Separate logging for each namespace

[collimarco]

Hello,

I have a Kubernetes cluster with multiple applications (i.e. different websites), each one in its own namespace.

Each application should send the logs (only for that specific app / namespace) to a different Logz.io account.

Is it possible to achieve that?

Basically I would like logging limited to a specific namespace, and not for the whole cluster.

[mirii1994]

Hi @collimarco ,
I think it's possible, with a few modifications to the instructions.

1. When creating a secret with credentials, add your tokens. It should be something like:

kubectl create secret generic logzio-logs-secret \
--from-literal=logzio-log-shipping-token-1='<<SHIPPING-TOKEN-1>>' \
--from-literal=logzio-log-shipping-token-2='<<SHIPPING-TOKEN-2>>' \
... ADD MORE TOKENS IF NEEDED ...
--from-literal=logzio-log-listener='https://<<LISTENER-HOST>>:8071' \
-n monitoring

2. Edit your daemonset, and add more env vars with the tokens from the previous steps. Should look something like this:

env:
- name: LOGZIO_LOG_SHIPPING_TOKEN_1
  valueFrom:
    secretKeyRef:
      name: logzio-logs-secret
      key: logzio-log-shipping-token-1
- name: LOGZIO_LOG_SHIPPING_TOKEN_2
  valueFrom:
    secretKeyRef:
      name: logzio-logs-secret
      key: logzio-log-shipping-token-2
... REST OF ENV VARS ...

3. Edit your configmap. Create a logzio output for each namespace, and configure the logzio url. For example, let's say we want to send NAMESPACE_1 to account with the token LOGZIO_LOG_SHIPPING_TOKEN_1, and NAMESPACE_2 to LOGZIO_LOG_SHIPPING_TOKEN_2 (where LOGZIO_LOG_SHIPPING_TOKEN_1, LOGZIO_LOG_SHIPPING_TOKEN_2 are the env vars that we added in the previous step).
   Your outputs should look like this:

    <match "kubernetes.var.log.containers.**_NAMESPACE_1_**">
      @type logzio_buffered
      @id out_logzio
      endpoint_url "#{ENV['LOGZIO_LOG_LISTENER']}?token=#{ENV['LOGZIO_LOG_SHIPPING_TOKEN'_1]}"
... REST OF REQUIRED CONFIG FOR THE LOGZIO OUTPUT ...
    </match>

 <match "kubernetes.var.log.containers.**_NAMESPACE_2_**">
      @type logzio_buffered
      @id out_logzio
      endpoint_url "#{ENV['LOGZIO_LOG_LISTENER']}?token=#{ENV['LOGZIO_LOG_SHIPPING_TOKEN'_2]}"
... REST OF REQUIRED CONFIG FOR THE LOGZIO OUTPUT ...
    </match>

Note that in this snippet it's not the entire config for the Logzio output, I just copied the part you'd need to edit. Full config can be found here.

Once all of these changes are applied, I think you should accomplish what you wanted.
Let me know if it worked for you :)

[collimarco]

@mirii1994 Thank you! Very appreciated. It would be possible to keep the Logz.io configs inside their own namespace? In your example everything would be stored in a global "monitoring" namespace. I am wondering if each team, which owns only the namespace for their app, can configure logging using only their app namespace (and not the global "monitoring" namespace).

[mirii1994]

That's an interesting idea.
We haven't tried doing that, and don't have an ETA for testing it at the moment.
If you do manage to accomplish that, it will be great if you'll share how you did it.

[mirii1994]

@collimarco Closing this issue as your original question was answered :)