Versions Compared

Old Version 7

changes.mady.by.user Jenni Wallin

Saved on

compared with

New Version 8

changes.mady.by.user Jenni Wallin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note
titleNote!

You need to have a proper EKS cluster setup in order to proceed with these steps. Refer to Set Up Kubernetes Cluster - AWS (4.1) to create the EKS cluster first.

By default Usage Engine deployed in Kubernetes outputs logging to disk and console output. If persistent disk storage is enabled, the logs end up on the mounted shared disk. But persistent disk is not always the desired log target, especially in a cloud environment where persistent data is typically accessed through services and APIs rather than as files. The console logs can be accessed through the "kubectl logs" command or from a Kubernetes dashboard. The buffer for storing the Kubernetes console logs is stored in memory only though and thus will be lost when a Pod terminates.

...

Note!

You need to have a proper EKS cluster setup in order to proceed with these steps. Refer to Set Up Kubernetes Cluster - AWS (4.3) to create the EKS cluster first.

Insert excerpt
Log Collection
Log Collection
nameKubernetes-output
nopaneltrue

To get a production ready log configuration you can use tools from the Kubernetes ecosystem and AWS CloudWatch. In this guide we show you how to set up:

  • Fluent-bit for log collection and log forwarding

  • Elasticsearch for log storage

  • Kibana for log visualization

  • AWS CloudWatch for monitoring

Thesetools give you powerful and flexible log collection, storage, monitoring and visualization. The Elasticsearch database storage also provides powerful tools to perform analytics on the log data. The AWS CloudWatch is a monitoring service built for DevOps engineers, developers, site reliability engineers (SREs), IT managers, and product owners. This guide doesn't describe these tools' functionality in details as it is outside the scope of this guide.

Prerequisite

Before setting up log collection, make sure your Usage Engine Private Edition was installed with JSON formatted logging enabled.

Code Block
linenumberstrue
log:
  # Format can be "json" or "raw". Default is "raw"
  format: json

See the official user documentation for detailed information about these tools.

Prerequisite

Insert excerpt
Log Collection
Log Collection
nameprereq
nopaneltrue

Setup AWS IAM OIDC Provider

To use AWS Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL. Prior to creating AWS policy and role,

...

you need to setup Identity Provider using EKS cluster's OpenID Connect Provider URL.

  1. Login to AWS Management Console, go to EKS > Clusters > Your Cluster Name.

  2. On Overview tab, section Details, click

...

  1. on the copy button under OpenID Connect Provider URL to copy the URL to the clipboard.Image Modified

  2. Go to IAM > Identity Providers.

  3. Add an Identity Provider and select OpenID Connect.

  4. Paste the copied URL as Provider

...

  1. URL.

...

  1. Enter "sts.amazonaws.com" as Audience.

  2. Click Add Provider and proceed to complete the Identity Providers creation 

Setup AWS IAM Policy and Role

In order for

...

Fluent-bit to send logs to AWS CloudWatch,

...

you need to setup AWS access policy to access the AWS CloudWatch and attach this policy to an AWS Role. 

  1. Login to AWS Management Console, go to IAM > Policies.

  2. Create

...

  1. a new policy using the JSON tab in the Policy Editor. Enter the permission statement in JSON format, as below:

    Code Block

...

  1. {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

  2. Click Next and proceed to create the policy.

  3. Back

...

  1. in the IAM Dashboard

...

  1. , go to IAM > Roles.

  2. Create a new role and select Web Identity.

...

  1. Select the OpenID Connect Provider Id as Identity Provider.

  2. Click Next and proceed to create the role.

Once the new role has been created,

...

you need to to edit the role's trust relationship to associate it to the Fluent-bit's Service Account.

  1. Go to IAM > Roles > Your Role Name.

  2. On the Trust relationship tab, edit trust policy.

  3. Edit the "StringEquals" field to use the Fluent-bit's namespace and Service Account Name, as below:

    Code Block

...

linenumberstrue
  1. {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::211006581866:oidc-provider/oidc.eks.ap-southeast-2.amazonaws.com/id/360F8C7227656FC5627D5DA70F181583"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.ap-southeast-2.amazonaws.com/id/360F8C7227656FC5627D5DA70F181583:sub": "system:serviceaccount:<Fluent-bit namespace>:<fluent-bit Service Account Name>"
                }
            }
        }
    ]
}

...

