Currently, there is no centralized logging package installed (e.g., rsyslog, syslog-ng). What do you use for this? And I think this will not be possible on toolbox and I don’t want to add a new layer using rpm-ostree.
My use case is for host security like (sshd, sudo calls, custom firewall logging).
I want to run it like a daemon without an allocated tty, more like a systemd process. Ah yes, fluentbit, I’ve tried it earlier but it’s unable to output the SSHD logs inside, it only outputs user journald logs. I am still trying to figure the config out for that.
Yes, that’s what I’m doing but it seems there is a problem with my config for fluent-bit. It’s running in --privileged mode but I only get user journald logs.
Found the solution: as the journald gets ingested in fluent, it renames the _SYSTEMD_UNIT to different session names, so it is best to debug it using a busybox or any container that has bash access. For sshd I used _COMM=sshd.
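The effect described in the post above, as an added example that is not part of the thread: it compares a `_SYSTEMD_UNIT` match with a `_COMM` match over records in `journalctl -o json` form. The journal records are constructed and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample, one JSON object per line as `journalctl -o json` prints it.
SAMPLE = "\n".join([
    '{"_COMM":"sshd","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Accepted publickey for core from 192.0.2.10 port 50514 ssh2"}',
    '{"_COMM":"sshd","_SYSTEMD_UNIT":"session-7.scope","MESSAGE":"pam_unix(sshd:session): session opened for user core(uid=1000) by (uid=0)"}',
    '{"_COMM":"sudo","_SYSTEMD_UNIT":"session-7.scope","MESSAGE":"core : TTY=pts/0 ; PWD=/var/home/core ; USER=root ; COMMAND=/usr/bin/journalctl"}',
    '{"_COMM":"sshd","_SYSTEMD_UNIT":"session-7.scope","MESSAGE":[68,105,115,99,111,110,110,101,99,116,101,100]}',
    '{"_COMM":"podman","_SYSTEMD_UNIT":"user@1000.service","MESSAGE":"container started"}',
])

def text(value):
    """Normalise a journal JSON field to str.

    journalctl serialises non-UTF-8 fields as arrays of byte values and
    repeated fields as arrays of strings.
    """
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):
            return bytes(value).decode("utf-8", "replace")
        return " ".join(text(v) for v in value)
    return "" if value is None else str(value)

def parse(stream):
    """Yield one normalised record per line, skipping blank or truncated lines."""
    for line in stream.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        yield {k: text(v) for k, v in rec.items()}

def by_unit(records, unit):
    """Match on the unit name only; misses records logged from session scopes."""
    return [r for r in records if r.get("_SYSTEMD_UNIT") == unit]

def by_comm(records, comms):
    """Match on the process name, whichever unit or scope the process runs in."""
    return [r for r in records if r.get("_COMM") in comms]

def units_seen(records):
    """Count which units the matched records were attributed to."""
    return Counter(r.get("_SYSTEMD_UNIT", "") for r in records)

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    print(len(by_unit(recs, "sshd.service")), "record(s) by unit")
    print(len(by_comm(recs, {"sshd", "sudo"})), "record(s) by _COMM")
    print(dict(units_seen(by_comm(recs, {"sshd"}))))
```

`_COMM` is only the process name, so where that matters the match can be narrowed further with the journal's `_EXE` field.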
Fluentbit absolutely can be run as a service. I test it by running the command and when the output looks right, add it to the /etc/fluentbit config. The fluentbit docs give examples for both CLI and conf file syntax. If you really want to use a container instead of the native packaged fluentbit in Fedora (via rpm-ostree install fluent-bit), then you can use podman generate systemd to generate the systemd service for it as a podman container.
I have used quadlet instead of the generate systemd as that one is already, I think, deprecated. Instead of going for fluent-bit I did go for timberio/datadog vector as log collector, as this also collects metrics.
My 2 cents: I’m using a containerized promtail service to collect logs from journald and send them to a loki instance, then I can query logs with grafana.