ClusterLogDestination
Scope: Cluster
Version: v1alpha1
Describes setting for a log storage, which you can use in many log sources.
metadata.name — is an upstream name, which you should use in custom resource ClusterLoggingConfig.
- objectspec
Required value
- objectspec.buffer
Buffer parameters.
- objectspec.buffer.disk
Disk buffer parameters.
- integer or stringspec.buffer.disk.maxSize
The maximum size of the buffer on disk. Must be at least ~256MB (268435488 bytes).
You can express size as a plain integer or as a fixed-point number using one of these quantity suffixes:
E,P,T,G,M,k,Ei,Pi,Ti,Gi,Mi,Ki.More about resource quantity:
Pattern:
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$Examples:
maxSize: 512MimaxSize: 268435488
- objectspec.buffer.memory
- numberspec.buffer.memory.maxEvents
The maximum number of events allowed in the buffer.
- stringspec.buffer.type
Required value
The type of buffer to use.
Allowed values:
Disk,Memory - stringspec.buffer.whenFull
Event handling behavior when a buffer is full.
Default:
"Block"Allowed values:
DropNewest,Block
- objectspec.elasticsearch
- objectspec.elasticsearch.auth
- stringspec.elasticsearch.auth.awsAccessKey
Base64-encoded AWS
ACCESS_KEY. - stringspec.elasticsearch.auth.awsAssumeRole
The ARN of an IAM role to assume at startup.
- stringspec.elasticsearch.auth.awsRegion
AWS region for authentication.
- stringspec.elasticsearch.auth.awsSecretKey
Base64-encoded AWS
SECRET_KEY. - stringspec.elasticsearch.auth.password
Base64-encoded Basic authentication password.
- stringspec.elasticsearch.auth.strategy
The authentication strategy to use.
Default:
"Basic"Allowed values:
Basic,AWS - stringspec.elasticsearch.auth.user
The Basic authentication user name.
- booleanspec.elasticsearch.dataStreamEnabled
Use for storage indexes or datastreams (https://www.elastic.co/guide/en/elasticsearch/reference/master/data-streams.html).
Datastream usage is better for logs and metrics storage but they works only for Elasticsearch >= 7.16.X.
Default:
false - stringspec.elasticsearch.docType
The
doc_typefor your index data. This is only relevant for Elasticsearch <= 6.X.- For Elasticsearch >= 7.X you do not need this option since this version has removed
doc_typemapping; - For Elasticsearch >= 6.X the recommended value is
_doc, because using it will make it easy to upgrade to 7.X; - For Elasticsearch < 6.X you can’t use a value starting with
_or empty string. Use, for example, values likelogs.
- For Elasticsearch >= 7.X you do not need this option since this version has removed
- stringspec.elasticsearch.endpoint
Required value
Base URL of the Elasticsearch instance.
- stringspec.elasticsearch.index
Index name to write events to.
- stringspec.elasticsearch.pipeline
Name of the pipeline to apply.
- objectspec.elasticsearch.tls
Configures the TLS options for outgoing connections.
- stringspec.elasticsearch.tls.caFile
Base64-encoded CA certificate in PEM format.
- objectspec.elasticsearch.tls.clientCrt
Configures the client certificate for outgoing connections.
- stringspec.elasticsearch.tls.clientCrt.crtFile
Required value
Base64-encoded certificate in PEM format.
You must also set the
keyFileparameter. - stringspec.elasticsearch.tls.clientCrt.keyFile
Required value
Base64-encoded private key in PEM format (PKCS#8).
You must also set the
crtFileparameter. - stringspec.elasticsearch.tls.clientCrt.keyPass
Base64-encoded pass phrase used to unlock the encrypted key file.
- objectspec.elasticsearch.tls.secretRef
Reference to a Kubernetes Secret containing the CA certificate (ca.pem), client certificate (crt.pem), private key (key.pem) and key pass (keyPass) in Base64-encoded PEM format. If specified, TLS settings are overridden with values from the secret. Secret should be located in d8-log-shipper namespace and have
log-shipper.deckhouse.io/watch-secret: truelabel.- stringspec.elasticsearch.tls.secretRef.name
Name of the Secret with TLS certificates.
- booleanspec.elasticsearch.tls.verifyCertificate
Validate the TLS certificate of the remote host. Specifically the issuer is checked but not CRLs (Certificate Revocation Lists).
Default:
true - booleanspec.elasticsearch.tls.verifyHostname
Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.
Default:
true
- objectspec.extraLabels
A set of labels that will be attached to each batch of events.
