Amazon S3 plugin for Fluentd 🔗︎
Overview 🔗︎
s3 output plugin buffers event logs in local file and upload it to S3 periodically. This plugin splits files exactly by using the time of event logs (not the time when the logs are received). For example, a log ‘2011-01-02 message B’ is reached, and then another log ‘2011-01-03 message B’ is reached in this order, the former one is stored in “20110102.gz” file, and latter one in “20110103.gz” file.
Example: S3 Output Deployment
Example output configurations 🔗︎
spec:
s3:
aws_key_id:
valueFrom:
secretKeyRef:
name: logging-s3
key: awsAccessKeyId
aws_sec_key:
valueFrom:
secretKeyRef:
name: logging-s3
key: awsSecretAccessKey
s3_bucket: logging-amazon-s3
s3_region: eu-central-1
path: logs/${tag}/%Y/%m/%d/
buffer:
timekey: 10m
timekey_wait: 30s
timekey_use_utc: true*/
Configuration 🔗︎
Output Config 🔗︎
| Variable Name | Type | Required | Default | Description |
|---|---|---|---|---|
| aws_key_id | *secret.Secret | No | - | AWS access key id Secret |
| aws_sec_key | *secret.Secret | No | - | AWS secret key. Secret |
| check_apikey_on_start | string | No | - | Check AWS key on start |
| grant_read | string | No | - | Allows grantee to read the object data and its metadata |
| overwrite | string | No | - | Overwrite already existing path |
| path | string | No | - | Path prefix of the files on S3 |
| grant_write_acp | string | No | - | Allows grantee to write the ACL for the applicable object |
| check_bucket | string | No | - | Check bucket if exists or not |
| sse_customer_key | string | No | - | Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data |
| sse_customer_key_md5 | string | No | - | Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321 |
| compute_checksums | string | No | - | AWS SDK uses MD5 for API request/response by default |
| warn_for_delay | string | No | - | Given a threshold to treat events as delay, output warning logs if delayed events were put into s3 |
| use_bundled_cert | string | No | - | Use aws-sdk-ruby bundled cert |
| s3_endpoint | string | No | - | Custom S3 endpoint (like minio) |
| ssekms_key_id | string | No | - | Specifies the AWS KMS key ID to use for object encryption |
| s3_metadata | string | No | - | Arbitrary S3 metadata headers to set for the object |
| force_path_style | string | No | - | If true, the bucket name is always left in the request URI and never moved to the host as a sub-domain |
| auto_create_bucket | string | No | - | Create S3 bucket if it does not exists |
| index_format | string | No | - | sprintf format for %{index} |
| signature_version | string | No | - | Signature version for API Request (s3,v4) |
| enable_transfer_acceleration | string | No | - | If true, S3 Transfer Acceleration will be enabled for uploads. IMPORTANT: You must first enable this feature on your destination S3 bucket |
| ssl_verify_peer | string | No | - | If false, the certificate of endpoint will not be verified |
| proxy_uri | string | No | - | URI of proxy environment |
| grant_read_acp | string | No | - | Allows grantee to read the object ACL |
| check_object | string | No | - | Check object before creation |
| sse_customer_algorithm | string | No | - | Specifies the algorithm to use to when encrypting the object |
| use_server_side_encryption | string | No | - | The Server-side encryption algorithm used when storing this object in S3 (AES256, aws:kms) |
| s3_region | string | No | - | S3 region name |
| acl | string | No | - | Permission for the object in S3 |
| grant_full_control | string | No | - | Allows grantee READ, READ_ACP, and WRITE_ACP permissions on the object |
| hex_random_length | string | No | - | The length of %{hex_random} placeholder(4-16) |
| s3_object_key_format | string | No | %{path}%{time_slice}%{uuid_hash}%{index}.%{file_extension} | The format of S3 object keys (default: %{path}%{time_slice}%{uuid_hash}%{index}.%{file_extension}) |
| s3_bucket | string | Yes | - | S3 bucket name |
| store_as | string | No | - | Archive format on S3 |
| storage_class | string | No | - | The type of storage to use for the object(STANDARD,REDUCED_REDUNDANCY,STANDARD_IA) |
| aws_iam_retries | string | No | - | The number of attempts to load instance profile credentials from the EC2 metadata service using IAM role |
| buffer | *Buffer | No | - | Buffer |
| format | *Format | No | - | Format |
| assume_role_credentials | *S3AssumeRoleCredentials | No | - | Assume Role Credentials |
| instance_profile_credentials | *S3InstanceProfileCredentials | No | - | Instance Profile Credentials |
| shared_credentials | *S3SharedCredentials | No | - | Shared Credentials |
| oneeye_format | bool | No | false | One-eye format trigger |
| clustername | string | No | one-eye | Custom cluster name |
Assume Role Credentials 🔗︎
assume_role_credentials 🔗︎
| Variable Name | Type | Required | Default | Description |
|---|---|---|---|---|
| role_arn | string | Yes | - | The Amazon Resource Name (ARN) of the role to assume |
| role_session_name | string | Yes | - | An identifier for the assumed role session |
| policy | string | No | - | An IAM policy in JSON format |
| duration_seconds | string | No | - | The duration, in seconds, of the role session (900-3600) |
| external_id | string | No | - | A unique identifier that is used by third parties when assuming roles in their customers’ accounts. |
Instance Profile Credentials 🔗︎
instance_profile_credentials 🔗︎
| Variable Name | Type | Required | Default | Description |
|---|---|---|---|---|
| ip_address | string | No | 169.254.169.254 | IP address |
| port | string | No | 80 | Port number |
| http_open_timeout | string | No | - | Number of seconds to wait for the connection to open |
| http_read_timeout | string | No | - | Number of seconds to wait for one block to be read |
| retries | string | No | - | Number of times to retry when retrieving credentials |
Shared Credentials 🔗︎
shared_credentials 🔗︎
| Variable Name | Type | Required | Default | Description |
|---|---|---|---|---|
| profile_name | string | No | - | Profile name. Default to ‘default’ or ENV[‘AWS_PROFILE’] |
| path | string | No | $HOME/.aws/credentials | Path to the shared file. |
