I deployed the Kubernetes integration to an ECK daemonset deployment version 8.2.2 in Amazon EKS running on Bottlerocket hosts. I’m not getting any container or audit logs. When I exec into one of the agent pods, there is no path for /var/log/kubernetesor/var/log/containers` . Is this expected or do I need to update the paths to something else?
Hello,
By default, Kubernetes integration collect logs using the /var/log/containers/*${kubernetes.container.id}.log path and the audit logs on /var/log/kubernetes/kube-apiserver-audit.log, if you are sending logs to another path you should adjust it accordingly,
You can read more about it here, Kubernetes | Elastic Documentation
Correct, however it appears that the problem is the default deployment of the agent via the operator does not include the volume mount/claims to be able to read those paths. I'm validating this now, but it appears that the following needs to be manually added for any ECK managed agents that will be configured to use the Kubernetes integration package:
containers:
- name: agent
volumeMounts:
- mountPath: /var/lib/docker/containers
name: varlibdockercontainers
- mountPath: /var/log/containers
name: varlogcontainers
- mountPath: /var/log/pods
name: varlogpods
volumes:
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
- name: varlogcontainers
hostPath:
path: /var/log/containers
- name: varlogpods
hostPath:
path: /var/log/pods
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.