You can use simple templating here:
{{ app }}.There are some reserved keys:
- parsed_data
- pod
- pod_labels_*
- pod_ip
- namespace
- image
- container
- node
- pod_owner
Example:
extraLabels: forwarder: vector key: value app_info: "{{ app }}" array_member: "{{ array[0] }}" symbol_escating_value: "{{ pay\\.day }}" - objectspec.kafka
- array of stringsspec.kafka.bootstrapServers
Required value
A list of host and port pairs that are the addresses of the Kafka brokers in a “bootstrap” Kafka cluster that a Kafka client connects to initially to bootstrap itself.
Default:
[]Example:
bootstrapServers: - 10.14.22.123:9092 - 10.14.23.332:9092- stringElement of the array
Pattern:
^(.+)\:\d{1,5}$
- objectspec.kafka.encoding
How to encode the message.
- stringspec.kafka.encoding.codec
Default:
"JSON"Allowed values:
JSON,CEF
- stringspec.kafka.keyField
Allows to set the key_field.
Examples:
keyField: hostkeyField: nodekeyField: namespacekeyField: parsed_data.app_info - objectspec.kafka.sasl
Configuration for SASL authentication when interacting with Kafka.
- stringspec.kafka.sasl.mechanism
Required value
The SASL mechanism to use. Only PLAIN and SCRAM-based mechanisms are supported.
Allowed values:
PLAIN,SCRAM-SHA-256,SCRAM-SHA-512 - stringspec.kafka.sasl.password
Required value
The SASL password.
Example:
password: qwerty - stringspec.kafka.sasl.username
Required value
The SASL username.
Example:
username: username
- objectspec.kafka.tls
Configures the TLS options for outgoing connections.
- stringspec.kafka.tls.caFile
Base64-encoded CA certificate in PEM format.
- objectspec.kafka.tls.clientCrt
Configures the client certificate for outgoing connections.
- stringspec.kafka.tls.clientCrt.crtFile
Required value
Base64-encoded certificate in PEM format.
You must also set the
keyFileparameter. - stringspec.kafka.tls.clientCrt.keyFile
Required value
Base64-encoded private key in PEM format (PKCS#8).
You must also set the
crtFileparameter. - stringspec.kafka.tls.clientCrt.keyPass
Base64-encoded pass phrase used to unlock the encrypted key file.
- objectspec.kafka.tls.secretRef
Reference to a Kubernetes Secret containing the CA certificate (ca.pem), client certificate (crt.pem), private key (key.pem) and key pass (keyPass) in Base64-encoded PEM format. If specified, TLS settings are overridden with values from the secret. Secret should be located in d8-log-shipper namespace and have
log-shipper.deckhouse.io/watch-secret: truelabel.- stringspec.kafka.tls.secretRef.name
Name of the Secret with TLS certificates.
- booleanspec.kafka.tls.verifyCertificate
Validate the TLS certificate of the remote host.
Default:
true - booleanspec.kafka.tls.verifyHostname
Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.
Default:
true
- stringspec.kafka.topic
Required value
The Kafka topic name to write events to. This parameter supports template syntax, which enables you to use dynamic per-event values.
Examples:
topic: logstopic: logs-{{unit}}-%Y-%m-%d
- objectspec.logstash
- stringspec.logstash.endpoint
Required value
Base URL of the Logstash instance.
- objectspec.logstash.tls
Configures the TLS options for outgoing connections.
- stringspec.logstash.tls.caFile
Base64-encoded CA certificate in PEM format.
- objectspec.logstash.tls.clientCrt
Configures the client certificate for outgoing connections.
- stringspec.logstash.tls.clientCrt.crtFile
Required value
Base64-encoded certificate in PEM format.
You must also set the
keyFileparameter. - stringspec.logstash.tls.clientCrt.keyFile
Required value
Base64-encoded private key in PEM format (PKCS#8).
You must also set the
crtFileparameter. - stringspec.logstash.tls.clientCrt.keyPass
Base64-encoded pass phrase used to unlock the encrypted key file.
- objectspec.logstash.tls.secretRef
Reference to a Kubernetes Secret containing the CA certificate (ca.pem), client certificate (crt.pem), private key (key.pem) and key pass (keyPass) in Base64-encoded PEM format. If specified, TLS settings are overridden with values from the secret. Secret should be located in d8-log-shipper namespace and have
log-shipper.deckhouse.io/watch-secret: truelabel.- stringspec.logstash.tls.secretRef.name
Name of the Secret with TLS certificates.
