Kubernetes Container Logs
Collect container related logs from Kubernetes clusters with Elastic Agent.
What is an Elastic integration?
This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started:
container-logs integration collects and parses logs of Kubernetes containers.
It requires access to the log files in each Kubernetes node where the container logs are stored.
This defaults to /var/log/containers/*${kubernetes.container.id}.log.
By default only container parser is enabled. Additional log parsers can be added as an advanced options configuration.
Rerouting based on pod annotations
You can customize the routing of container logs events and sending them to different datasets and namespaces using pods' annotations.
Routing customization can happen at:
- pod definition time, e.g., using a deployment.
- pod runtime, annotating pods using
kubectl.
Set routing at pod definition time
Here is an example of an Nginx deployment where we set both elastic.co/dataset and elastic.co/namespace annotations to route the container logs to specific datasets and namespace, respectively.
# nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
annotations:
elastic.co/dataset: kubernetes.container_logs.nginx
elastic.co/namespace: nginx
labels:
app: nginx
app.kubernetes.io/name: myservice
app.kubernetes.io/version: v0.1.2
app.kubernetes.io/instance: myservice-abcxzy
spec:
containers:
- name: nginx-container
image: nginx:latest
ports:
- containerPort: 80Set routing at runtime
Suppose you want to change the container logs routing on a running container. In that case, you can annotate the pod using kubectl, and the integration will apply it immediately sending all the following documents to the new destination:
Here is an example where we route the container logs for a pod running the Elastic Agent to the kubernetes.container_logs.agents dataset:
kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/dataset=kubernetes.container_logs.agentsHere's a similar example to change the namespace on a pod running Nginx:
kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/namespace=nginxYou can restore the standard routing by removing the annotations:
kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/dataset-
kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/namespace-Annotations Reference
Here are the annotations available to customize routing:
| Label | Description |
|---|---|
elastic.co/dataset | Defines the target data stream's dataset for this pod. |
elastic.co/namespace | Defines the target data stream's namespace for this pod. |
Changelog
| Version | Details |
|---|---|
1.45.0 | Enhancement View pull request Reroute container logs based on pod annotations. |
1.44.0 | Enhancement View pull request Introducing kubernetes.deployment.status.* metrics |
1.43.1 | Enhancement View pull request Updating index pattern for adHocDataviews for CCS use case |
1.43.0 | Enhancement View pull request Expand index pattern for adHocDataviews for CCS use case |
1.42.0 | Enhancement View pull request Add permissions to reroute events to logs-- for container_logs datastream |
1.41.0 | Enhancement View pull request Enable time series data streams for the metrics datasets. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html |
1.40.0 | Bug fix View pull request Fix system tests for kubernetes integration for k8s v1.27.0 |
1.40.0-beta.2 | Bug fix View pull request Fix volume dashboard. |
1.40.0-beta.1 | Bug fix View pull request Fix proxy and scheduler visualization with missing sort field. |
1.40.0-beta | Enhancement View pull request Enable TSDS for metrics data_streams, except events for beta testing |
1.39.0 | Enhancement View pull request Remove container.name as a dimension. |
1.38.1 | Enhancement View pull request Switch max to last value on counter formulas and add missing sort field to proxy, controller manager and scheduler dashboard. |
1.38.0 | Enhancement View pull request Fix Pod dashboard and remove some visualisations from Api Server dashboard to support TSDB migration |
1.37.0 | Enhancement View pull request Update proxy, controller manager and scheduler dashboard to support TSDB. |
1.36.0 | Enhancement View pull request Add container.name dimension to container data stream |
1.35.0 | Enhancement View pull request Add NetworkUnavailable condition to state node |
1.34.1 | Enhancement View pull request Add support for TSDB on all metric data streams except the state ones |
1.34.0 | Enhancement View pull request Add support for TSDB on all state metric data streams |
1.33.0 | Enhancement View pull request Add data_stream.dataset setting and custom yaml input. |
1.32.2 | Enhancement View pull request Added link to docs for condition filter |
1.32.1 | Enhancement View pull request Added categories and/or subcategories. |
1.32.0 | Enhancement View pull request Add documentation for how to install alerts |
1.31.2 | Enhancement View pull request Add system testing for state service datastream |
1.31.1 | Enhancement View pull request Update controller manager, proxy and scheduler metrics and dashboards |
1.31.0 | Enhancement View pull request Use datas_tream.dataset as pre filters for dashboards and remove tags |
1.30.0 | Enhancement View pull request Add missing namespace_uid and namespace_labels fields |
1.29.2 | Bug fix View pull request Fix function for memory node usage |
1.29.1 | Bug fix View pull request Fix removed condition setting for container_logs |
1.29.0 | Bug fix View pull request Remove "Control Plane" column from Node Information table |
1.28.2 | Bug fix View pull request Fix Pod Memory usage panel title |
1.28.1 | Enhancement View pull request Delete statefulset, job and cronjob visualizations from Cluster Overview dashboard |
1.28.0 | Enhancement View pull request Adding banner for Kube-state metrics |
1.27.1 | Enhancement View pull request Fix typo in cluster overview dashboard |
1.27.0 | Enhancement View pull request New cluster overview dashboard |
1.26.0 | Enhancement View pull request Add processors configuration option for Kubernetes data_streams |
1.25.0 | Enhancement View pull request Add condition configuration option to container logs data stream |