Install Fluent-bit
To stream 
...
container logs to CloudWatch Logs, install AWS for Fluent
...
-bit:
  1. Create a namespace called amazon-cloudwatch 
...
  1. with the following command:
     Code Block
...
linenumberstrue
  1. kubectl create namespace amazon-cloudwatch
  2. Create a ConfigMap called fluent-bit-cluster-info 
...
  1. and replace my-cluster-name and my-cluster-region with your cluster's name and Region
...
  1. , as below:
     Code Block
    ClusterName=<my-cluster-name>
RegionName=<my-cluster-region>
FluentBitHttpPort='2020'
FluentBitReadFromHead='Off'
[[ ${FluentBitReadFromHead} = 'On' ]] && FluentBitReadFromTail='Off'|| FluentBitReadFromTail='On'
[[ -z ${FluentBitHttpPort} ]] && FluentBitHttpServer='Off' || FluentBitHttpServer='On'
kubectl create configmap fluent-bit-cluster-info \
--from-literal=cluster.name=${ClusterName} \
--from-literal=http.server=${FluentBitHttpServer} \
--from-literal=http.port=${FluentBitHttpPort} \
--from-literal=read.head=${FluentBitReadFromHead} \
--from-literal=read.tail=${FluentBitReadFromTail} \
--from-literal=logs.region=${RegionName} -n amazon-cloudwatch
  2. Deploy the Fluent
...
  1. -bit DaemonSet to the cluster 
...
  1. with the following command:
     Code Block
...
  1. kubectl apply -f https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml
  2. Associate the IAM role to cloudwatch-agent and fluent-bit service accounts 
...
  1. and replace ACCOUNT_ID
...
  1.  and IAM_ROLE_NAME
...
  1.  with AWS Account ID and the IAM role used for service accounts 
...
  1. with the following command:
     Code Block
...
linenumberstrue
  1. kubectl annotate serviceaccounts fluent-bit -n amazon-cloudwatch "eks.amazonaws.com/role-arn=arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME"
  2. Go to CloudWatch > View logs 
...
  1. and verify that the following log groups 
...
  1. have been created
...
  1. :
     Code Block
...
linenumberstrue
  1. /aws/containerinsights/Your Cluster Name/application
/aws/containerinsights/Your Cluster Name/dataplane
/aws/containerinsights/Your Cluster Name/host
  2. For each log group, verify there are log streams available 
...
  1. in the Log stream
...
  1.  tab.Image Modified
Install Elastic Search
Elastic search will be installed to the same namespace as Fluent-bit, i.e., amazon-cloudwatch. 
  1. Add Elastic Search repository to Helm and update repository to retrieve the latest version with the following commands:
     Code Block
...
  1. helm repo add elastic https://helm.elastic.co
...
  1.  Code Block
    helm repo update
  2. Install Elastic Search. 
...
titleNote!
...
 Info
Example - Installing Elasticsearch without Persistent storage
This example installs Elasticsearch without persistent storage. Refer to Elasticsearch Helm chart documentation for help to enable persistent storage:
https://github.com/elastic/helm-charts/tree/master/elasticsearch 
 Code Block
...
...
helm install elasticsearch elastic/elasticsearch -n amazon-cloudwatch --set=persistence.enabled=false
Install Kibana
...
Kibana will be installed 
...
in the same namespace as Fluent-bit, 
...
that is amazon-cloudwatch. 
  1. Download the Kibana helm chart and unpack it in local directory 
...
  1. with the following command:
     Code Block
...
linenumberstrue
  1. helm fetch elastic/kibana --untar
  2. Change directory to kibana 
...
  1. and edit the values.yaml 
...
  1. file by adding service annotation to create an Internet-facing, Network type Load Balancer
...
  1. , as below:
     Code Block
...
...
  1. service:
  type: ClusterIP
  loadBalancerIP: ""
  port: 5601
  nodePort: ""
  labels: {}
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
  2. Install Kibana by path to an unpacked local directory with the following command:
     Code Block
...
  1. helm install kibana kibana -n amazon-cloudwatch --set=service.type=LoadBalancer --set=service.port=80
Configure Fluent-bit to send logs to Elastic 
...
Search 
These are additional steps to configure fluent-bit ConfigMap named fluent-bit-config.
  1. Get the service name of 
