Parse system logs into structured messages in fluentd.

This allows you to filter based on components of the log,
like their severity, in the developers console or elasticsearch.

cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf

@@ -115,65 +115,90 @@
   read_from_head true
 </source>
 
+# Example:
+# 2015-12-21 23:17:22,066 [salt.state       ][INFO    ] Completed state [net.ipv4.ip_forward] at time 23:17:22.066081
 <source>
   type tail
-  format none
+  format /^(?<time>[^ ]* [^ ,]*)[^\[]*\[[^\]]*\]\[(?<severity>[^ \]]*) *\] (?<message>.*)$/
+  time_format %Y-%m-%d %H:%M:%S
   path /var/log/salt/minion
   pos_file /var/log/gcp-salt.pos
   tag salt
 </source>
 
+# Example:
+# Dec 21 23:17:22 gke-foo-1-1-4b5cbd14-node-4eoj startupscript: Finished running startup script /var/run/google.startup.script
 <source>
   type tail
-  format none
+  format syslog
   path /var/log/startupscript.log
   pos_file /var/log/es-startupscript.log.pos
   tag startupscript
 </source>
 
+# Examples:
+# time="2016-02-04T06:51:03.053580605Z" level=info msg="GET /containers/json"
+# time="2016-02-04T07:53:57.505612354Z" level=error msg="HTTP Error" err="No such image: -f" statusCode=404
 <source>
   type tail
-  format none
+  format /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
+  time_format %Y-%m-%dT%H:%M:%S.%N%z
   path /var/log/docker.log
   pos_file /var/log/es-docker.log.pos
   tag docker
 </source>
 
+# Example:
+# 2016/02/04 06:52:38 filePurge: successfully removed file /var/etcd/data/member/wal/00000000000006d0-00000000010a23d1.wal
 <source>
   type tail
+  # Not parsing this, because it doesn't have anything particularly useful to
+  # parse out of it (like severities).
   format none
   path /var/log/etcd.log
   pos_file /var/log/es-etcd.log.pos
   tag etcd
 </source>
 
+# Example:
+# I0204 07:32:30.020537    3368 server.go:1048] POST /stats/container/: (13.972191ms) 200 [[Go-http-client/1.1] 10.244.1.3:40537]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kubelet.log
   pos_file /var/log/es-kubelet.log.pos
   tag kubelet
 </source>
 
+# Example:
+# I0204 07:00:19.604280       5 handlers.go:131] GET /api/v1/nodes: (1.624207ms) 200 [[kube-controller-manager/v1.1.3 (linux/amd64) kubernetes/6a81b50] 127.0.0.1:38266]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-apiserver.log
   pos_file /var/log/es-kube-apiserver.log.pos
   tag kube-apiserver
 </source>
 
+# Example:
+# I0204 06:55:31.872680       5 servicecontroller.go:277] LB already exists and doesn't need update for service kube-system/kube-ui
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-controller-manager.log
   pos_file /var/log/es-kube-controller-manager.log.pos
   tag kube-controller-manager
 </source>
 
+# Example:
+# W0204 06:49:18.239674       7 reflector.go:245] pkg/scheduler/factory/factory.go:193: watch of *api.Service ended with: 401: The event in requested index is outdated and cleared (the requested history has been cleared [2578313/2577886]) [2579312]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-scheduler.log
   pos_file /var/log/es-kube-scheduler.log.pos
   tag kube-scheduler

cluster/addons/fluentd-gcp/fluentd-gcp-image/google-fluentd.conf

@@ -64,65 +64,90 @@
   tag kubernetes.${tag_suffix[4].split('-')[0..-2].join('-')}
 </match>
 
+# Example:
+# 2015-12-21 23:17:22,066 [salt.state       ][INFO    ] Completed state [net.ipv4.ip_forward] at time 23:17:22.066081
 <source>
   type tail
-  format none
+  format /^(?<time>[^ ]* [^ ,]*)[^\[]*\[[^\]]*\]\[(?<severity>[^ \]]*) *\] (?<message>.*)$/
+  time_format %Y-%m-%d %H:%M:%S
   path /var/log/salt/minion
   pos_file /var/log/gcp-salt.pos
   tag salt
 </source>
 
+# Example:
+# Dec 21 23:17:22 gke-foo-1-1-4b5cbd14-node-4eoj startupscript: Finished running startup script /var/run/google.startup.script
 <source>
   type tail
-  format none
+  format syslog
   path /var/log/startupscript.log
   pos_file /var/log/gcp-startupscript.log.pos
   tag startupscript
 </source>
 
+# Examples:
+# time="2016-02-04T06:51:03.053580605Z" level=info msg="GET /containers/json"
+# time="2016-02-04T07:53:57.505612354Z" level=error msg="HTTP Error" err="No such image: -f" statusCode=404
 <source>
   type tail
-  format none
+  format /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
+  time_format %Y-%m-%dT%H:%M:%S.%N%z
   path /var/log/docker.log
   pos_file /var/log/gcp-docker.log.pos
   tag docker
 </source>
 
+# Example:
+# 2016/02/04 06:52:38 filePurge: successfully removed file /var/etcd/data/member/wal/00000000000006d0-00000000010a23d1.wal
 <source>
   type tail
+  # Not parsing this, because it doesn't have anything particularly useful to
+  # parse out of it (like severities).
   format none
   path /var/log/etcd.log
   pos_file /var/log/gcp-etcd.log.pos
   tag etcd
 </source>
 
+# Example:
+# I0204 07:32:30.020537    3368 server.go:1048] POST /stats/container/: (13.972191ms) 200 [[Go-http-client/1.1] 10.244.1.3:40537]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kubelet.log
   pos_file /var/log/gcp-kubelet.log.pos
   tag kubelet
 </source>
 
+# Example:
+# I0204 07:00:19.604280       5 handlers.go:131] GET /api/v1/nodes: (1.624207ms) 200 [[kube-controller-manager/v1.1.3 (linux/amd64) kubernetes/6a81b50] 127.0.0.1:38266]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-apiserver.log
   pos_file /var/log/gcp-kube-apiserver.log.pos
   tag kube-apiserver
 </source>
 
+# Example:
+# I0204 06:55:31.872680       5 servicecontroller.go:277] LB already exists and doesn't need update for service kube-system/kube-ui
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-controller-manager.log
   pos_file /var/log/gcp-kube-controller-manager.log.pos
   tag kube-controller-manager
 </source>
 
+# Example:
+# W0204 06:49:18.239674       7 reflector.go:245] pkg/scheduler/factory/factory.go:193: watch of *api.Service ended with: 401: The event in requested index is outdated and cleared (the requested history has been cleared [2578313/2577886]) [2579312]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-scheduler.log
   pos_file /var/log/gcp-kube-scheduler.log.pos
   tag kube-scheduler