fluent-plugin-vmware-loginsight 0.1.5 → 0.1.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 769cbf3caa38634e432618e399254da2f53d6ba18e8b2def4b9d172aaed29c63
-  data.tar.gz: ba0ef75193473229d2d1d47de0866160e261dcd19672f5fde1c7bdfd9b423ea1
+  metadata.gz: 10d3d5209686fe48c79d1182e193316588f8e29bb6567d9ebe54b0eb061f0e55
+  data.tar.gz: 53b75b154b7ca8ff95c8aa71dd0fe91d00deff9460761ac4ea1c13da02c724e7
 SHA512:
-  metadata.gz: 3e6a40c4f69297840d6da7cab368a22df065080e0e3706e351686f67ea440d04d8a550d1b4554bac46a25d922be4c40584afb42ffe958c3f48b1cdb18d19822f
-  data.tar.gz: 1f954795a9d5064904df57469ebe071f94400a39644b14101767542a13bab312a6091ca0348855c8c392be385edf030374e3588c1d012da7208d0c8a6d74b335
+  metadata.gz: 2f41fbe184204f8100ebca73447f87d1cdce2640941bdae56d34fff216cbd554a7c22ed1e71f5e39f23bcdb72d8b766897f91917959f29e7346e6deecb0a2f7e
+  data.tar.gz: 1ff567aaf08344dc494fdedb6ed2efc21084e55c66da28b33cdbd40a17331c02519e94226959c291e487787a57e12bdad2fc6cff386573fb483b92dd34430e47

data/README.md

@@ -1,5 +1,7 @@
 # fluent-plugin-vmware-loginsight
 
+[![Gem Version](https://badge.fury.io/rb/fluent-plugin-vmware-loginsight.svg)](https://badge.fury.io/rb/fluent-plugin-vmware-loginsight)
+
 ## Overview
 output plugin to do forward logs to VMware Log Insight
 
@@ -28,39 +30,61 @@ $ bundle
 ## Usage
 
 ```
+# Collect all container logs
 <source>
   @type tail
+  @id in_tail_container_logs
   path /var/log/containers/*.log
+  # One could exclude certain logs like:
+  #exclude_path ["/var/log/containers/log-collector*.log"]
   pos_file /var/log/fluentd-docker.pos
-  time_format %Y-%m-%dT%H:%M:%S
-  tag kubernetes.*
-  format json
   read_from_head true
+  # Set this watcher to false if you have many files to tail
+  enable_stat_watcher false
+  refresh_interval 5
+  tag kubernetes.*
+  <parse>
+    @type json
+    time_key time
+    keep_time_key true
+    time_format %Y-%m-%dT%H:%M:%S.%NZ
+  </parse>
 </source>
 
-# Kubernetes metadata filter that tags additional meta data for each event
-<filter kubernetes.var.log.containers.**.log>
+# Kubernetes metadata filter that tags additional meta data for each container event
+<filter kubernetes.**>
   @type kubernetes_metadata
+  @id filter_kube_metadata
+  kubernetes_url "#{ENV['FLUENT_FILTER_KUBERNETES_URL'] || 'https://' + ENV.fetch('KUBERNETES_SERVICE_HOST') + ':' + ENV.fetch('KUBERNETES_SERVICE_PORT') + '/api'}"
+  verify_ssl "#{ENV['KUBERNETES_VERIFY_SSL'] || true}"
+  ca_file "#{ENV['KUBERNETES_CA_FILE']}"
+  skip_labels "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_LABELS'] || 'false'}"
+  skip_container_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_CONTAINER_METADATA'] || 'false'}"
+  skip_master_url "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_MASTER_URL'] || 'false'}"
+  skip_namespace_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_NAMESPACE_METADATA'] || 'false'}"
 </filter>
 
+# Match everything
 <match **>
   @type vmware_loginsight
+  @id out_vmw_li_all_container_logs
   scheme https
   ssl_verify true
-# Loginsight host: One may use IP address or cname
-# host X.X.X.X
-  host my-loginsight.mycompany.com
-  port 9000
-  path api/v1/events/ingest
+  # Loginsight host: One may use IP address or cname
+  #host X.X.X.X
+  host MY_LOGINSIGHT_HOST
+  port 9543
   agent_id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-  http_method post
-  serializer json
-  rate_limit_msec 0
-  raise_on_error false
-  include_tag_key true
-  tag_key tag
+  # Keys from log event whose values should be added as log message/text to
+  # Loginsight. Note these key/value pairs  won't be added as metadata/fields
+  log_text_keys ["log","msg","message"]
+  # Use this flag if you want to enable http debug logs
+  http_conn_debug false
 </match>
 ```
+
+For more examples look at [examples](./examples/)
+
 ### Configuration options
 
 ```
@@ -104,6 +128,9 @@ request_timeout, :time, :default => 5
