Log Record Fields

To search these fields from Elasticsearch and Kibana, use the full dotted field name when searching. For example, with an Elasticsearch /_search URL, to look for a Kubernetes pod name, use .

The top level fields may be present in every record.

The original log entry text, UTF-8 encoded. This field may be absent or empty if a non-empty structured field is present. See the description of structured for more.

structured

Original log entry as a structured object. This field may be present if the forwarder was configured to parse structured JSON logs. If the original log entry was a valid structured log, this field will contain an equivalent JSON structure. Otherwise this field will be empty or absent, and the message field will contain the original log message. The structured field can have any subfields that are included in the log message, there are no restrictions defined here.

@timestamp

A UTC value that marks when the log payload was created or, if the creation time is not known, when the log payload was first collected. The “@” prefix denotes a field that is reserved for a particular use. By default, most tools look for “@timestamp” with ElasticSearch.

hostname

The name of the host where this log message originated. In a Kubernetes cluster, this is the same as kubernetes.host.

The IPv4 address of the source server. Can be an array.

ipaddr6

The IPv6 address of the source server, if available. Can be an array.

level

The logging level from various sources, including rsyslog(severitytext property), a Python logging module, and others.

The following values come from , and are preceded by their numeric equivalents:

• 0 = emerg, system is unusable.

• 1 = alert, action must be taken immediately.

• 2 = crit, critical conditions.

• 3 = err, error conditions.

• 4 = warn, warning conditions.

• 5 = notice, normal but significant condition.

• = info, informational.

• 7 = debug, debug-level messages.

The two following values are not part of syslog.h but are widely used:

• 8 = trace, trace-level messages, which are more verbose than debug messages.

• 9 = unknown, when the logging system gets a value it doesn’t recognize.

Map the log levels or priorities of other logging systems to their nearest match in the preceding list. For example, from , you can match CRITICAL with crit, ERROR with err, and so on.

pid

The process ID of the logging entity, if available.

The name of the service associated with the logging entity, if available. For example, syslog’s APP-NAME and rsyslog’s programname properties are mapped to the service field.

tags

Optional. An operator-defined list of tags placed on each log by the collector or normalizer. The payload can be a string with whitespace-delimited string tokens or a JSON list of string tokens.

file

The path to the log file from which the collector reads this log entry. Normally, this is a path in the /var/log file system of a cluster node.

offset

The offset value. Can represent bytes to the start of the log line in the file (zero- or one-based), or log line numbers (zero- or one-based), so long as the values are strictly monotonically increasing in the context of a single log file. The values are allowed to wrap, representing a new version of the log file (rotation).

The namespace for Kubernetes-specific metadata

The name of the pod

kubernetes.pod_id

The Kubernetes ID of the pod

kubernetes.namespace_name

The name of the namespace in Kubernetes

The ID of the namespace in Kubernetes

kubernetes.host

The Kubernetes node name

kubernetes.container_name

The name of the container in Kubernetes

Annotations associated with the Kubernetes object

kubernetes.labels

Labels present on the original Kubernetes Pod

kubernetes.event

The Kubernetes event obtained from the Kubernetes master API. This event description loosely follows type Event in Event v1 core.

kubernetes.event.verb

The type of event, ADDED, MODIFIED, or DELETED

kubernetes.event.metadata

Information related to the location and time of the event creation

kubernetes.event.metadata.name

The name of the object that triggered the event creation

kubernetes.event.metadata.namespace

The name of the namespace where the event originally occurred. Note that it differs from kubernetes.namespace_name, which is the namespace where the eventrouter application is deployed.

kubernetes.event.metadata.selfLink

A link to the event

kubernetes.event.metadata.uid

The unique ID of the event

kubernetes.event.metadata.resourceVersion

A string that identifies the server’s internal version of the event. Clients can use this string to determine when objects have changed.

kubernetes.event.involvedObject

The object that the event is about.

kubernetes.event.involvedObject.kind

The type of object

kubernetes.event.involvedObject.namespace

The namespace name of the involved object. Note that it may differ from kubernetes.namespace_name, which is the namespace where the eventrouter application is deployed.

kubernetes.event.involvedObject.name

The name of the object that triggered the event

kubernetes.event.involvedObject.uid

The unique ID of the object

kubernetes.event.involvedObject.apiVersion

The version of kubernetes master API

kubernetes.event.involvedObject.resourceVersion

A string that identifies the server’s internal version of the pod that triggered the event. Clients can use this string to determine when objects have changed.

kubernetes.event.reason

A short machine-understandable string that gives the reason for generating this event

kubernetes.event.source_component

The component that reported this event

kubernetes.event.firstTimestamp

The time at which the event was first recorded

kubernetes.event.count

The number of times this event has occurred

kubernetes.event.type

The type of event, Normal or Warning. New types could be added in the future.

OpenShift

The namespace for openshift-logging specific metadata

Labels added by the Cluster Log Forwarder configuration