Kubernetes Pods Logs
- Updated on 12 Jun 2025
- 4 Minutes to read
Overview
This adapter ingests the logs written by the pods running in a Kubernetes cluster.
It relies on local filesystem access to the standard Kubernetes pod log layout on each node, so it is best run as a DaemonSet with the node's pod log directory (usually /var/log/pods) mounted into the adapter container. Be aware of what that mount grants: the adapter can read the stdout/stderr of every pod scheduled on the node, across all namespaces. Scope what is forwarded with the include and exclude regexes described in the configuration below, and treat the installation key as a credential rather than a configuration value.
A public Docker image is available as refractionpoint/lc-adapter-k8s-pods.
Configurations
Adapter Type: k8s_pods
The following fields are required for configuration:
- client_options: the common configuration shared by all adapters, as defined in the general adapter configuration documentation.
- root: the root of the Kubernetes directory storing pod logs, usually /var/log/pods.
Infrastructure as Code Deployment
# Kubernetes Pods Specific Docs: https://docs.limacharlie.io/docs/adapter-types-k8s-pods
sensor_type: "k8s_pods"
k8s_pods:
  write_timeout_sec: 10 # (optional) Timeout in seconds for writing data, e.g. 10 or null.
  # (optional) Root directory where pod logs are stored on the node. Defaults depend on the K8s distro and CRI.
  # Examples: "/var/log/pods" (common), "/var/lib/docker/containers" (Docker runtime, if linking to its logs).
  root: "/var/log/pods"
  # (optional) Regex to include specific pods (matched against pod_namespace_pod_name_container_id).
  include_pods_re: "^my-app-namespace_my-app-pod-.*_container-id$" # Example: only include specific app pods
  # (optional) Regex to exclude specific pods (matched against pod_namespace_pod_name_container_id).
  exclude_pods_re: "^kube-system_kube-proxy-.*$" # Example: exclude kube-proxy pods
  client_options:
    identity:
      oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
      installation_key: "YOUR_LC_INSTALLATION_KEY_K8SPODS" # (required) Installation key associated with the OID; a credential, keep it out of version control.
    # Hostname should ideally be the K8s node name where the adapter is running (if DaemonSet)
    # or a logical name representing the log collection scope.
    hostname: "k8s-worker-node-01.my-cluster.internal" # (required)
    platform: "kubernetes" # (required) Indicates the source is Kubernetes pod logs.
    architecture: "x86_64" # (optional) Architecture of the K8s node.
    mapping:
      # Pod logs (stdout/stderr) can be unstructured text or JSON lines.
      # If JSON lines, parsing_re is null. If text, define a regex.
      # Example for a generic text log: timestamp [level] message
      parsing_re: "^(?P<log_timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+Z)\\s+\\[(?P<log_level>\\w+)\\]\\s+(?P<log_message>.*)$"
      # (optional) Path to uniquely ID the original event. Can use K8s metadata if available in routing.
      sensor_key_path: "routing.k8s_pod_uid" # Example: if the adapter provides the pod UID in routing info.
      # (optional) If client_options.hostname is NOT static, or to use the K8s node name from routing.
      sensor_hostname_path: "routing.k8s_node_name" # If the adapter provides the node name in routing.
      # (optional) Example results: "K8S_POD_MYAPP_ACCESS_LOG", "K8S_POD_BACKEND_ERROR_LOG".
      # Leverages metadata injected by the adapter into the 'routing' field.
      event_type_path: "K8S_POD_{{ .routing.k8s_namespace | token | upper }}_{{ .routing.k8s_container_name | token | upper | default \"APP\" }}_{{ .log_level | token | upper | default \"INFO\" }}"
      # (optional) JSON path to the event's occurrence time, from the parsed log or the K8s timestamp.
      event_time_path: "log_timestamp" # Assumes 'log_timestamp' is captured by parsing_re or present in JSON logs.
      # (optional) JSON path for a field to populate LimaCharlie's investigation_id.
      investigation_id_path: "routing.k8s_pod_name" # Example: using the pod name for correlation.
      # (optional) Use +/- syntax for transforms.
      transform:
        "+kubernetes_cluster_name": "prod-us-central1-a"
        "+k8s_namespace_from_routing": "{{ .routing.k8s_namespace }}"
        "+k8s_pod_name_from_routing": "{{ .routing.k8s_pod_name }}"
        "+k8s_container_name_from_routing": "{{ .routing.k8s_container_name }}"
        "-internal_log_stream_id": null # Example: remove an internal field
      # (optional) A list of field paths to drop.
      drop_fields:
        - "very_verbose_debug_output_from_pod"
      sid_replication_path: null # (optional) Not typically relevant for K8s pod logs.
      # mappings: null # Deprecated or less common.
    indexing:
      enabled: true
      # Example: index by K8s namespace and container name
      default_index: "k8s-logs-{{ .routing.k8s_namespace | lower | default \"default\" }}-{{ .routing.k8s_container_name | lower | default \"app\" }}-{{ .identity.oid | substr 0 8 }}"
    is_compressed: false # (optional) Logs are read from the filesystem, usually not compressed at this stage.
    sensor_seed_key: "SEED_KEY_K8SPODS_ADAPTER_001" # (required)
    dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
Sample Kubernetes Configuration
An example DaemonSet configuration for Kubernetes. The OID and IKEY values below are placeholders; in a real deployment they should come from a Secret rather than being written into the pod spec, and the hostPath mount should be read-only, since the adapter only reads the log files.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: lc-adapter-k8s-pods
  namespace: default
spec:
  minReadySeconds: 30
  selector:
    matchLabels:
      name: lc-adapter-k8s-pods
  template:
    metadata:
      labels:
        name: lc-adapter-k8s-pods
    spec:
      containers:
        - image: refractionpoint/lc-adapter-k8s-pods
          name: lc-adapter-k8s-pods
          volumeMounts:
            # The node's pod log directory, mounted where K8S_POD_LOGS points.
            - mountPath: /k8s-pod-logs
              name: pod-logs
          env:
            - name: K8S_POD_LOGS
              value: /k8s-pod-logs
            - name: OID # LimaCharlie organization ID (placeholder value)
              value: aaaaaaaa-bfa1-bbbb-cccc-138cd51389cd
            - name: IKEY # Installation key (placeholder value; a credential)
              value: aaaaaaaa-9ae6-bbbb-cccc-5e42b854adf5
            - name: NAME
              value: k8s-pods
      volumes:
        # hostPath grants access to every pod's stdout/stderr on the node.
        - hostPath:
            path: /var/log/pods
          name: pod-logs
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
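The manifest above is the minimum needed to get the adapter running. Two things about it deserve attention in production: the hostPath mount of /var/log/pods hands the container the stdout/stderr of every pod on the node, and the installation key is a credential that lets anything holding it enrol sensors into the organization. The following is a hardened variant added for this article; it is not a manifest shipped by LimaCharlie. It keeps the environment variable names from the page's own example, and assumes a dedicated namespace named limacharlie, a Secret named lc-adapter-k8s-pods, and illustrative resource figures; all three are choices made here, not values the page or the image require.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: limacharlie  # assumed dedicated namespace for the adapter
  labels:
    # hostPath volumes are rejected at the "baseline" Pod Security level, so the
    # namespace must be exempted; keep it dedicated to the adapter for that reason.
    pod-security.kubernetes.io/enforce: privileged
---
apiVersion: v1
kind: Secret
metadata:
  name: lc-adapter-k8s-pods  # assumed name; referenced by the DaemonSet below
  namespace: limacharlie
type: Opaque
stringData:
  oid: aaaaaaaa-bfa1-bbbb-cccc-138cd51389cd   # placeholder value from the page's example
  ikey: aaaaaaaa-9ae6-bbbb-cccc-5e42b854adf5  # placeholder; rotate by replacing this Secret
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: lc-adapter-k8s-pods
  namespace: limacharlie
spec:
  minReadySeconds: 30
  selector:
    matchLabels:
      name: lc-adapter-k8s-pods
  template:
    metadata:
      labels:
        name: lc-adapter-k8s-pods
    spec:
      # The adapter reads files from the node and never needs the API server,
      # so do not mount a service-account token that a compromised pod could use.
      automountServiceAccountToken: false
      # Also collect from control-plane nodes, where kube-system components run;
      # remove this toleration if those nodes are out of scope.
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      containers:
        - image: refractionpoint/lc-adapter-k8s-pods  # pin to a digest in production
          name: lc-adapter-k8s-pods
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # runAsNonRoot is deliberately not set: /var/log/pods is normally
            # readable only by root, so the adapter needs root to read it.
          resources:  # assumed figures; size to the node's log volume
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 256Mi
          volumeMounts:
            - mountPath: /k8s-pod-logs
              name: pod-logs
              readOnly: true  # the adapter only reads; never let it alter node logs
          env:
            - name: K8S_POD_LOGS
              value: /k8s-pod-logs
            - name: OID
              valueFrom:
                secretKeyRef:
                  name: lc-adapter-k8s-pods
                  key: oid
            - name: IKEY
              valueFrom:
                secretKeyRef:
                  name: lc-adapter-k8s-pods
                  key: ikey
            - name: NAME
              value: k8s-pods
      volumes:
        - name: pod-logs
          hostPath:
            path: /var/log/pods
            type: Directory  # fail the pod if the path is missing rather than creating it
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
```

Apply the three documents together with kubectl apply -f. Environment variables sourced from a Secret are read once at container start, so after rotating the installation key update the Secret and run kubectl rollout restart daemonset/lc-adapter-k8s-pods -n limacharlie so every node picks up the new value. If the image keeps any state on its own filesystem, do not add readOnlyRootFilesystem without also giving it an emptyDir at that path.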
Adapters are the data ingestion mechanism for both on-premise and cloud environments.
Infrastructure as Code (IaC) manages and provisions infrastructure from code, so that resources can be scaled, maintained, and deployed consistently. In LimaCharlie, IaC lets security teams deploy and manage sensors, rules, and other security infrastructure programmatically, giving repeatable, reviewable configurations and faster response times.