 # If set, enables debug logs for http connection
 http_conn_debug, :bool, :default => false :: Valid Value: true | false
 
+# Number of bytes per post request
+max_batch_size, :integer, :default => 512000
+
 # Simple rate limiting: ignore any records within `rate_limit_msec` since the last one
 rate_limit_msec, :integer, :default => 0
 
@@ -125,9 +152,35 @@ flatten_hashes, :bool, :default => true :: Valid Value: true | false
 
 # Seperator to use for joining flattened keys
 flatten_hashes_separator, :string, :default => "_"
-```
 
-For more examples look at [examples](./examples/)
+# Rename fields names
+config_param :rename_fields, :hash, default: {"source" => "log_source"}, value_type: :string
+
+# Keys from log event to rewrite
+# for instance from 'kubernetes_namespace' to 'k8s_namespace'
+# tags will be rewritten with substring substitution
+# and applied in the order present in the hash
+# (Hashes enumerate their values in the order that the
+# corresponding keys were inserted
+# see https://ruby-doc.org/core-2.2.2/Hash.html)
+# example config:
+# shorten_keys {
+#    "__":"_",
+#    "container_":"",
+#    "kubernetes_":"k8s_",
+#    "labels_":"",
+# }
+shorten_keys, :hash, value_type: :string, default:
+        {
+            'kubernetes_':'k8s_',
+            'namespace':'ns',
+            'labels_':'',
+            '_name':'',
+            '_hash':'',
+            'container_':''
+        }
+
+```
 
 ## Contributing
 

data/VERSION

@@ -0,0 +1 @@
+0.1.11

data/examples/fluent.conf

@@ -8,18 +8,25 @@
 # 
 # SPDX-License-Identifier: MIT
 
+# Sample Fluentd config, edit as per your needs.
+# https://github.com/fluent/fluentd-kubernetes-daemonset/tree/master/templates/conf has some good fluentd config examples
 
+# System level configs
 <system>
   log_level info
 </system>
 
 # Prevent fluentd from handling records containing its own logs to handle cycles.
-<match fluent.**>
-  @type null
-</match>
+<label @FLUENT_LOG>
+  <match fluent.**>
+    @type null
+  </match>
+</label>
 
+# Collect all journal logs
 <source>
   @type systemd
+  @id in_systemd_logs
   path /run/log/journal
   # Can filter logs if we want, e.g.
   #filters [{ "_SYSTEMD_UNIT": "kubelet.service" }]
@@ -33,76 +40,121 @@
   strip_underscores true
 </source>
 
+# Collect all container logs
 <source>
   @type tail
+  @id in_tail_container_logs
   path /var/log/containers/*.log
   # One could exclude certain logs like:
-  #  exclude_path ["/var/log/containers/log-collector*.log"]
+  #exclude_path ["/var/log/containers/log-collector*.log"]
   pos_file /var/log/fluentd-docker.pos
-  time_format %Y-%m-%dT%H:%M:%S
-  tag kubernetes.*
-  format json
   read_from_head true
+  # Set this watcher to false if you have many files to tail
+  enable_stat_watcher false
+  refresh_interval 5
+  tag kubernetes.*
+  <parse>
+    @type json
+    time_key time
+    keep_time_key true
+    time_format %Y-%m-%dT%H:%M:%S.%NZ
+  </parse>
 </source>
 
-
-# Sample rule for services that generate java like stack trace
-#<source>
-#  @type tail
-#  path /var/log/containers/javaapp**.log
-#  pos_file /var/log/fluentd-dockerlog.pos
-#  time_format %b %d %H:%M:%S
-#  tag kubernetes.*
-#  format multiline
-#  format_firstline /\d{4}-\d{1,2}-\d{1,2}/
-#  format1 /^(?<time>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}) \[(?<thread>.*)\] (?<level>[^\s]+)(?<message>.*)/
-#  read_from_head true
-#</source>
-
-# Kubernetes metadata filter that tags additional meta data for each event
-<filter kubernetes.var.log.containers.**.log>
+# Kubernetes metadata filter that tags additional meta data for each container event
+<filter kubernetes.**>
   @type kubernetes_metadata
+  @id filter_kube_metadata
+  kubernetes_url "#{ENV['FLUENT_FILTER_KUBERNETES_URL'] || 'https://' + ENV.fetch('KUBERNETES_SERVICE_HOST') + ':' + ENV.fetch('KUBERNETES_SERVICE_PORT') + '/api'}"
+  verify_ssl "#{ENV['KUBERNETES_VERIFY_SSL'] || true}"
