How-To: Set up Fluentd, Elastic search and Kibana in Kubernetes

How to install Fluentd, Elastic Search, and Kibana to search logs in Kubernetes

Prerequisites

Install Elastic search and Kibana

  1. Create a Kubernetes namespace for monitoring tools

    1. kubectl create namespace dapr-monitoring

  2. Add the helm repo for Elastic Search

    1. helm repo add elastic https://helm.elastic.co
    2. helm repo update

  3. Install Elastic Search using Helm

    By default, the chart creates 3 replicas which must be on different nodes. If your cluster has fewer than 3 nodes, specify a smaller number of replicas. For example, this sets the number of replicas to 1:

    1. helm install elasticsearch elastic/elasticsearch --version 7.17.3 -n dapr-monitoring --set replicas=1

    Otherwise:

    1. helm install elasticsearch elastic/elasticsearch --version 7.17.3 -n dapr-monitoring

    If you are using minikube or simply want to disable persistent volumes for development purposes, you can do so by using the following command:

    1. helm install elasticsearch elastic/elasticsearch --version 7.17.3 -n dapr-monitoring --set persistence.enabled=false,replicas=1

  4. Install Kibana

    1. helm install kibana elastic/kibana --version 7.17.3 -n dapr-monitoring

  5. Ensure that Elastic Search and Kibana are running in your Kubernetes cluster

    1. $ kubectl get pods -n dapr-monitoring
    2. NAME                            READY   STATUS    RESTARTS   AGE
    3. elasticsearch-master-0          1/1     Running   0          6m58s
    4. kibana-kibana-95bc54b89-zqdrk   1/1     Running   0          4m21s

Install Fluentd

  1. Install config map and Fluentd as a daemonset

    Download these config files:

    Note: If you already have Fluentd running in your cluster, please enable the nested json parser so that it can parse JSON-formatted logs from Dapr.

    Apply the configurations to your cluster:

    1. kubectl apply -f ./fluentd-config-map.yaml
    2. kubectl apply -f ./fluentd-dapr-with-rbac.yaml

  2. Ensure that Fluentd is running as a daemonset. The number of FluentD instances should be the same as the number of cluster nodes. In the example below, there is only one node in the cluster:

    1. $ kubectl get pods -n kube-system -w
    2. NAME                          READY   STATUS    RESTARTS   AGE
    3. coredns-6955765f44-cxjxk      1/1     Running   0          4m41s
    4. coredns-6955765f44-jlskv      1/1     Running   0          4m41s
    5. etcd-m01                      1/1     Running   0          4m48s
    6. fluentd-sdrld                 1/1     Running   0          14s

Install Dapr with JSON formatted logs

  1. Install Dapr with enabling JSON-formatted logs

    1. helm repo add dapr https://dapr.github.io/helm-charts/
    2. helm repo update
    3. helm install dapr dapr/dapr --namespace dapr-system --set global.logAsJson=true

  2. Enable JSON formatted log in Dapr sidecar

    Add the dapr.io/log-as-json: "true" annotation to your deployment yaml. For example:

    1. apiVersion: apps/v1
    2. kind: Deployment
    3. metadata:
    4.   name: pythonapp
    5.   namespace: default
    6.   labels:
    7.     app: python
    8. spec:
    9.   replicas: 1
    10.   selector:
    11.     matchLabels:
    12.       app: python
    13.   template:
    14.     metadata:
    15.       labels:
    16.         app: python
    17.       annotations:
    18.         dapr.io/enabled: "true"
    19.         dapr.io/app-id: "pythonapp"
    20.         dapr.io/log-as-json: "true"
    21. ...

Search logs

Note: Elastic Search takes a time to index the logs that Fluentd sends.

  1. Port-forward from localhost to svc/kibana-kibana

    1. $ kubectl port-forward svc/kibana-kibana 5601 -n dapr-monitoring
    2. Forwarding from 127.0.0.1:5601 -> 5601
    3. Forwarding from [::1]:5601 -> 5601
    4. Handling connection for 5601
    5. Handling connection for 5601

  2. Browse to http://localhost:5601

  3. Expand the drop-down menu and click Management → Stack Management

    Stack Management item under Kibana Management menu options

  4. On the Stack Management page, select Data → Index Management and wait until dapr-* is indexed.

    Index Management view on Kibana Stack Management page

  5. Once dapr-* is indexed, click on Kibana → Index Patterns and then the Create index pattern button.

    Kibana create index pattern button

  6. Define a new index pattern by typing dapr* into the Index Pattern name field, then click the Next step button to continue.

    Kibana define an index pattern page

  7. Configure the primary time field to use with the new index pattern by selecting the @timestamp option from the Time field drop-down. Click the Create index pattern button to complete creation of the index pattern.

    Kibana configure settings page for creating an index pattern

  8. The newly created index pattern should be shown. Confirm that the fields of interest such as scope, type, app_id, level, etc. are being indexed by using the search box in the Fields tab.

    Note: If you cannot find the indexed field, please wait. The time it takes to search across all indexed fields depends on the volume of data and size of the resource that the elastic search is running on.

    View of created Kibana index pattern

  9. To explore the indexed data, expand the drop-down menu and click Analytics → Discover.

    Discover item under Kibana Analytics menu options

  10. In the search box, type in a query string such as scope:* and click the Refresh button to view the results.

    Note: This can take a long time. The time it takes to return all results depends on the volume of data and size of the resource that the elastic search is running on.

    Using the search box in the Kibana Analytics Discover page

References

Last modified October 12, 2023: Update config.toml (#3826) (0ffc2e7)