- booleanspec.logstash.tls.verifyCertificate
Validate the TLS certificate of the remote host.
Default:
true - booleanspec.logstash.tls.verifyHostname
Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.
Default:
true
- objectspec.loki
- objectspec.loki.auth
- stringspec.loki.auth.password
Base64-encoded Basic authentication password.
- stringspec.loki.auth.strategy
The authentication strategy to use.
Default:
"Basic"Allowed values:
Basic,Bearer - stringspec.loki.auth.token
The token to use for Bearer authentication.
- stringspec.loki.auth.user
The Basic authentication user name.
- stringspec.loki.endpoint
Required value
Base URL of the Loki instance.
Agent automatically adds
/loki/api/v1/pushinto URL during data transmission. - stringspec.loki.tenantID
ID of a tenant.
This option is used only for GrafanaCloud. When running Loki locally, a tenant ID is not required.
- objectspec.loki.tls
Configures the TLS options for outgoing connections.
- stringspec.loki.tls.caFile
Base64-encoded CA certificate in PEM format.
- objectspec.loki.tls.clientCrt
Configures the client certificate for outgoing connections.
- stringspec.loki.tls.clientCrt.crtFile
Required value
Base64-encoded certificate in PEM format.
You must also set the
keyFileparameter. - stringspec.loki.tls.clientCrt.keyFile
Required value
Base64-encoded private key in PEM format (PKCS#8).
You must also set the
crtFileparameter. - stringspec.loki.tls.clientCrt.keyPass
Base64-encoded pass phrase used to unlock the encrypted key file.
- objectspec.loki.tls.secretRef
Reference to a Kubernetes Secret containing the CA certificate (ca.pem), client certificate (crt.pem), private key (key.pem) and key pass (keyPass) in Base64-encoded PEM format. If specified, TLS settings are overridden with values from the secret. Secret should be located in d8-log-shipper namespace and have
log-shipper.deckhouse.io/watch-secret: truelabel.- stringspec.loki.tls.secretRef.name
Name of the Secret with TLS certificates.
- booleanspec.loki.tls.verifyCertificate
Validate the TLS certificate of the remote host.
If set to
false, the certificate is not checked in the Certificate Revocation Lists.Default:
true - booleanspec.loki.tls.verifyHostname
Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.
Default:
true
- objectspec.rateLimit
Parameter for limiting the flow of events.
- array of objectsspec.rateLimit.excludes
List of excludes for keyField.
Only NOT matched log entries would be rate limited.
Examples:
excludes: field: tier operator: Existsexcludes: field: foo operator: NotIn values: - dev - 42 - 'true' - '3.14'excludes: field: bar operator: Regex values: - "^abc" - "^\\d.+$"- stringspec.rateLimit.excludes.field
Required value
Field name for filtering.
- stringspec.rateLimit.excludes.operator
Required value
Operator for log field comparations:
In— finds a substring in a string.NotIn— is a negative version of theInoperator.Regex— is trying to match regexp over the field; only log events with matching fields will pass.NotRegex— is a negative version of theRegexoperator; log events without fields or with not matched fields will pass.Exists— drops log event if it contains some fields.DoesNotExist— drops log event if it does not contain some fields.
Allowed values:
In,NotIn,Regex,NotRegex,Exists,DoesNotExist - arrayspec.rateLimit.excludes.values
Array of values or regexes for corresponding operations. Does not work for
ExistsandDoesNotExistoperations.Fields a with float or boolean values will be converted to strings during comparison.
- stringspec.rateLimit.keyField
The name of the log field whose value will be hashed to determine if the event should be rate limited.
- numberspec.rateLimit.linesPerMinute
Required value
The number of records per minute.
- objectspec.socket
- stringspec.socket.address
Required value
Address of the socket.
Pattern:
^.*:[1-9][0-9]+$ - objectspec.socket.encoding
How to encode the message.
- stringspec.socket.encoding.codec
Default:
"JSON"Allowed values:
Text,JSON,Syslog,CEF,GELF
- stringspec.socket.mode
Required value
Allowed values:
TCP,UDP - objectspec.socket.tcp
- objectspec.socket.tcp.tls
Configures the TLS options for outgoing connections.
- stringspec.socket.tcp.tls.caFile
Base64-encoded CA certificate in PEM format.
- objectspec.socket.tcp.tls.clientCrt
Configures the client certificate for outgoing connections.
- stringspec.socket.tcp.tls.clientCrt.crtFile
Required value
Base64-encoded certificate in PEM format.
