The following fields can be present in log records exported by the logging. Although log records are typically formatted as JSON objects, the same data model can be applied to other encodings.
To search these fields from Elasticsearch and Kibana, use the full dotted field name. For example, with an Elasticsearch /_search URL, to look for a Kubernetes pod name, use /_search?q=kubernetes.pod_name:name-of-my-pod.
The top-level fields may be present in every record.
The original log entry text, UTF-8 encoded. This field may be absent or empty if a non-empty structured field is present. See the description of structured for more.
Data type | text |
Example value | |
Original log entry as a structured object. This field may be present if the forwarder was configured to parse structured JSON logs. If the original log entry was a valid structured log, this field will contain an equivalent JSON structure. Otherwise this field will be empty or absent, and the message field will contain the original log message. The structured field can have any subfields that are included in the log message; there are no restrictions defined here.
Data type | group |
Example value | map[message:starting fluentd worker pid=21631 ppid=21618 worker=0 pid:21631 ppid:21618 worker:0] |
A UTC value that marks when the log payload was created or, if the creation time is not known, when the log payload was first collected. The “@” prefix denotes a field that is reserved for a particular use. By default, most tools look for “@timestamp” with Elasticsearch.
Data type | date |
Example value | |
The name of the host where this log message originated. In a Kubernetes cluster, this is the same as kubernetes.host.
Data type | keyword |
The IPv4 address of the source server. Can be an array.
Data type | ip |
The IPv6 address of the source server, if available. Can be an array.
Data type | ip |
The logging level from various sources, including rsyslog (severitytext property), a Python logging module, and others.
The following values come from syslog.h, and are preceded by their numeric equivalents:
0 = emerg, system is unusable.
1 = alert, action must be taken immediately.
2 = crit, critical conditions.
3 = err, error conditions.
4 = warn, warning conditions.
5 = notice, normal but significant condition.
6 = info, informational.
7 = debug, debug-level messages.
The two following values are not part of syslog.h but are widely used:
8 = trace, trace-level messages, which are more verbose than debug messages.
9 = unknown, when the logging system gets a value it does not recognize.
Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from Python logging, you can match CRITICAL with crit, ERROR with err, and so on.
Data type | keyword |
Example value | |
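
The message/structured rule and the level mapping described above, combined in one collector-side normalizer. This is an added example, not code from the logging product: the level output key, the level and levelname keys read from the structured payload, and the alias table are assumptions.

```python
import json
import logging
from datetime import datetime, timezone

# Severity keywords from the list above, indexed by their numeric value.
LEVELS = ["emerg", "alert", "crit", "err", "warn", "notice",
          "info", "debug", "trace", "unknown"]
# Constructed alias table (assumption): other systems' spellings, nearest match.
ALIASES = {"critical": "crit", "fatal": "crit", "error": "err",
           "warning": "warn", "panic": "emerg"}


def normalize_level(raw):
    """Map a syslog number, a Python logging number or a name to a keyword."""
    if raw is None or isinstance(raw, bool):
        return "unknown"
    if isinstance(raw, int) and not 0 <= raw <= 9:
        raw = logging.getLevelName(raw)      # 40 -> "ERROR", 35 -> "Level 35"
    text = str(raw).strip().lower()
    text = ALIASES.get(text, text)
    if len(text) == 1 and text.isdecimal():  # syslog-style numeric value
        return LEVELS[int(text)]
    return text if text in LEVELS else "unknown"


def build_record(line, collected_at=None):
    """Return a record carrying @timestamp, level, and message or structured."""
    when = collected_at or datetime.now(timezone.utc)
    record = {"@timestamp": when.astimezone(timezone.utc).isoformat()}
    try:
        parsed = json.loads(line)
    except ValueError:
        parsed = None
    if isinstance(parsed, dict) and parsed:
        # Valid, non-empty object: keep it, omit message (source keys assumed).
        record["structured"] = parsed
        raw_level = parsed.get("level", parsed.get("levelname"))
    else:
        # Plain text, or JSON that is not an object: keep the original text.
        record["message"] = line
        raw_level = None
    record["level"] = normalize_level(raw_level)  # "level" key: assumption
    return record


# Constructed sample lines, not taken from a real system.
SAMPLE_LINES = ['{"levelname": "ERROR", "msg": "db timeout"}', "plain text line"]
if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(build_record(sample)))
```

A level that cannot be matched is recorded as unknown rather than dropped, so a query on that value shows which sources still need a mapping.
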
The process ID of the logging entity, if available.
Data type | keyword |
The name of the service associated with the logging entity, if available. For example, syslog’s APP-NAME and rsyslog’s programname properties are mapped to the service field.
Data type | keyword |
Optional. An operator-defined list of tags placed on each log by the collector or normalizer. The payload can be a string with whitespace-delimited string tokens or a JSON list of string tokens.
Data type | text |
The path to the log file from which the collector reads this log entry. Normally, this is a path in the /var/log file system of a cluster node.
Data type | text |
The offset value. Can represent bytes to the start of the log line in the file (zero- or one-based), or log line numbers (zero- or one-based), so long as the values are strictly monotonically increasing in the context of a single log file. The values are allowed to wrap, representing a new version of the log file (rotation).
Data type | long |
The namespace for Kubernetes-specific metadata
Data type | group |
The Kubernetes event obtained from the Kubernetes master API. This event description loosely follows type Event in Event v1 core.
Data type | group |
The type of event, ADDED, MODIFIED, or DELETED
Data type | keyword |
Example value | |
Information related to the location and time of the event creation
Data type | group |
The name of the object that triggered the event creation
Data type | keyword |
Example value | |
The name of the namespace where the event originally occurred. Note that it differs from kubernetes.namespace_name, which is the namespace where the eventrouter application is deployed.
Data type | keyword |
Example value | |
A link to the event
Data type | keyword |
Example value | |
The object that the event is about.
Data type | group |
The type of object
Data type | keyword |
Example value | |
The namespace name of the involved object. Note that it may differ from kubernetes.namespace_name, which is the namespace where the eventrouter application is deployed.
Data type | keyword |
Example value | |
The name of the object that triggered the event
Data type | keyword |
Example value | |
The unique ID of the object
Data type | keyword |
Example value | |
A short machine-understandable string that gives the reason for generating this event
Data type | keyword |
Example value | |
The component that reported this event
Data type | keyword |
Example value | |
The time at which the event was first recorded
Data type | date |
Example value | |