...
  1. the Elastic Search pods with the following command:
     Code Block
    kubectl get svc -n amazon-cloudwatch
    This service name is the value set to Host in [OUTPUT] directive. 
 Code Block
linenumberstrue
kubectl get svc -n amazon-cloudwatch
...
  1. Get username and password credential for Elastic X-Pack access. 
...
  1. with the following commands:
     Code Block
    kubectl get secrets --namespace=amazon-cloudwatch elasticsearch-master-credentials -ojsonpath='{.data.username}' | base64 -d
...
  1.  Code Block
    kubectl get secrets --namespace=amazon-cloudwatch elasticsearch-master-credentials -ojsonpath='{.data.password}' | base64 -d
    The decrypted username and password are the values set to HTTP_User and HTTP_Passwd in [OUTPUT] directive.
  2. Download the fluent-bit deamonset yaml file 
...
  1. into a local directory with the following command:
     Code Block
...
  1. curl https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml > fluent-bit.yaml
  2. Edit the fluent-bit.yaml 
...
  1. file by going to the ConfigMap 
...
  1. named fluent-bit-config
...
  1. , and for each config file, 
...
  1. add the output directive to send logs to Elastic Search
...
  1. , as below:
    application-log.conf
...
  1.  Code Block
...
  1.     [OUTPUT]
        Name                es
        Match               application.*
        Host                elasticsearch-master
        tls                 on
        tls.verify          off
        HTTP_User           elastic
        HTTP_Passwd         DbrfdbnzCNYympQZ
        Suppress_Type_Name  On
        Index               fluentbit.app
...
...
  1. dataplane-log.conf
...
  1.  Code Block
...
  1.     [OUTPUT]
        Name                es
        Match               dataplane.*
        Host                elasticsearch-master
        tls                 on
        tls.verify          off
        HTTP_User           elastic
        HTTP_Passwd         DbrfdbnzCNYympQZ
        Suppress_Type_Name  On
        Index               fluentbit.dataplane
...
  1. host-log.conf
...
  1.  Code Block
        [OUTPUT]
        Name                es
        Match               host.*
        Host                elasticsearch-master
        tls                 on
        tls.verify          off
        HTTP_User           elastic
        HTTP_Passwd         DbrfdbnzCNYympQZ
        Suppress_Type_Name  On
        Index               fluentbit.host
  2. Delete the existing fluent-bit pods, config map 
...
  1. with the following command:
     Code Block
...
linenumberstrue
  1. kubectl delete -f fluent-bit.yaml
  2. Install and apply the new configuration to fluent-bit pods, config 
...
  1. map  with the following command: 
     Code Block
    kubectl apply -f fluent-bit.yaml
  2. Re-associate the IAM role 
...
  1. with the cloudwatch-agent and fluent-bit service accounts
...
  1. , and replace ACCOUNT_ID
...
  1.  and IAM_ROLE_NAME
...
  1.  with AWS Account ID and the IAM role used for service accounts 
...
  1. with the following command:
     Code Block
...
...
  1. kubectl annotate serviceaccounts fluent-bit -n amazon-cloudwatch "eks.amazonaws.com/role-arn=arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME"
  2. Verify every Fluent-bit pod's log 
...
  1. with the following command:
     Code Block
...
linenumberstrue
  1. kubectl logs <fluent-bit pod name> -n amazon-cloudwatch
    You should not see any error or exception if connection to Elastic Search is established successfully.
Configure Kibana
Kibana is a visual interface tool that allows you to explore, visualize, and build a dashboard over the log data massed in Elastic Search cluster. 
Up to this stage, all pods under namespace amazon-cloudwatch should be up and running. 
 Code Block
NAME                             READY   STATUS    RESTARTS   AGE
elasticsearch-master-0           1/1     Running   0          4d3h
elasticsearch-master-1           1/1     Running   0          4d3h
fluent-bit-2kpgr                 1/1     Running   0          3d
