$ export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
|
@@ -168,29 +202,30 @@ $ export AWS_SECRET_ACCESS_KEY="YOUR_SECRET_KEY"
|
|
168
202
|
|
169
203
|
Run tests:
|
170
204
|
|
171
|
-
```
|
172
|
-
|
205
|
+
```sh
|
206
|
+
rake test
|
173
207
|
```
|
174
208
|
|
175
209
|
Or, If you do not want to use IAM roll or ENV(this is just like writing to configuration file) :
|
176
210
|
|
177
|
-
```
|
178
|
-
|
211
|
+
```sh
|
212
|
+
rake aws_key_id=YOUR_ACCESS_KEY aws_sec_key=YOUR_SECRET_KEY region=us-east-1 test
|
179
213
|
```
|
180
214
|
|
181
215
|
If you want to run the test suite against a mock server, set `endpoint` as below:
|
182
216
|
|
183
|
-
```
|
184
|
-
|
185
|
-
|
217
|
+
```sh
|
218
|
+
export endpoint='http://localhost:5000/'
|
219
|
+
rake test
|
186
220
|
```
|
187
221
|
|
188
222
|
|
189
223
|
## Caution
|
190
224
|
|
191
|
-
|
225
|
+
If an event message exceeds API limit (256KB), the event will be discarded.
|
192
226
|
|
193
227
|
## Cross-Account Operation
|
228
|
+
|
194
229
|
In order to have an instance of this plugin running in one AWS account to fetch logs from another account cross-account IAM authentication is required. Whilst this can be accomplished by configuring specific instances of the plugin manually with credentials for the source account in question this is not desirable for a number of reasons.
|
195
230
|
|
196
231
|
In this case IAM can be used to allow the fluentd instance in one account ("A") to ingest Cloudwatch logs from another ("B") via the following mechanic:
|
@@ -204,7 +239,7 @@ In this case IAM can be used to allow the fluentd instance in one account ("A")
|
|
204
239
|
* Create an IAM role `cloudwatch`
|
205
240
|
* Attach a policy to allow the role holder to assume another role (where `ACCOUNT-B` is substituted for the appropriate account number):
|
206
241
|
|
207
|
-
```
|
242
|
+
```json
|
208
243
|
{
|
209
244
|
"Version": "2012-10-17",
|
210
245
|
"Statement": [
|
@@ -228,7 +263,7 @@ In this case IAM can be used to allow the fluentd instance in one account ("A")
|
|
228
263
|
* Create an IAM role `fluentd`
|
229
264
|
* Ensure the `fluentd` role as account "A" as a trusted entity:
|
230
265
|
|
231
|
-
```
|
266
|
+
```json
|
232
267
|
{
|
233
268
|
"Version": "2012-10-17",
|
234
269
|
"Statement": [
|
@@ -245,7 +280,7 @@ In this case IAM can be used to allow the fluentd instance in one account ("A")
|
|
245
280
|
|
246
281
|
* Attach a policy:
|
247
282
|
|
248
|
-
```
|
283
|
+
```json
|
249
284
|
{
|
250
285
|
"Version": "2012-10-17",
|
251
286
|
"Statement": [
|
@@ -270,7 +305,8 @@ In this case IAM can be used to allow the fluentd instance in one account ("A")
|
|
270
305
|
```
|
271
306
|
|
272
307
|
### Configuring the plugin for STS authentication
|
273
|
-
|
308
|
+
|
309
|
+
```aconf
|
274
310
|
<source>
|
275
311
|
@type cloudwatch_logs
|
276
312
|
region us-east-1 # You must supply a region
|
@@ -84,6 +84,8 @@ module Fluent::Plugin
|
|
84
84
|
super
|
85
85
|
|
86
86
|
options = {}
|
87
|
+
options[:logger] = log if log
|
88
|
+
options[:log_level] = ({0 => :trace, 1 => :debug, 2 => :info, 3 => :warn, 4 => :error, 5 => :fatal}[log.level] || :info) if log
|
87
89
|
options[:region] = @region if @region
|
88
90
|
options[:endpoint] = @endpoint if @endpoint
|
89
91
|
options[:instance_profile_credentials_retries] = @aws_instance_profile_credentials_retries if @aws_instance_profile_credentials_retries
|
@@ -102,6 +104,8 @@ module Fluent::Plugin
|
|
102
104
|
@sequence_tokens = {}
|
103
105
|
@store_next_sequence_token_mutex = Mutex.new
|
104
106
|
|
107
|
+
log.debug "Aws::CloudWatchLogs::Client initialized: log.level #{log.level} => #{options[:log_level]}"
|
108
|
+
|
105
109
|
@json_handler = case @json_handler
|
106
110
|
when :yajl
|
107
111
|
Yajl
|
@@ -259,6 +263,9 @@ module Fluent::Plugin
|
|
259
263
|
when Array
|
260
264
|
record.each {|v| scrub_record!(v) }
|
261
265
|
when String
|
266
|
+
# The AWS API requires UTF-8 encoding
|
267
|
+
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogsConcepts.html
|
268
|
+
record.force_encoding('UTF-8')
|
262
269
|
record.scrub!
|
263
270
|
end
|
264
271
|
end
|
@@ -286,7 +293,7 @@ module Fluent::Plugin
|
|
286
293
|
while event = events.shift
|
287
294
|
event_bytesize = event[:message].bytesize + EVENT_HEADER_SIZE
|
288
295
|
if MAX_EVENT_SIZE < event_bytesize
|
289
|
-
log.warn "Log event is discarded because it is too large: #{event_bytesize} bytes exceeds limit of #{MAX_EVENT_SIZE}"
|
296
|
+
log.warn "Log event in #{group_name} is discarded because it is too large: #{event_bytesize} bytes exceeds limit of #{MAX_EVENT_SIZE}"
|
290
297
|
break
|
291
298
|
end
|
292
299
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-cloudwatch-logs
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.7.
|
4
|
+
version: 0.7.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ryota Arai
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-11-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: fluentd
|
@@ -150,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
150
150
|
- !ruby/object:Gem::Version
|
151
151
|
version: '0'
|
152
152
|
requirements: []
|
153
|
-
rubygems_version: 3.0.
|
153
|
+
rubygems_version: 3.0.3
|
154
154
|
signing_key:
|
155
155
|
specification_version: 4
|
156
156
|
summary: CloudWatch Logs Plugin for Fluentd
|