+  ca_file "#{ENV['KUBERNETES_CA_FILE']}"
+  skip_labels "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_LABELS'] || 'false'}"
+  skip_container_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_CONTAINER_METADATA'] || 'false'}"
+  skip_master_url "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_MASTER_URL'] || 'false'}"
+  skip_namespace_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_NAMESPACE_METADATA'] || 'false'}"
 </filter>
 
-# If we want to transform events we could use:
-#<filter **>
-#  @type record_transformer
-#  enable_ruby
-#  auto_typecast
-#  <record>
-#    hostname "#{Socket.gethostname}"
-#    mykey ${["message"=>record.to_json]}
-#  </record>
-#</filter>
+# Prefix the tag by namespace. This would make it easy to match logs by namespaces
+<match kubernetes.**>
+  @type rewrite_tag_filter
+  <rule>
+    key $.kubernetes.namespace_name
+    pattern ^(.+)$
+    tag $1.${tag}
+  </rule>
+</match>
 
-<match fluent.**>
-  @type null
+# Collect all kube apiserver audit logs
+<source>
+  @type tail
+  @id in_tail_kube_audit_logs
+  # audit log path of kube-apiserver
+  path "/var/log/kube-audit/audit.log"
+  pos_file /var/log/kube-audit.pos
+  tag kube-audit
+  <parse>
+    @type json
+    time_key timestamp
+    keep_time_key false
+    time_format %Y-%m-%dT%H:%M:%SZ
+  </parse>
+</source>
+
+# Loginsight doesn't support ingesting `source` as a field name, get rid of it
+<filter kube-audit>
+  @type record_transformer
+  @id filter_kube_audit_logs
+  enable_ruby
+  remove_keys source
+  <record>
+    log ${record}
+  </record>
+</filter>
+
+# You can catch and match logs by namespace
+<match my-namespace-one.** my-namespace-two.**>
+  @type vmware_loginsight
+  @id out_vmw_li_my_namespace_logs
+  scheme http
+  ssl_verify false
+  # Loginsight host: One may use IP address or cname
+  #host X.X.X.X
+  host MY_LOGINSIGHT_HOST
+  port 9000
+  agent_id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
+  # Keys from log event whose values should be added as log message/text to
+  # Loginsight. Note these key/value pairs  won't be added as metadata/fields
+  log_text_keys ["log","msg","message"]
+  # Use this flag if you want to enable http debug logs
+  http_conn_debug false
 </match>
 
+# Match everything else
 <match **>
   @type copy
   <store>
     @type vmware_loginsight
+    @id out_vmw_li_all_container_logs
     scheme https
     ssl_verify true
-#   Loginsight host: One may use IP address or cname
-#   host X.X.X.X
-    host my-loginsight.mycompany.com
-    port 9000
-    path api/v1/events/ingest
+    # Loginsight host: One may use IP address or cname
+    #host X.X.X.X
+    host MY_LOGINSIGHT_HOST
+    port 9543
     agent_id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-    http_method post
-    serializer json
-    rate_limit_msec 0
-    raise_on_error false
+    # Keys from log event whose values should be added as log message/text to
+    # Loginsight. Note these key/value pairs  won't be added as metadata/fields
     log_text_keys ["log","msg","message"]
-    include_tag_key true
-    tag_key tag
+    # Use this flag if you want to enable http debug logs
+    http_conn_debug false
   </store>
-# copy plugin supports sending/copying logs to multiple plugins
-# One may choose to send them to multiple LIs
-# Or one may want send a copy to stdout for debugging
-#  <store>
-#    @type stdout
-#  </store>
+  # copy plugin supports sending/copying logs to multiple plugins
+  # One may choose to send them to multiple LIs
+  # Or one may want send a copy to stdout for debugging
+  # Please note, if you use stdout along with LI, catch the logger's log to make
+  # sure they're not cyclic
+  #<store>
+  #  @type stdout
+  #</store>
 </match>
+

data/examples/fluentd-vrli-plugin-debian.dockerfile

@@ -0,0 +1,48 @@
+# Fluentd plugin for VMware Log Insight
+# 
+# Copyright 2018-2019 VMware, Inc. All Rights Reserved. 
