From 592da85a8120d73ab42019b8b2f96acf3afa305c Mon Sep 17 00:00:00 2001
From: Alex Robinson <arob@google.com>
Date: Thu, 7 Jan 2016 20:41:22 -0500
Subject: [PATCH 1/2] Parse system logs into structured messages in fluentd.

This allows you to filter based on components of the log,
like their severity, in the developers console or elasticsearch.
---
 .../fluentd-es-image/td-agent.conf            | 39 +++++++++++++++----
 .../fluentd-gcp-image/google-fluentd.conf     | 39 +++++++++++++++----
 2 files changed, 64 insertions(+), 14 deletions(-)

diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf
index bbe39854181..1e2013da01d 100644
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf
@@ -115,65 +115,90 @@
   read_from_head true
 </source>
 
+# Example:
+# 2015-12-21 23:17:22,066 [salt.state       ][INFO    ] Completed state [net.ipv4.ip_forward] at time 23:17:22.066081
 <source>
   type tail
-  format none
+  format /^(?<time>[^ ]* [^ ,]*)[^\[]*\[[^\]]*\]\[(?<severity>[^ \]]*) *\] (?<message>.*)$/
+  time_format %Y-%m-%d %H:%M:%S
   path /var/log/salt/minion
   pos_file /var/log/gcp-salt.pos
   tag salt
 </source>
 
+# Example:
+# Dec 21 23:17:22 gke-foo-1-1-4b5cbd14-node-4eoj startupscript: Finished running startup script /var/run/google.startup.script
 <source>
   type tail
-  format none
+  format syslog
   path /var/log/startupscript.log
   pos_file /var/log/es-startupscript.log.pos
   tag startupscript
 </source>
 
+# Examples:
+# time="2016-02-04T06:51:03.053580605Z" level=info msg="GET /containers/json"
+# time="2016-02-04T07:53:57.505612354Z" level=error msg="HTTP Error" err="No such image: -f" statusCode=404
 <source>
   type tail
-  format none
+  format /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
+  time_format %Y-%m-%dT%H:%M:%S.%N%z
   path /var/log/docker.log
   pos_file /var/log/es-docker.log.pos
   tag docker
 </source>
 
+# Example:
+# 2016/02/04 06:52:38 filePurge: successfully removed file /var/etcd/data/member/wal/00000000000006d0-00000000010a23d1.wal
 <source>
   type tail
+  # Not parsing this, because it doesn't have anything particularly useful to
+  # parse out of it (like severities).
   format none
   path /var/log/etcd.log
   pos_file /var/log/es-etcd.log.pos
   tag etcd
 </source>
 
+# Example:
+# I0204 07:32:30.020537    3368 server.go:1048] POST /stats/container/: (13.972191ms) 200 [[Go-http-client/1.1] 10.244.1.3:40537]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kubelet.log
   pos_file /var/log/es-kubelet.log.pos
   tag kubelet
 </source>
 
+# Example:
+# I0204 07:00:19.604280       5 handlers.go:131] GET /api/v1/nodes: (1.624207ms) 200 [[kube-controller-manager/v1.1.3 (linux/amd64) kubernetes/6a81b50] 127.0.0.1:38266]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-apiserver.log
   pos_file /var/log/es-kube-apiserver.log.pos
   tag kube-apiserver
 </source>
 
+# Example:
+# I0204 06:55:31.872680       5 servicecontroller.go:277] LB already exists and doesn't need update for service kube-system/kube-ui
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-controller-manager.log
   pos_file /var/log/es-kube-controller-manager.log.pos
   tag kube-controller-manager
 </source>
 
+# Example:
+# W0204 06:49:18.239674       7 reflector.go:245] pkg/scheduler/factory/factory.go:193: watch of *api.Service ended with: 401: The event in requested index is outdated and cleared (the requested history has been cleared [2578313/2577886]) [2579312]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-scheduler.log
   pos_file /var/log/es-kube-scheduler.log.pos
   tag kube-scheduler
diff --git a/cluster/addons/fluentd-gcp/fluentd-gcp-image/google-fluentd.conf b/cluster/addons/fluentd-gcp/fluentd-gcp-image/google-fluentd.conf
index 98caf02fb60..190afd31773 100644
--- a/cluster/addons/fluentd-gcp/fluentd-gcp-image/google-fluentd.conf
+++ b/cluster/addons/fluentd-gcp/fluentd-gcp-image/google-fluentd.conf
@@ -64,65 +64,90 @@
   tag kubernetes.${tag_suffix[4].split('-')[0..-2].join('-')}
 </match>
 
+# Example:
+# 2015-12-21 23:17:22,066 [salt.state       ][INFO    ] Completed state [net.ipv4.ip_forward] at time 23:17:22.066081
 <source>
   type tail
-  format none
+  format /^(?<time>[^ ]* [^ ,]*)[^\[]*\[[^\]]*\]\[(?<severity>[^ \]]*) *\] (?<message>.*)$/
+  time_format %Y-%m-%d %H:%M:%S
   path /var/log/salt/minion
   pos_file /var/log/gcp-salt.pos
   tag salt
 </source>
 
+# Example:
+# Dec 21 23:17:22 gke-foo-1-1-4b5cbd14-node-4eoj startupscript: Finished running startup script /var/run/google.startup.script
 <source>
   type tail
-  format none
+  format syslog
   path /var/log/startupscript.log
   pos_file /var/log/gcp-startupscript.log.pos
   tag startupscript
 </source>
 
+# Examples:
+# time="2016-02-04T06:51:03.053580605Z" level=info msg="GET /containers/json"
+# time="2016-02-04T07:53:57.505612354Z" level=error msg="HTTP Error" err="No such image: -f" statusCode=404
 <source>
   type tail
-  format none
+  format /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
+  time_format %Y-%m-%dT%H:%M:%S.%N%z
   path /var/log/docker.log
   pos_file /var/log/gcp-docker.log.pos
   tag docker
 </source>
 
