Problem:
We are using a setup that ingests data from the Kubernetes cluster into Sumo Logic.
(https://github.com/SumoLogic/fluentd-kubernetes-sumologic)
We are not seeing any Kubernetes logs in Sumo Logic under the expected sourceCategory
Cause:
The source category for Kubernetes logs is assigned dynamically and does not use the Source category defined in the HTTP Source configuration. The source Category is defined by the following environment variables in the Kubernetes yaml configuration.
| Environment Variable | Description |
|
SOURCE_CATEGORY |
Sets the _sourceCategory metadata field in Sumo. Default: "%{namespace}/%{pod_name}" |
|
SOURCE_CATEGORY_PREFIX |
Prepends a string that identifies the cluster to the _sourceCategorymetadata field in Sumo. Default: kubernetes/ |
|
SOURCE_CATEGORY_REPLACE_DASH |
Used to replace a dash (-) character with another character. Default: / Assuming defaults, a Pod called travel-nginx-3629474229-dirmo within namespace app will appear in Sumo as: _sourceCategory=kubernetes/app/travel/nginx |
Resolution:
You can identify the source categories applied to the Kubernetes logs using the results of the following query (with or without "Use Receipt time" checked as needed)
_sourceCategory=kubernetes* | count by _sourceCategory, _collector, _source | sort by _count
Or
_source=<http_source_name> _collector=<hosted_collector_name> | count by _sourceCategory, _collector, _source | sort by _count
The first query above assumes the default Out-Of-The-Box settings for the source category and lists all the source categories.
The second query requires the (hosted) Collector name and HTTP Source name that was used to provide the HTTP endpoint used in the Fluentd configuration
Comments
0 comments
Please sign in to leave a comment.