+# 
+# This product is licensed to you under the MIT license (the "License").  You may not use this product except in compliance with the MIT License.  
+# 
+# This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file. 
+# 
+# SPDX-License-Identifier: MIT
+
+
+# Sample Dockerfile to use as log collector
+# Builds a debian-based fluentd image that has fluent-plugin-kubernetes_metadata_filter,
+# fluent-plugin-rewrite-tag-filter, fluent-plugin-systemd and
+# fluent-plugin-vmware-loginsight gem installed.
+#
+# This image will get preconfigured with the fluent.conf if avaialble at the
+# same dir level. For fluentd config example, see
+# https://github.com/vmware/fluent-plugin-vmware-loginsight/blob/master/examples/fluent.conf
+
+# This base image is built from https://github.com/fluent/fluentd-kubernetes-daemonset
+FROM fluent/fluentd:v1.11-debian-1
+
+# Use root account to use apt
+USER root
+
+# You can install your plugins here
+RUN buildDeps="sudo make gcc g++ libc-dev" \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends $buildDeps \
+ && sudo gem install \
+        fluent-plugin-kubernetes_metadata_filter:2.4.6 \
+        fluent-plugin-rewrite-tag-filter:2.3.0 \
+        fluent-plugin-systemd:1.0.2 \
+        fluent-plugin-vmware-loginsight:0.1.10 \
+ && sudo gem sources --clear-all \
+ && SUDO_FORCE_REMOVE=yes \
+    apt-get purge -y --auto-remove \
+                  -o APT::AutoRemove::RecommendsImportant=false \
+                  $buildDeps \
+ && rm -rf /var/lib/apt/lists/* \
+ && rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems/*/cache/*.gem
+
+#  You can install the LI plugin using a gem or if you want to test your
+#  changes to plugin, you may add the .rb directly under `plugins` dir, then
+#  you don't need to install the gem
+COPY plugins /fluentd/plugins/
+

data/examples/fluentd-vrli-plugin-photon-tdnf.dockerfile

@@ -0,0 +1,45 @@
+# Fluentd plugin for VMware Log Insight
+# 
+# Copyright 2019 VMware, Inc. All Rights Reserved. 
+# 
+# This product is licensed to you under the MIT license (the "License").  You may not use this product except in compliance with the MIT License.  
+# 
+# This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file. 
+# 
+# SPDX-License-Identifier: MIT
+
+# Builds a photon-based image that contains fluentd, fluent-plugin-vmware-loginsight some of the tools recommended by fluent
+# (libjemalloc, oj, assync-http). This image is based on the minimalistic VMware Photon OS so the result is smaller in size.
+# Furthermore, all of the needed components are installed from the trusted Photon repository by using the tdnf package manager.
+#
+# Fluentd is configured with the default configuration that gets produced by the `fluentd --setup` command. For an example of
+# a configuration that uses the fluent-plugin-vmware-loginsight plugin check fluent.conf under the examples dir:
+# https://github.com/vmware/fluent-plugin-vmware-loginsight/blob/master/examples/fluent.conf
+
+FROM photon:3.0-20190705
+
+USER root
+
+# Distro sync and install components
+RUN tdnf distro-sync --refresh -y \
+    && tdnf install -y \
+    rubygem-fluentd-1.6.3 \
+    #
+    # optional but used by fluentd
+    rubygem-oj-3.3.10 \
+    rubygem-async-http-0.48.2 \
+    jemalloc-4.5.0 \
+    #
+    # Install Log Insight plugin
+    rubygem-fluent-plugin-vmware-loginsight-0.1.5
+
+RUN ln -s /usr/lib/ruby/gems/2.5.0/bin/fluentd /usr/bin/fluentd \
+    && fluentd --setup
+
+# Make sure fluentd picks jemalloc
+ENV LD_PRELOAD="/usr/lib/libjemalloc.so.2"
+
+# Standard fluentd ports
+EXPOSE 24224 5140
+
+ENTRYPOINT ["/usr/bin/fluentd"]

data/examples/fluentd-vrli-plugin-photon.dockerfile

@@ -0,0 +1,68 @@
+# Fluentd plugin for VMware Log Insight
+# 
+# Copyright 2019 VMware, Inc. All Rights Reserved. 