+# Example:
+# 2016/02/04 06:52:38 filePurge: successfully removed file /var/etcd/data/member/wal/00000000000006d0-00000000010a23d1.wal
 <source>
   type tail
+  # Not parsing this, because it doesn't have anything particularly useful to
+  # parse out of it (like severities).
   format none
   path /var/log/etcd.log
   pos_file /var/log/gcp-etcd.log.pos
   tag etcd
 </source>
 
+# Example:
+# I0204 07:32:30.020537    3368 server.go:1048] POST /stats/container/: (13.972191ms) 200 [[Go-http-client/1.1] 10.244.1.3:40537]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kubelet.log
   pos_file /var/log/gcp-kubelet.log.pos
   tag kubelet
 </source>
 
+# Example:
+# I0204 07:00:19.604280       5 handlers.go:131] GET /api/v1/nodes: (1.624207ms) 200 [[kube-controller-manager/v1.1.3 (linux/amd64) kubernetes/6a81b50] 127.0.0.1:38266]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-apiserver.log
   pos_file /var/log/gcp-kube-apiserver.log.pos
   tag kube-apiserver
 </source>
 
+# Example:
+# I0204 06:55:31.872680       5 servicecontroller.go:277] LB already exists and doesn't need update for service kube-system/kube-ui
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-controller-manager.log
   pos_file /var/log/gcp-kube-controller-manager.log.pos
   tag kube-controller-manager
 </source>
 
+# Example:
+# W0204 06:49:18.239674       7 reflector.go:245] pkg/scheduler/factory/factory.go:193: watch of *api.Service ended with: 401: The event in requested index is outdated and cleared (the requested history has been cleared [2578313/2577886]) [2579312]
 <source>
   type tail
-  format none
+  format /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)$/
+  time_format %m%d %H:%M:%S.%N
   path /var/log/kube-scheduler.log
   pos_file /var/log/gcp-kube-scheduler.log.pos
   tag kube-scheduler

From e5c5f7640222e3cb2db1619b2b6a553986fb4c62 Mon Sep 17 00:00:00 2001
From: Alex Robinson <arob@google.com>
Date: Thu, 4 Feb 2016 23:29:27 +0000
Subject: [PATCH 2/2] Update the default fluentd images to parse system logs.

---
 cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile | 2 +-
 cluster/addons/fluentd-gcp/fluentd-gcp-image/Makefile          | 2 +-
 cluster/saltbase/salt/fluentd-es/fluentd-es.yaml               | 2 +-
 cluster/saltbase/salt/fluentd-gcp/fluentd-gcp.yaml             | 2 +-
 docs/getting-started-guides/logging.md                         | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile
index 4dc3d137acb..6b818c1f3ee 100644
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile
@@ -15,7 +15,7 @@
 .PHONY:	build push
 
 IMAGE = fluentd-elasticsearch
-TAG = 1.13
+TAG = 1.14
 
 build:	
 	docker build -t gcr.io/google_containers/$(IMAGE):$(TAG) .
diff --git a/cluster/addons/fluentd-gcp/fluentd-gcp-image/Makefile b/cluster/addons/fluentd-gcp/fluentd-gcp-image/Makefile
index efbe6a8aa92..4dcbd83c404 100644
--- a/cluster/addons/fluentd-gcp/fluentd-gcp-image/Makefile
+++ b/cluster/addons/fluentd-gcp/fluentd-gcp-image/Makefile
@@ -28,7 +28,7 @@
 
 .PHONY:	kbuild kpush
 
-TAG = 1.15
+TAG = 1.16
 
 # Rules for building the test image for deployment to Dockerhub with user kubernetes.
 
diff --git a/cluster/saltbase/salt/fluentd-es/fluentd-es.yaml b/cluster/saltbase/salt/fluentd-es/fluentd-es.yaml
index af662a74811..1341aa9bcd3 100644
--- a/cluster/saltbase/salt/fluentd-es/fluentd-es.yaml
+++ b/cluster/saltbase/salt/fluentd-es/fluentd-es.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
   containers:
   - name: fluentd-elasticsearch
-    image: gcr.io/google_containers/fluentd-elasticsearch:1.13
+    image: gcr.io/google_containers/fluentd-elasticsearch:1.14
     resources:
       limits:
         cpu: 100m
diff --git a/cluster/saltbase/salt/fluentd-gcp/fluentd-gcp.yaml b/cluster/saltbase/salt/fluentd-gcp/fluentd-gcp.yaml
index 61869685fbd..8a2b008731b 100644
--- a/cluster/saltbase/salt/fluentd-gcp/fluentd-gcp.yaml
+++ b/cluster/saltbase/salt/fluentd-gcp/fluentd-gcp.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
   containers:
   - name: fluentd-cloud-logging
-    image: gcr.io/google_containers/fluentd-gcp:1.15
+    image: gcr.io/google_containers/fluentd-gcp:1.16
     resources:
       limits:
         cpu: 100m
diff --git a/docs/getting-started-guides/logging.md b/docs/getting-started-guides/logging.md
index 273065f6764..7315ada3182 100644
--- a/docs/getting-started-guides/logging.md
+++ b/docs/getting-started-guides/logging.md
@@ -172,7 +172,7 @@ metadata:
 spec:
   containers:
   - name: fluentd-cloud-logging
-    image: gcr.io/google_containers/fluentd-gcp:1.15
+    image: gcr.io/google_containers/fluentd-gcp:1.16
     resources:
       limits:
         cpu: 100m