deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-ksm-daemonset-configmap.yaml (378 lines of code) (raw):

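---
# ConfigMap for the DaemonSet agents. It includes all the datastreams except Kube-State-metrics
# For more information https://github.com/elastic/elastic-agent/blob/main/docs/elastic-agent-ksm-sharding.md
#
# The value of `agent.yml` is a literal block scalar: everything below it, including
# the comments, is handed to Elastic Agent as its standalone configuration file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: agent-node-datastreams
  namespace: kube-system
  labels:
    app.kubernetes.io/name: elastic-agent-standalone
data:
  agent.yml: |-
    outputs:
      default:
        type: elasticsearch
        hosts:
          - >-
            ${ES_HOST}
        # NOTE(review): ES_USERNAME / ES_PASSWORD are expanded from the agent's
        # environment. Confirm the DaemonSet feeds them from a Kubernetes Secret
        # (secretKeyRef) and not from literal env values, and that the account is
        # limited to the ingest privileges the agent needs.
        username: ${ES_USERNAME}
        password: ${ES_PASSWORD}
    agent:
      monitoring:
        enabled: true
        use_output: default
        logs: true
        metrics: true
    providers.kubernetes:
      node: ${NODE_NAME}
      scope: node
      #Uncomment to enable hints' support - https://www.elastic.co/guide/en/fleet/current/hints-annotations-autodiscovery.html
      #hints.enabled: true
      #hints.default_container_logs: true
    inputs:
      # Cluster-wide metrics: collected only by the agent that currently holds
      # the leader election lease, so they are not duplicated per node.
      - id: kubernetes-cluster-metrics
        condition: ${kubernetes_leaderelection.leader} == true
        type: kubernetes/metrics
        use_output: default
        meta:
          package:
            name: kubernetes
            version: 1.52.0
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: kubernetes.apiserver
              type: metrics
            metricsets:
              - apiserver
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.KUBERNETES_SERVICE_HOST}:${env.KUBERNETES_SERVICE_PORT}'
            period: 30s
            # The API server certificate is validated against the service
            # account CA bundle before the bearer token is presented.
            ssl.certificate_authorities:
              - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          - data_stream:
              dataset: kubernetes.event
              type: metrics
            metricsets:
              - event
            period: 10s
            add_metadata: true
      - id: system-logs
        type: logfile
        use_output: default
        meta:
          package:
            name: system
            version: 1.20.4
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: system.auth
              type: logs
            paths:
              - /var/log/auth.log*
              - /var/log/secure*
            # Dot escaped so that only a literal ".gz" suffix is excluded.
            exclude_files:
              - '\.gz$'
            multiline:
              pattern: ^\s
              match: after
            processors:
              - add_locale: null
            ignore_older: 72h
          - data_stream:
              dataset: system.syslog
              type: logs
            paths:
              - /var/log/messages*
              - /var/log/syslog*
            exclude_files:
              - '\.gz$'
            multiline:
              pattern: ^\s
              match: after
            processors:
              - add_locale: null
            ignore_older: 72h
      # Every stream of this input is gated on ${host.platform} == 'windows'.
      - id: windows-event-log
        type: winlog
        use_output: default
        meta:
          package:
            name: system
            version: 1.20.4
        data_stream:
          namespace: default
        streams:
          - data_stream:
              type: logs
              dataset: system.application
            condition: '${host.platform} == ''windows'''
            ignore_older: 72h
          - data_stream:
              type: logs
              dataset: system.security
            condition: '${host.platform} == ''windows'''
            ignore_older: 72h
          - data_stream:
              type: logs
              dataset: system.system
            condition: '${host.platform} == ''windows'''
            ignore_older: 72h
      - id: container-log-${kubernetes.pod.name}-${kubernetes.container.id}
        type: filestream
        use_output: default
        meta:
          package:
            name: kubernetes
            version: 1.52.0
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: kubernetes.container_logs
              type: logs
            prospector.scanner.symlinks: true
            parsers:
              - container: null
              # - ndjson:
              #     target: json
              # - multiline:
              #     type: pattern
              #     pattern: '^\['
              #     negate: true
              #     match: after
            paths:
              - /var/log/containers/*${kubernetes.container.id}.log
      # NOTE(review): API server audit events can carry sensitive request
      # metadata; restrict read access to the kubernetes.audit_logs data stream.
      - id: audit-log
        type: filestream
        use_output: default
        meta:
          package:
            name: kubernetes
            version: 1.52.0
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: kubernetes.audit_logs
              type: logs
            exclude_files:
              - '\.gz$'
            parsers:
              - ndjson:
                  add_error_key: true
                  target: kubernetes_audit
            paths:
              - /var/log/kubernetes/kube-apiserver-audit.log
              # The default path of audit logs on Openshift:
              # - /var/log/kube-apiserver/audit.log
            processors:
              - rename:
                  fields:
                    - from: kubernetes_audit
                      to: kubernetes.audit
              # Replaces the dots in annotation keys with underscores so that
              # they are not expanded into nested fields. test() is the
              # processor's self-check for process().
              - script:
                  id: dedot_annotations
                  lang: javascript
                  source: |
                    function process(event) {
                      var audit = event.Get("kubernetes.audit");
                      for (var annotation in audit["annotations"]) {
                        var annotation_dedoted = annotation.replace(/\./g,'_')
                        event.Rename("kubernetes.audit.annotations."+annotation, "kubernetes.audit.annotations."+annotation_dedoted)
                      }
                      return event;
                    }
                    function test() {
                      var event = process(new Event({
                        "kubernetes": {
                          "audit": {
                            "annotations": {
                              "authorization.k8s.io/decision": "allow",
                              "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kube-scheduler\" of ClusterRole \"system:kube-scheduler\" to User \"system:kube-scheduler\""
                            }
                          }
                        }
                      }));
                      if (event.Get("kubernetes.audit.annotations.authorization_k8s_io/decision") !== "allow") {
                        throw "expected kubernetes.audit.annotations.authorization_k8s_io/decision === allow";
                      }
                    }
      # Host metrics. The streams that set system.hostfs read the node's
      # filesystem through /hostfs.
      - id: system-metrics
        type: system/metrics
        use_output: default
        meta:
          package:
            name: system
            version: 1.20.4
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: system.cpu
              type: metrics
            period: 10s
            cpu.metrics:
              - percentages
              - normalized_percentages
            metricsets:
              - cpu
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.diskio
              type: metrics
            period: 10s
            diskio.include_devices: null
            metricsets:
              - diskio
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.filesystem
              type: metrics
            period: 1m
            metricsets:
              - filesystem
            system.hostfs: '/hostfs'
            processors:
              - drop_event.when.regexp:
                  system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
          - data_stream:
              dataset: system.fsstat
              type: metrics
            period: 1m
            metricsets:
              - fsstat
            system.hostfs: '/hostfs'
            processors:
              - drop_event.when.regexp:
                  system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
          - data_stream:
              dataset: system.load
              type: metrics
            condition: '${host.platform} != ''windows'''
            period: 10s
            metricsets:
              - load
          - data_stream:
              dataset: system.memory
              type: metrics
            period: 10s
            metricsets:
              - memory
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.network
              type: metrics
            period: 10s
            network.interfaces: null
            metricsets:
              - network
          # NOTE(review): process metrics include the command line of the
          # reported processes. Secrets passed as command-line arguments would
          # be indexed with them - confirm this is acceptable for the cluster.
          - data_stream:
              dataset: system.process
              type: metrics
            period: 10s
            processes:
              - .*
            process.include_top_n.by_cpu: 5
            process.include_top_n.by_memory: 5
            process.cmdline.cache.enabled: true
            process.cgroups.enabled: false
            process.include_cpu_ticks: false
            metricsets:
              - process
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.process_summary
              type: metrics
            period: 10s
            metricsets:
              - process_summary
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.socket_summary
              type: metrics
            period: 10s
            metricsets:
              - socket_summary
            system.hostfs: '/hostfs'
          - data_stream:
              type: metrics
              dataset: system.uptime
            metricsets:
              - uptime
            period: 10s
      - id: kubernetes-node-metrics
        type: kubernetes/metrics
        use_output: default
        meta:
          package:
            name: kubernetes
            version: 1.52.0
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: kubernetes.controllermanager
              type: metrics
            metricsets:
              - controllermanager
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${kubernetes.pod.ip}:10257'
            period: 10s
            # SECURITY: verification_mode none turns off certificate and
            # hostname validation, so the service account token above is sent
            # to an endpoint whose identity is not checked. Where the serving
            # certificate chains to a CA that can be mounted into the agent,
            # use ssl.certificate_authorities instead, as the
            # kubernetes.apiserver stream does.
            ssl.verification_mode: none
            condition: ${kubernetes.labels.component} == 'kube-controller-manager'
            # On Openshift condition should be adjusted:
            # condition: ${kubernetes.labels.app} == 'kube-controller-manager'
          - data_stream:
              dataset: kubernetes.scheduler
              type: metrics
            metricsets:
              - scheduler
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${kubernetes.pod.ip}:10259'
            period: 10s
            # SECURITY: same unverified-TLS caveat as kubernetes.controllermanager.
            ssl.verification_mode: none
            condition: ${kubernetes.labels.component} == 'kube-scheduler'
            # On Openshift condition should be adjusted:
            # condition: ${kubernetes.labels.app} == 'openshift-kube-scheduler'
          - data_stream:
              dataset: kubernetes.proxy
              type: metrics
            metricsets:
              - proxy
            hosts:
              - 'localhost:10249'
              # On Openshift port should be adjusted:
              # - 'localhost:29101'
            period: 10s
          # The five streams below query the kubelet on port 10250 of the
          # agent's own node. SECURITY: each presents the service account
          # token with ssl.verification_mode: none (see the caveat on
          # kubernetes.controllermanager); the commented ssl.certificate_authorities
          # alternative under each stream restores certificate validation.
          - data_stream:
              dataset: kubernetes.container
              type: metrics
            metricsets:
              - container
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
          - data_stream:
              dataset: kubernetes.node
              type: metrics
            metricsets:
              - node
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
          - data_stream:
              dataset: kubernetes.pod
              type: metrics
            metricsets:
              - pod
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
          - data_stream:
              dataset: kubernetes.system
              type: metrics
            metricsets:
              - system
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
          - data_stream:
              dataset: kubernetes.volume
              type: metrics
            metricsets:
              - volume
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
      # Add extra input blocks here, based on conditions
      # so as to automatically identify targeted Pods and start monitoring them
      # using a predefined integration. For instance:
      #- id: redis-metrics
      #  type: redis/metrics
      #  use_output: default
      #  meta:
      #    package:
      #      name: redis
      #      version: 0.3.6
      #  data_stream:
      #    namespace: default
      #  streams:
      #    - data_stream:
      #        dataset: redis.info
      #        type: metrics
      #      metricsets:
      #        - info
      #      hosts:
      #        - '${kubernetes.pod.ip}:6379'
      #      idle_timeout: 20s
      #      maxconn: 10
      #      network: tcp
      #      period: 10s
      #      condition: ${kubernetes.labels.app} == 'redis'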