+# 
+# This product is licensed to you under the MIT license (the "License").  You may not use this product except in compliance with the MIT License.  
+# 
+# This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file. 
+# 
+# SPDX-License-Identifier: MIT
+
+# Builds a photon-based image that contains fluentd, fluent-plugin-vmware-loginsight some of the tools recommended by fluent
+# (libjemalloc, oj, assync-http). This image is based on the minimalistic VMware Photon OS so the result is smaller in size.
+#
+# Fluentd is configured with the default configuration that gets produced by the `fluentd --setup` command. For an example of
+# a configuration that uses the fluent-plugin-vmware-loginsight plugin check fluent.conf under the examples dir:
+# https://github.com/vmware/fluent-plugin-vmware-loginsight/blob/master/examples/fluent.conf
+FROM photon:3.0-20190705
+
+USER root
+
+RUN buildDeps="\
+    binutils linux-api-headers glibc-devel \
+    make gcc gmp-devel libffi-devel \
+    tar bzip2 sed gawk" \
+    #
+    # Distro sync and install build dependencies
+    && tdnf distro-sync --refresh -y \
+    # Toybox conflicts with bzip2. The latter is needed to unpack libjemalloc
+    && tdnf remove -y toybox \
+    && tdnf install -y $buildDeps ruby \
+    #
+    # These are not required but are used if available
+    && gem install oj -v 3.3.10 \
+    && gem install json -v 2.2.0 \
+    && gem install async-http -v 0.46.3 \
+    #
+    # Install fluentd
+    && gem install --norc --no-document fluentd -v 1.6.3 \
+    && mkdir -p /fluentd/etc /fluentd/plugins \
+    #
+    # Install Log Insight plugin
+    && gem install --norc --no-document -v 0.1.5 fluent-plugin-vmware-loginsight \
+    #
+    # Install jemalloc 4.5.0
+    && curl -L --output /tmp/jemalloc-4.5.0.tar.bz2 https://github.com/jemalloc/jemalloc/releases/download/4.5.0/jemalloc-4.5.0.tar.bz2 \
+    && tar -C /tmp/ -xjvf /tmp/jemalloc-4.5.0.tar.bz2 \
+    && cd /tmp/jemalloc-4.5.0 \
+    && ./configure && make \
+    && mv lib/libjemalloc.so.2 /usr/lib \
+    && cd / \
+    #
+    # Cleanup to reduce image size
+    && rm -rf /tmp/jemalloc-4.5.0* \
+    && tdnf remove -y $buildDeps \
+    && tdnf clean all \
+    && gem sources --clear-all \
+    && gem cleanup
+
+# Create default fluent.conf
+RUN fluentd --setup
+
+# Make sure fluentd picks jemalloc
+ENV LD_PRELOAD="/usr/lib/libjemalloc.so.2"
+
+# Standard fluentd ports
+EXPOSE 24224 5140
+
+ENTRYPOINT ["/usr/bin/fluentd"]

data/examples/k8s-log-collector-ds.yaml

@@ -23,30 +23,32 @@ data:
   myapp-fluent.conf: |
     # Input sources
     @include general.conf
-    @include systemd-input.conf
-    @include kubernetes-input.conf
-
-    # Parsing/Filtering
-    @include kubernetes-filter.conf
+    @include systemd.conf
+    @include kubernetes.conf
+    @include kube-audit.conf
 
     # Forwading - Be vigilant of the order in which these plugins are specified. Order matters!
-    @include myapp-loginsight-output.conf
+    @include vmw-li.conf
 