You must also set the
keyFileparameter. - stringspec.socket.tcp.tls.clientCrt.keyFile
Required value
Base64-encoded private key in PEM format (PKCS#8).
You must also set the
crtFileparameter. - stringspec.socket.tcp.tls.clientCrt.keyPass
Base64-encoded pass phrase used to unlock the encrypted key file.
- objectspec.socket.tcp.tls.secretRef
Reference to a Kubernetes Secret containing the CA certificate (ca.pem), client certificate (crt.pem), private key (key.pem) and key pass (keyPass) in Base64-encoded PEM format. If specified, TLS settings are overridden with values from the secret. Secret should be located in d8-log-shipper namespace and have
log-shipper.deckhouse.io/watch-secret: truelabel.- stringspec.socket.tcp.tls.secretRef.name
Name of the Secret with TLS certificates.
- booleanspec.socket.tcp.verifyCertificate
Validate the TLS certificate of the remote host.
If set to
false, the certificate is not checked in the Certificate Revocation Lists.Default:
true - booleanspec.socket.tcp.verifyHostname
Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.
Default:
true
- objectspec.splunk
- stringspec.splunk.endpoint
Required value
Base URL of the Splunk instance.
Example:
endpoint: https://http-inputs-hec.splunkcloud.com - stringspec.splunk.index
Index name to write events to.
- objectspec.splunk.tls
Configures the TLS options for outgoing connections.
- stringspec.splunk.tls.caFile
Base64-encoded CA certificate in PEM format.
- objectspec.splunk.tls.clientCrt
Configures the client certificate for outgoing connections.
- stringspec.splunk.tls.clientCrt.crtFile
Required value
Base64-encoded certificate in PEM format.
You must also set the
keyFileparameter. - stringspec.splunk.tls.clientCrt.keyFile
Required value
Base64-encoded private key in PEM format (PKCS#8).
You must also set the
crtFileparameter. - stringspec.splunk.tls.clientCrt.keyPass
Base64-encoded pass phrase used to unlock the encrypted key file.
- objectspec.splunk.tls.secretRef
Reference to a Kubernetes Secret containing the CA certificate (ca.pem), client certificate (crt.pem), private key (key.pem) and key pass (keyPass) in Base64-encoded PEM format. If specified, TLS settings are overridden with values from the secret. Secret should be located in d8-log-shipper namespace and have
log-shipper.deckhouse.io/watch-secret: truelabel.- stringspec.splunk.tls.secretRef.name
Name of the Secret with TLS certificates.
- booleanspec.splunk.tls.verifyCertificate
Validate the TLS certificate of the remote host.
Default:
true - booleanspec.splunk.tls.verifyHostname
Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.
Default:
true
- stringspec.splunk.token
Required value
Default Splunk HEC token. If an event has a token set in its metadata, it will have priority over the one set here.
- stringspec.type
Type of a log storage backend.
Allowed values:
Loki,Elasticsearch,Logstash,Vector,Kafka,Splunk,Socket - objectspec.vector
- stringspec.vector.endpoint
Required value
An address of the Vector instance. API v2 must be used for communication between instances.
Pattern:
^(.+):([0-9]{1,5})$ - objectspec.vector.tls
Configures the TLS options for outgoing connections.
- stringspec.vector.tls.caFile
Base64-encoded CA certificate in PEM format.
- objectspec.vector.tls.clientCrt
Configures the client certificate for outgoing connections.
- stringspec.vector.tls.clientCrt.crtFile
Required value
Base64-encoded certificate in PEM format.
You must also set the
keyFileparameter. - stringspec.vector.tls.clientCrt.keyFile
Required value
Base64-encoded private key in PEM format (PKCS#8).
You must also set the
crtFileparameter. - stringspec.vector.tls.clientCrt.keyPass
Base64-encoded passphrase used to unlock the encrypted key file.
- objectspec.vector.tls.secretRef
Reference to a Kubernetes Secret containing the CA certificate (ca.pem), client certificate (crt.pem), private key (key.pem) and key pass (keyPass) in Base64-encoded PEM format. If specified, TLS settings are overridden with values from the secret. Secret should be located in d8-log-shipper namespace and have
log-shipper.deckhouse.io/watch-secret: truelabel.- stringspec.vector.tls.secretRef.name
Name of the Secret with TLS certificates.
- booleanspec.vector.tls.verifyCertificate
Validate the TLS certificate of the remote host.
Default:
true - booleanspec.vector.tls.verifyHostname
Verifies that the name of the remote host matches the name specified in the remote host’s TLS certificate.
Default:
true