fluent-bit-6wtnr                 1/1     Running   0          3d
fluent-bit-ns42z                 1/1     Running   0          3d
kibana-kibana-658dc749cd-hbc8s   1/1     Running   0          3d4h
...
If all looks good, you can proceed to login to Kibana dashboard web UI. 
  1. Retrieve the public access hostname of the Kibana dashboard.
     Code Block
...
linenumberstrue
  1. kubectl get service -n amazon-cloudwatch kibana-kibana -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
  2. Login to Kibana dashboard web UI with username password same 
...
  1. as HTTP_User 
...
  1. and HTTP_Passwd configured in previous section
  2. Go to Management > Stack Management > Index Management. Create the Index Template with Index Pattern matching the indexes configured in previous sectionImage Modified
  3. If Fluent-bit connection to Elastic Search established successfully, the Indices is created 
...
  1. automatically  Image Modified
  2. Go to Management > Stack Management > Kibana. Create Data view matching the index patternImage Modified
  3. Go to Analytics > Discover to search for logs belong to each index pattern respectively. Image Modified
  4. User can filter logs using KQL syntax. For instance, enter "kubernetes.pod_name:platform-0" in the KQL filter input fieldImage Modified
  5. Log record in json format is parsed into fields
     Code Block
    {
  "_p": [
    "F"
  ],
  "_p.keyword": [
    "F"
  ],
  "@timestamp": [
    "2024-02-21T09:14:49.079Z"
  ],
  "kubernetes.container_hash": [
    "ghcr.io/digitalroute-public/usage-engine-private-edition@sha256:fceb32e07cfae86db58d9a83328e4539eb5f42455cd6a0463e9ac955b3642848"
  ],
  "kubernetes.container_hash.keyword": [
    "ghcr.io/digitalroute-public/usage-engine-private-edition@sha256:fceb32e07cfae86db58d9a83328e4539eb5f42455cd6a0463e9ac955b3642848"
  ],
  "kubernetes.container_image": [
    "ghcr.io/digitalroute-public/usage-engine-private-edition:4.0.0-operator"
  ],
  "kubernetes.container_image.keyword": [
    "ghcr.io/digitalroute-public/usage-engine-private-edition:4.0.0-operator"
  ],
  "kubernetes.container_name": [
    "manager"
  ],
  "kubernetes.container_name.keyword": [
    "manager"
  ],
  "kubernetes.docker_id": [
    "9af8ba62db2aacbb39435ed8894bc078013ea1126a561a85a1d486ee8e12367d"
  ],
  "kubernetes.docker_id.keyword": [
    "9af8ba62db2aacbb39435ed8894bc078013ea1126a561a85a1d486ee8e12367d"
  ],
  "kubernetes.host": [
    "ip-192-168-34-51.ap-southeast-2.compute.internal"
  ],
  "kubernetes.host.keyword": [
    "ip-192-168-34-51.ap-southeast-2.compute.internal"
  ],
  "kubernetes.namespace_name": [
    "uepe"
  ],
  "kubernetes.namespace_name.keyword": [
    "uepe"
  ],
  "kubernetes.pod_id": [
    "5a911c45-d2b0-4f53-b474-ae8aee304d4a"
  ],
  "kubernetes.pod_id.keyword": [
    "5a911c45-d2b0-4f53-b474-ae8aee304d4a"
  ],
  "kubernetes.pod_name": [
    "uepe-operator-controller-manager-6fdc476cb5-9282q"
  ],
  "kubernetes.pod_name.keyword": [
    "uepe-operator-controller-manager-6fdc476cb5-9282q"
  ],
  "log": [
    "{\"level\":\"info\",\"ts\":\"2024-02-21T09:14:49Z\",\"logger\":\"controllers.ECDeployment\",\"msg\":\"Reconciling\",\"ECDeployment\":\"uepe/http2\"}"
  ],
  "log_processed.ECDeployment": [
    "uepe/http2"
  ],
  "log_processed.ECDeployment.keyword": [
    "uepe/http2"
  ],
  "log_processed.level": [
    "info"
  ],
  "log_processed.level.keyword": [
    "info"
  ],
  "log_processed.logger": [
    "controllers.ECDeployment"
  ],
  "log_processed.logger.keyword": [
    "controllers.ECDeployment"
  ],
  "log_processed.msg": [
    "Reconciling"
  ],
  "log_processed.msg.keyword": [
    "Reconciling"
  ],
  "log_processed.ts": [
    "2024-02-21T09:14:49.000Z"
  ],
  "log.keyword": [
    "{\"level\":\"info\",\"ts\":\"2024-02-21T09:14:49Z\",\"logger\":\"controllers.ECDeployment\",\"msg\":\"Reconciling\",\"ECDeployment\":\"uepe/http2\"}"
  ],
  "stream": [
    "stderr"
  ],
  "stream.keyword": [
    "stderr"
  ],
  "time": [
    "2024-02-21T09:14:49.079Z"
  ],
  "_id": "ijvyyo0B9xu2H_IDTAqi",
  "_index": "fluentbit.app",
  "_score": null
}