   general.conf: |
     <system>
       log_level info
     </system>
     # Prevent fluentd from handling records containing its own logs to handle cycles.
-    <match fluent.**>
-      @type null
-    </match>
+    <label @FLUENT_LOG>
+      <match fluent.**>
+        @type null
+      </match>
+    </label>
 
-  systemd-input.conf: |
+  systemd.conf: |
+    # Journal logs
     <source>
       @type systemd
+      @id in_systemd_logs
       path /run/log/journal
       # Can filter logs if we want, e.g.
-      # filters [{ "_SYSTEMD_UNIT": "kubelet.service" }]
+      #filters [{ "_SYSTEMD_UNIT": "kubelet.service" }]
       <storage>
         @type local
         persistent true
@@ -57,70 +59,114 @@ data:
       strip_underscores true
     </source>
 
-  kubernetes-input.conf: |
+  kubernetes.conf: |
+    # Container logs
+    # Kubernetes docker logs are stored under /var/lib/docker/containers for
+    # which kubernetes creates a symlink at /var/log/containers
     <source>
       @type tail
+      @id in_tail_container_logs
       path /var/log/containers/*.log
       # One could exclude certain logs like:
-      # exclude_path ["/var/log/containers/log-collector*.log"]
+      #exclude_path ["/var/log/containers/log-collector*.log"]
       pos_file /var/log/fluentd-docker.pos
-      time_format %Y-%m-%dT%H:%M:%S
-      tag kubernetes.*
-      format json
       read_from_head true
+      # Set this watcher to false if you have many files to tail
+      enable_stat_watcher false
+      refresh_interval 5
+      tag kubernetes.*
+      <parse>
+        @type json
+        time_key time
+        keep_time_key true
+        time_format %Y-%m-%dT%H:%M:%S.%NZ
+      </parse>
     </source>
-
-  kubernetes-filter.conf: |
+    # Kubernetes metadata filter that tags additional meta data for each container event
     <filter kubernetes.**>
       @type kubernetes_metadata
-      merge_json_log true
-      preserve_json_log true
+      @id filter_kube_metadata
+      kubernetes_url "#{ENV['FLUENT_FILTER_KUBERNETES_URL'] || 'https://' + ENV.fetch('KUBERNETES_SERVICE_HOST') + ':' + ENV.                  fetch('KUBERNETES_SERVICE_PORT') + '/api'}"
+      verify_ssl "#{ENV['KUBERNETES_VERIFY_SSL'] || true}"
+      ca_file "#{ENV['KUBERNETES_CA_FILE']}"
+      skip_labels "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_LABELS'] || 'false'}"
+      skip_container_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_CONTAINER_METADATA'] || 'false'}"
+      skip_master_url "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_MASTER_URL'] || 'false'}"
+      skip_namespace_metadata "#{ENV['FLUENT_KUBERNETES_METADATA_SKIP_NAMESPACE_METADATA'] || 'false'}"
+    </filter>
+
+    # Prefix the tag by namespace. This would make it easy to match logs by namespaces
+    <match kubernetes.**>
+      @type rewrite_tag_filter
+      <rule>
+        key $.kubernetes.namespace_name
+        pattern ^(.+)$
+        tag $1.${tag}
+      </rule>
+    </match>
+
+  kube-audit.conf: |
+    # Kube-apiserver audit logs
+    <source>
+      @type tail
+      @id in_tail_kube_audit_logs
+      # path to audit logs for kube-apiserver
+      path "/var/log/kube-audit/audit.log"
+      pos_file /var/log/kube-audit.pos
+      tag kube-audit
+      <parse>
+        @type json
+        time_key timestamp
+        keep_time_key false
+        time_format %Y-%m-%dT%H:%M:%SZ
+      </parse>
+    </source>
+    # Loginsight doesn't support ingesting `source` as a field name, get rid of it
+    <filter kube-audit>
+      @type record_transformer
+      @id filter_kube_audit_logs
+      enable_ruby
+      remove_keys source
+      <record>
+        log ${record}
+      </record>
     </filter>
 
-  myapp-loginsight-output.conf: |
+  vmw-li.conf: |
+    # Match everything
     # We are capturing all log messages and redirecting them to endpoints mentioned in each <store> tag.
     # One may redirect these logs to muliple endpoints (including multiple LI instances).
     # Or one may chose to tag their specific logs and add their own config to capture those tagged logs and redirect
-    # them to appropriate endpoint. This specific config needs to preceed this generic one.
