
Logging

Below you will find some simple customizations customers might want to make to their objects to improve logging.

Logging in the Platform is currently done by Filebeat. When you are onboarded as a customer, you are required to provide a default index. That index, along with some sane defaults, is automatically added to all your pods unless overridden.

Override default index

If you would like to override the index, add the annotation platform-logging-splunkindex=desiredIndex

Override default log type

By default the log is set to sourcetype log. This can be changed by using the annotation platform-logging-sourcetype=log

Other log types can be found here.

By using different log types, you can help Splunk extract more information from your logs, in addition to making them more legible.

Disable logging output

If you have a pod whose output you do not want logged, you may set the annotation platform-logging-droplogging=true

Simple Examples

apiVersion: v1
kind: Pod
metadata:
  name: webserver
  annotations:
    platform-logging-splunkindex: custom-log
    platform-logging-sourcetype: http_endpoint
spec:
  containers:
  - name: webserver
    image: httpd:latest
    ports:
    - containerPort: 80

Built-in Hints based autodiscovery

Hints-based autodiscovery has been enabled on the cluster, allowing more complex configuration of logs.

Elastic has a great page on the use of these features.

By combining annotations that use the prefix co.elastic.logs, you can configure complex actions such as setting the log type per container in a pod, excluding specific lines, or even setting processors.
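
The hints described above, combined in one manifest. This is an added example, not taken from the platform's own documentation: the pod name, container names, images and field values are constructed, and it assumes the cluster's Filebeat honours these standard hint keys.

```yaml
# Added example: Filebeat hints on a two-container pod (names are constructed).
apiVersion: v1
kind: Pod
metadata:
  name: webserver-hints
  annotations:
    # No container name in the key: applies to every container in the pod.
    # Lines that do not start with "[" are appended to the previous line,
    # so a multi-line stack trace arrives as a single event.
    co.elastic.logs/multiline.pattern: '^\['
    co.elastic.logs/multiline.negate: "true"   # annotation values must be strings
    co.elastic.logs/multiline.match: after
    # Container name in the key: applies only to the container "sidecar".
    co.elastic.logs.sidecar/exclude_lines: '^DBG'
    # Applies only to "webserver": keep lines that carry bearer tokens out of
    # the index. Whole lines are dropped, so the rest of each line is lost too.
    co.elastic.logs.webserver/exclude_lines: 'Authorization: Bearer'
    # Processor hint: add project.name=myproject to every event from this pod.
    co.elastic.logs/processors.1.add_fields.target: project
    co.elastic.logs/processors.1.add_fields.fields.name: myproject
spec:
  containers:
  - name: webserver
    image: httpd:latest
    ports:
    - containerPort: 80
  - name: sidecar
    image: busybox:latest
    command: ["sh", "-c", "while true; do echo 'DBG heartbeat'; sleep 30; done"]
```

Hints with no container name in the key are shared by all containers; a key of the form co.elastic.logs.<container_name>/... narrows the setting to that container.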