centralized-logging-with-opensearch

Log entries divided by containerd into separate lines aren't parsed by Fluent Bit

Open gnom7 opened this issue 8 months ago • 2 comments

Describe the bug

I use the EKS log source with the Fluent Bit DaemonSet config generated by centralized-logging-with-opensearch v1.0.1.

Sometimes my JSON log entries exceed the containerd limit for log line size, and I can see under /var/log/containers/* how such logs are divided into multiple lines by containerd.

This is mostly relevant to important entries of ERROR level, as they contain long stack traces from Java/Spring-based apps.

While I see a ConfigMap with dedicated support for containerd, it doesn't seem to be able to parse such divided multiline JSON entries, and I ended up with some logs missing in OpenSearch and alerts.

Expected Behavior

The Fluent Bit configuration should be updated to aggregate such divided log entries into the original parseable JSON.

Current Behavior

Log entries are missing in OpenSearch and Alerts.

Reproduction Steps

Log a JSON entry which exceeds the containerd limit (~16Kb) and verify that the log entry didn't get to OpenSearch.

Possible Solution

Parsing JSON log message issue with Fluent Bit and containerd (CRI) logging format

Additional Information/Context

No response

Solution Version

v1.0.1

AWS Region. e.g., us-east-1

No response

Other information

No response

gnom7, Oct 13 '23 16:10
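
An added example, not part of the issue or of the project's generated configuration: containerd writes each log line in the CRI format `<timestamp> <stream> <P|F> <content>`, where `P` marks a partial fragment and `F` the final one, and the code below shows why per-line JSON parsing drops the split ERROR entry while joining fragments up to the closing `F` restores it. The sample lines, the per-stream buffering and all function names are assumptions made for illustration.

```python
import json

# Constructed sample in CRI log format: "<timestamp> <stream> <P|F> <content>".
# "P" marks a partial fragment, "F" the final (or only) fragment of an entry.
SAMPLE = [
    '2023-10-13T16:10:00.000000001Z stdout F {"level":"INFO","msg":"started"}',
    '2023-10-13T16:10:01.000000001Z stdout P {"level":"ERROR","msg":"boom","stack":"java.lang.Ill',
    '2023-10-13T16:10:01.000000002Z stderr F {"level":"WARN","msg":"interleaved"}',
    '2023-10-13T16:10:01.000000003Z stdout P egalStateException at com.example.A',
    '2023-10-13T16:10:01.000000004Z stdout F pp.run(App.java:42)"}',
]

def parse_cri(line):
    """Split one CRI line into (timestamp, stream, tag, content)."""
    parts = line.rstrip("\n").split(" ", 3)
    if len(parts) == 3:          # final fragment with empty content
        parts.append("")
    ts, stream, tag, content = parts
    if tag not in ("P", "F"):
        raise ValueError(f"unexpected CRI tag: {tag!r}")
    return ts, stream, tag, content

def reassemble(lines):
    """Join P fragments with their closing F fragment, buffered per stream."""
    pending = {}  # stream -> fragments seen since the last F on that stream
    for line in lines:
        _, stream, tag, content = parse_cri(line)
        pending.setdefault(stream, []).append(content)
        if tag == "F":
            yield stream, "".join(pending.pop(stream))

def count_parseable(messages):
    """Count how many messages decode to a JSON object."""
    ok = 0
    for message in messages:
        try:
            ok += isinstance(json.loads(message), dict)
        except json.JSONDecodeError:
            pass  # a fragment on its own is not valid JSON
    return ok

naive = [parse_cri(l)[3] for l in SAMPLE]        # one record per physical line
joined = [msg for _, msg in reassemble(SAMPLE)]  # one record per logical entry

if __name__ == "__main__":
    print(count_parseable(naive), "of", len(naive), "naive records parse")
    print(count_parseable(joined), "of", len(joined), "reassembled records parse")
```

In the naive case the only records that fail to parse are the three fragments of the ERROR entry, which matches the symptom described above: the entries most relevant to alerting are the ones that go missing.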