+    # them to appropriate endpoint. That specific config needs to preceed this generic one.
     <match **>
       @type copy
       <store>
         @type vmware_loginsight
+        @id out_vmw_li_all_container_logs
         scheme https
         ssl_verify true
         # Loginsight host: One may use IP address or cname
-        # host X.X.X.X
-        host my-loginsight.mycompany.com
-        port 9000
-        path api/v1/events/ingest
+        #host X.X.X.X
+        host MY_LOGINSIGHT_HOST
+        port 9543
         agent_id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-        http_method post
-        serializer json
-        rate_limit_msec 0
-        raise_on_error false
-        include_tag_key true
-        tag_key tag
+        # Keys from log event whose values should be added as log message/text to
+        # Loginsight. Note these key/value pairs  won't be added as metadata/fields
+        log_text_keys ["log","msg","message"]
+        # Use this flag if you want to enable http debug logs
+        http_conn_debug false
       </store>
-      # If we want to debug and send logs to stdout as well
-      # <store>
-      #   @type stdout
-      # </store>
+      # copy plugin supports sending/copying logs to multiple plugins
+      # One may choose to send them to multiple LIs
+      # Or one may want send a copy to stdout for debugging
+      # Please note, if you use stdout along with LI, catch the logger's log to make
+      # sure they're not cyclic
+      #<store>
+      #  @type stdout
+      #</store>
     </match>
 
 
-  extra.conf: |
-    # If we want to transform events we could use:
-    #<filter **>
-    #  @type record_transformer
-    #  enable_ruby
-    #  auto_typecast
-    #  <record>
-    #    hostname "#{Socket.gethostname}"
-    #    mykey ${["message"=>record.to_json]}
-    #  </record>
-    #</filter>
-
-
 ---
 kind: DaemonSet
 apiVersion: extensions/v1beta1
@@ -131,8 +177,21 @@ metadata:
     app: "log-collector"
     version: v1
 spec:
+  selector:
+    matchLabels:
+      app: "log-collector"
+  revisionHistoryLimit: 3
+  minReadySeconds: 10
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      # How many pods can be unavailable during the rolling update.
+      maxUnavailable: 3
   template:
     metadata:
+      annotations:
+        # One may use this annotation to trigger rollout whenever fluentd config changes
+        configHash: GENERATED_HASH
       labels:
         app: "log-collector"
         version: v1

data/fluent-plugin-vmware-loginsight.gemspec

@@ -14,7 +14,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name    = "fluent-plugin-vmware-loginsight"
-  spec.version = "0.1.5"
+  spec.version = File.read("VERSION").strip
   spec.authors = ["Vishal Mohite", "Chris Todd"]
   spec.email   = ["vmohite@vmware.com", "toddc@vmware.com"]
 

data/lib/fluent/plugin/out_vmware_loginsight.rb

@@ -70,7 +70,32 @@ module Fluent
       config_param :flatten_hashes, :bool, :default => true
       # Seperator to use for joining flattened keys
       config_param :flatten_hashes_separator, :string, :default => "_"
-
+      # Rename fields names
+      config_param :rename_fields, :hash, default: {"source" => "log_source"}, value_type: :string
+
+      # Keys from log event to rewrite
+      # for instance from 'kubernetes_namespace' to 'k8s_namespace'
+      # tags will be rewritten with substring substitution
+      # and applied in the order present in the hash
+      # (Hashes enumerate their values in the order that the
+      # corresponding keys were inserted
+      # see https://ruby-doc.org/core-2.2.2/Hash.html)
+      # example config:
+      # shorten_keys {
+      #    "__":"_",
+      #    "container_":"",
+      #    "kubernetes_":"k8s_",
+      #    "labels_":"",
+      # }
+      config_param :shorten_keys, :hash, value_type: :string, default:
+        {
+            'kubernetes_':'k8s_',
+            'namespace':'ns',
+            'labels_':'',
+            '_name':'',
+            '_hash':'',
+            'container_':''
+        }
 
       def initialize
         super
@@ -118,14 +143,11 @@ module Fluent
       def shorten_key(key)
         # LI doesn't allow some characters in field 'name'
         # like '/', '-', '\', '.', etc. so replace them with @flatten_hashes_separator
-        key = key.gsub(/[\/\.\-\\]/,@flatten_hashes_separator).downcase
-        # shorten field names
-        key = key.gsub(/kubernetes_/,'k8s_')
-        key = key.gsub(/namespace/,'ns')
-        key = key.gsub(/labels_/,'')
-        key = key.gsub(/_name/,'')
-        key = key.gsub(/_hash/,'')
-        key = key.gsub(/container_/,'')
+        key = key.gsub(/[\/\.\-\\\@]/,@flatten_hashes_separator).downcase
+        # shorten field names using provided shorten_keys parameters
+        @shorten_keys.each do | match, replace |
+            key = key.gsub(match.to_s,replace)
+        end
         key
       end
 
@@ -136,13 +158,18 @@ module Fluent
         else
           flattened_records = record
         end
-        flattened_records[@tag_key] = tag if @include_tag_key
+        # tag can be immutable in some cases, use a copy.
