Observability — Logging FAQ

This page contains some of the frequently asked questions about logging.

How to change the log store to the external Elasticsearch and shut down the internal Elasticsearch

If you are using the KubeSphere internal Elasticsearch and want to change it to your external alternate, follow the steps below. If you haven’t enabled the logging system, refer to KubeSphere Logging System to setup your external Elasticsearch directly.

  1. First, you need to update the KubeKey configuration. Execute the following command:

    1. kubectl edit cc -n kubesphere-system ks-installer
  2. Comment out es.elasticsearchDataXXX, es.elasticsearchMasterXXX and status.logging, and set es.externalElasticsearchUrl to the address of your Elasticsearch and es.externalElasticsearchPort to its port number. Below is an example for your reference.

    1. apiVersion: installer.kubesphere.io/v1alpha1
    2. kind: ClusterConfiguration
    3. metadata:
    4. name: ks-installer
    5. namespace: kubesphere-system
    6. ...
    7. spec:
    8. ...
    9. common:
    10. es:
    11. # elasticsearchDataReplicas: 1
    12. # elasticsearchDataVolumeSize: 20Gi
    13. # elasticsearchMasterReplicas: 1
    14. # elasticsearchMasterVolumeSize: 4Gi
    15. elkPrefix: logstash
    16. logMaxAge: 7
    17. externalElasticsearchUrl: <192.168.0.2>
    18. externalElasticsearchPort: <9200>
    19. ...
    20. status:
    21. ...
    22. # logging:
    23. # enabledTime: 2020-08-10T02:05:13UTC
    24. # status: enabled
    25. ...
  3. Rerun ks-installer.

    1. kubectl rollout restart deploy -n kubesphere-system ks-installer
  4. Remove the internal Elasticsearch by running the following command. Please make sure you have backed up data in the internal Elasticsearch.

    1. helm uninstall -n kubesphere-logging-system elasticsearch-logging
  5. Change the configuration of Jaeger if Istio is enabled.

    1. $ kubectl -n istio-system edit jaeger
    2. ...
    3. options:
    4. es:
    5. index-prefix: logstash
    6. server-urls: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200 # Change it to the external address.

How to change the log store to Elasticsearch with X-Pack Security enabled

Currently, KubeSphere doesn’t support the integration of Elasticsearch with X-Pack Security enabled. This feature is coming soon.

How to modify the log data retention period

You need to update the KubeKey configuration and rerun ks-installer.

  1. Execute the following command:

    1. kubectl edit cc -n kubesphere-system ks-installer
  2. Comment out status.logging and set a desired retention period as the value of es.logMaxAge (7 by default).

    1. apiVersion: installer.kubesphere.io/v1alpha1
    2. kind: ClusterConfiguration
    3. metadata:
    4. name: ks-installer
    5. namespace: kubesphere-system
    6. ...
    7. spec:
    8. ...
    9. common:
    10. es:
    11. ...
    12. logMaxAge: <7>
    13. ...
    14. status:
    15. ...
    16. # logging:
    17. # enabledTime: 2020-08-10T02:05:13UTC
    18. # status: enabled
    19. ...
  3. Rerun ks-installer.

    1. kubectl rollout restart deploy -n kubesphere-system ks-installer

I cannot find logs from workloads on some nodes using Toolbox

If you deployed KubeSphere through multi-node installation and are using symbolic links for the docker root directory, make sure all nodes follow the same symbolic links. Logging agents are deployed in DaemonSets onto nodes. Any discrepancy in container log paths may cause collection failures on that node.

To find out the docker root directory path on nodes, you can run the following command. Make sure the same value applies to all nodes.

  1. docker info -f '{{.DockerRootDir}}'

The log search page in Toolbox gets stuck when loading

If the log search page is stuck when loading, check the storage system you are using. For example, a misconfigured NFS storage system may cause this issue.

Toolbox shows no log record today

Check if your log volume exceeds the storage limit of Elasticsearch. If so, you need to increase the Elasticsearch disk volume.

I see Internal Server Error when viewing logs in Toolbox

There can be several reasons for this issue:

  • Network partition
  • Invalid Elasticsearch host and port
  • The Elasticsearch health status is red

How to make KubeSphere only collect logs from specified workloads

The KubeSphere logging agent is powered by Fluent Bit. You need to update the Fluent Bit configuration to exclude certain workload logs. To modify the Fluent Bit input configuration, run the following command:

  1. kubectl edit input -n kubesphere-logging-system tail

Update the field Input.Spec.Tail.ExcludePath. For example, set the path to /var/log/containers/*_kube*-system_*.log to exclude any log from system components.

For more information, see Fluent Bit Operator.