Note: This page describes routing logs with syslog-ng. If you are using Fluentd to route your log messages, see Routing your logs with Fluentd match directives.

syslog-ng is supported only in Logging operator 4.0 or newer.

The first step to process your logs is to select which logs go where.

The match field of the SyslogNGFlow and SyslogNGClusterFlow resources define the routing rules of the logs.

Note: Fluentd can use only metadata to route the logs. When using syslog-ng filter expressions, you can filter both on metadata and log content as well.

The syntax of syslog-ng match statement is slightly different from the Fluentd match statements.

Available routing metadata keys:

Name Type Description Empty
namespaces []string List of matching namespaces All namespaces
labels map[string]string Key - Value pairs of labels All labels
hosts []string List of matching hosts All hosts
container_names []string List of matching containers (not Pods) All containers

Match statement 🔗︎

Match expressions are basically a combination of filtering functions using the and, or, and not boolean operators. Currently, only a pattern matching function is supported (called match in syslog-ng parlance, but renamed to regexp in the CRD to avoid confusion).

The match field can have one of the following options:

  match:
    and: <list of nested match expressions>  // Logical AND between expressions
    or: <list of nested match expressions>   // Logical OR between expressions
    not: <nested match expression>           // Logical NOT of an expression
    regexp: ... // Pattern matching on a field's value or a templated value

The regexp field (called match in syslog-ng parlance, but renamed to regexp in the CRD to avoid confusion)) can have the following fields:

  regexp:
    pattern: <a pattern string>                            // Pattern match against, e.g. "my-app-\d+". The pattern's type is determined by the type field.
    value: <a field reference>                             // Reference to a field whose value to match. If this field is set, the template field cannot be used.
    template: <a templated string combining field values>  // Template expression whose value to match. If this field is set, the value field cannot be used. For more info, see https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/74#TOPIC-1829197
    type: <pattern type>                                   // Pattern type. Default is PCRE. For more info, see https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/81#TOPIC-1829223
    flags: <list of flags>                                 // Pattern flags. For more info, see https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/81#TOPIC-1829224

CAUTION:

You need to use the json. prefix in field names.

You can reference fields using the dot notation, for example, if the log contains {"kubernetes": {"namespace_name": "default"}}, then you can reference the namespace_name field using json.kubernetes.namespace_name.

The following example filters for specific Pod labels:

  match:
    and:
    - regexp:
        value: json.kubernetes.labels.app.kubernetes.io/instance
        pattern: one-eye-log-generator
        type: string
    - regexp:
        value: json.kubernetes.labels.app.kubernetes.io/name
        pattern: log-generator
        type: string