+        flattened_records[@tag_key] = tag.dup if @include_tag_key
         fields = []
         keys = []
         log = ''
         flattened_records.each do |key, value|
           begin
             next if value.nil?
+            # check if name of the key should be replaced
+            if @rename_fields.has_key?(key)
+              key = @rename_fields[key]
+            end
             # LI doesn't support duplicate fields, make unique names by appending underscore
             key = shorten_key(key)
             while keys.include?(key)
@@ -154,6 +181,7 @@ module Fluent
             begin
               value = value.to_json if value.is_a?(Hash)
               value = value.to_s
+              value = value.frozen? ? value.dup : value # if value is immutable, use a copy.
               value.force_encoding("utf-8")
             rescue Exception=>e
               $log.warn "force_encoding exception: " "#{e.class}, '#{e.message}', " \
@@ -228,7 +256,7 @@ module Fluent
           return
         end
 
-        if @auth and @auth == 'basic'
+        if @auth and @auth.to_s.eql? "basic"
           req.basic_auth(@username, @password)
         end
         begin

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-vmware-loginsight
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.11
 platform: ruby
 authors:
 - Vishal Mohite
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-22 00:00:00.000000000 Z
+date: 2021-03-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -87,8 +87,11 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- examples/Dockerfile
+- VERSION
 - examples/fluent.conf
+- examples/fluentd-vrli-plugin-debian.dockerfile
+- examples/fluentd-vrli-plugin-photon-tdnf.dockerfile
+- examples/fluentd-vrli-plugin-photon.dockerfile
 - examples/k8s-log-collector-ds.yaml
 - fluent-plugin-vmware-loginsight.gemspec
 - lib/fluent/plugin/out_vmware_loginsight.rb
@@ -113,8 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Fluend output plugin to forward logs to VMware Log Insight

data/examples/Dockerfile

@@ -1,32 +0,0 @@
-# Fluentd plugin for VMware Log Insight
-# 
-# Copyright 2018 VMware, Inc. All Rights Reserved. 
-# 
-# This product is licensed to you under the MIT license (the "License").  You may not use this product except in compliance with the MIT License.  
-# 
-# This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file. 
-# 
-# SPDX-License-Identifier: MIT
-
-
-FROM fluent/fluentd:v0.14.15-debian-onbuild
-# Above image expects the loginsight plugin vmware_loginsight to be available under ./plugins/vmware_loginsight.rb
-# and fluentd config under ./fluent.conf by default
-
-USER root
-
-RUN buildDeps="sudo make gcc g++ libc-dev ruby-dev libffi-dev" \
- && apt-get update \
- && apt-get install -y --no-install-recommends $buildDeps \
- && sudo gem install \
-        fluent-plugin-systemd \
-        fluent-plugin-kubernetes_metadata_filter \
-        fluent-plugin-vmware-loginsight \
- && sudo gem sources --clear-all \
- && SUDO_FORCE_REMOVE=yes \
-    apt-get purge -y --auto-remove \
-                  -o APT::AutoRemove::RecommendsImportant=false \
-                  $buildDeps \
- && rm -rf /var/lib/apt/lists/* \
-           /home/fluent/.gem/ruby/2.3.0/cache/*.gem \
-           /home/root/.gem/ruby/2.3.0/cache/*.gem