1.24.0 | Enhancement View pull request Add fields to audit logs data stream |
1.23.1 | Enhancement View pull request Add missing dimension fields |
1.23.0 | Enhancement View pull request Add fields to audit logs data stream |
1.22.1 | Enhancement View pull request Fix overlapping fields in state_job data stream |
1.22.0 | Enhancement View pull request Update apiserver and controllermanaged deprecated fields and dashboards |
1.21.2 | Bug fix View pull request add container ID and pod name as part of Kubernetes Cotainer Logs filestream input |
1.21.1 | Enhancement View pull request improved the wording of the link to Kubernetes documentation |
1.21.0 | Enhancement View pull request Add new dashboards |
1.20.0 | Enhancement View pull request Change fields type for audit_logs data_stream to use requestObject and responseObject fields of audit events. Disable dynamic mapping for audit_logs data_stream. Drop kubernetes.audit.responseObject.metadata and kubernetes.audit.requestObject.metadata |
1.19.1 | Enhancement View pull request Add documentation for volume field |
1.19.0 | Enhancement View pull request Add missed ecs fields |
1.18.1 | Enhancement View pull request Add documentation for multi-fields |
1.18.0 | Enhancement View pull request Fix k8s overview dashboard |
1.17.3 | Bug fix View pull request Remove incorrectly tagged boolean dimension |
1.17.2 | Bug fix View pull request Add missing metadata fields |
1.17.1 | Enhancement View pull request Improve default ndjson parser configuration |
1.17.0 | Enhancement View pull request Disable audit logs collection by default |
1.16.0 | Enhancement View pull request Documentation improvements |
1.15.0 | Enhancement View pull request Add ssl.certificate_authorities configuration |
1.14.3 | Bug fix View pull request Add missing job.name and cronjob.name fields to state_container datastream |
1.14.2 | Bug fix View pull request Add missing job.name and cronjob.name fields to container related datastreams |
1.14.1 | Bug fix View pull request Add missing job.name and cronjob.name fields added by metadata generators |
1.14.0 | Enhancement View pull request Tune state_metrics settings |
1.13.0 | Enhancement View pull request Update to ECS 8.0 |
1.12.0 | Enhancement View pull request Expose add_recourse_metadata configuration option |
1.11.0 | Enhancement View pull request Add memory.working_set.limit.pct for pod and container data streams |
1.10.0 | Enhancement View pull request Add leader election in state_job data stream |
1.9.0 | Enhancement View pull request Add missing fields |
1.8.1 | Bug fix View pull request Set kubernetes.volume.fs.used.pct to scaled_float |
1.8.0 | Enhancement View pull request Support json logs parsing |
1.7.0 | Enhancement View pull request Add new audit logs data stream in kubernetes integration |
1.6.0 | Enhancement View pull request Add skip_older option for event datastream |
1.5.0 | Enhancement View pull request Revert Kubernetes namespace field breaking change |
1.4.2 | Enhancement View pull request Add dimension fields |
1.4.1 | Enhancement View pull request Remove overriding of index pattern on the Kubernetes overview dashboard |
1.4.0 | Enhancement View pull request Use filestream input for container_logs data stream |
1.3.3 | Bug fix View pull request Fix conditions of data_streams that are based on k8s labels & add condition in pipelines |
1.3.2 | Enhancement View pull request Set default host for proxy to localhost |
1.3.1 | Enhancement View pull request Uniform with guidelines |
1.3.0 | Enhancement View pull request Add container_logs ecs fields |
1.2.1 | Bug fix View pull request Update Kubernetes cluster_ip field type |
1.2.0 | Enhancement View pull request Update Kubernetes namespace field |
1.1.1 | Bug fix View pull request Update Kubernetes integration Readme |
1.1.0 | Enhancement View pull request Update to ECS 1.12.0 |
1.0.0 | Enhancement View pull request Release Kubernetes as GA |
0.14.1 | Enhancement View pull request Update default host in kubernetes proxy data stream in kubernetes integration |
0.14.0 | Enhancement View pull request Add new container logs data stream in kubernetes integration |
0.13.0 | Enhancement View pull request Leverage dynamic kubernetes provider for controller and scheduler datastream |
0.12.2 | Bug fix View pull request Add missing field "kubernetes.daemonset.name" field for pod and container data streams |
0.12.1 | Bug fix View pull request Add missing cluster filter for "orchestrator.cluster.name" field in [Metrics Kubernetes] Overview dashboard and Dashboard section in the integration overview page |
0.12.0 | Enhancement View pull request Update kubernetes package ecs fields with orchestrator.cluster.url and orchestrator.cluster.name |
0.11.1 | Enhancement View pull request Escape special characters in docs |
0.11.0 | Enhancement View pull request Update documentation to fit mdx spec |
0.10.0 | Enhancement View pull request Update integration description |
0.9.1 | Bug fix View pull request Add missing field "kubernetes.daemonset.name" field for state_pod and state_container |
0.9.0 | Enhancement View pull request Enhance kubernetes package with state_job data stream |
0.8.0 | Enhancement View pull request Leverage leader election in kubernetes integration |
0.7.0 | Enhancement View pull request Add _meta information to Kubernetes fields |
0.6.0 | Enhancement View pull request Introduce kubernetes package granularity using input_groups |
0.5.3 | Enhancement View pull request Add missing field "kubernetes.statefulset.replicas.ready" |
0.5.2 | Bug fix View pull request Fix stack compatability |
0.5.1 | Bug fix View pull request Fix references to env variables |
0.5.0 | Enhancement View pull request Add missing field "kubernetes.selectors.*" and extra https settings for controllermanager and scheduler datastreams |
0.4.5 | Enhancement View pull request Add missing field "kubernetes.pod.ip" |
0.4.4 | Enhancement View pull request Updating package owner |
0.4.3 | Bug fix View pull request Correct sample event file. |
0.4.2 | Bug fix View pull request Change kibana.version constraint to be more conservative. |
0.4.1 | Enhancement View pull request Add missing fields |
0.1.0 | Enhancement View pull request initial release |