The log restoration feature of One Eye allows you to retrieve a set of logs into an Elasticsearch instance where you can browse and analyze them. This is useful for example in auditing and troubleshooting situations.
Prerequisites 🔗︎
- Restoring logs is supported only from S3 outputs
- The Elastic operator must be installed on the cluster running One Eye. You can install the operator from the One Eye CLI.
- The cluster running One Eye must have enough resources to store the restored logs, and deploy an Elastic instance. The exact requirements depend on the amount of logs to be restored.
Restore logs 🔗︎
To restore archived log messages, complete the following steps.
- Open the One Eye web interface by running the one-eye ingress connect command.
- Select MENU > LOG RESTORATION.
- Click . The Log Restoration Wizard opens.
- Select the output from which you want to restore logs, then click Next.
- Select the cluster and the time interval for which you want to restore logs.
- To specify the details of the logs to be restored on the UI, select Simple Builder. Alternatively, you can select Advanced Builder, and paste a JSON that describes the logs to restore.
- To restore the logs of only specific namespaces, pods, and containers, search for the name of the respective resource, and select the ones you need. If you want to restore the logs of every resource, select Any. Note that searching for the resources returns only exact matches, unless you include the
.*
wildcard. - Set a prefix for the Elastic index. In addition to using it as a prefix for the Elastic index, currently the Elastic resources are named after this parameter.
- Set the namespace where the Elastic instance will be deployed to. The log restoration job is also run in this namespace.
- Before restoring the logs starts, review the settings of the process. If everything is as you intended, click Next.
- One Eye starts restoring the logs. Depending on the amount of logs to restore, this can take a long time.
- After the job is successfully completed, you can access the restored logs.
Access restored logs 🔗︎
To view your restored logs, complete the following steps.
- Open the One Eye web interface by running the one-eye ingress connect command.
- Select MENU > LOG RESTORATION. This page shows log restoration jobs and their details.
- Click the ID of a restoration job. The details for accessing the logs are displayed.
- Click the URL to open the Elasticsearch service where the logs are available, and use the username and password to access them (click the eye icon to display the password).
Delete the restored logs 🔗︎
If you’re done analyzing the restored logs, you can either:
- deleted the restored logs from Elasticsearch, or
- delete the whole Elasticsearch instance from the One Eye cluster.
Currently, the latter can only be performed manually, by deleting the Elasticsearch resource from the cluster. The Elasticsearch resource is named after the Index prefix parameter and exists in the namespace specified for the restoration job. For example, you can run the following command on the cluster:
kubectl delete elasticsearch -n <namespace> <index prefix>
Advanced builder JSON scheme 🔗︎
When selecting Advanced Builder, you can specify which logs you want to restore in a JSON object. The JSON has three fields, all of them are optional: namespaces, pods, and containers. Each field can contain a list of RE2 regular expressions that match the names of namespaces, pods, or containers to select. Note that:
- If a field is not set, set to
null
, or set to an empty list, it matches every possible value. - Elements of a list have logical OR relationship.
For example:
Match every pod and container of the namespaces beginning with kube-:
{"namespaces": ["kube-.*"]}
Match every pod and container of the default namespace, and namespaces beginning with kube-:
{"namespaces": ["default", "kube-.*"]}
Match the logs of the istio-proxy containers in the demo namespace:
{
"namespaces": ["demo"],
"containers": ["istio-proxy"]
}