Skip to content

Commit 5e860df

Browse files
hjiaweiclaude
andcommitted
Update log collector docs for the fluentd to fluent-bit migration (EV-6164)
Calico Enterprise removes the fluentd log collector in favour of Fluent Bit (calico-fluent-bit in calico-system; tigera/operator#4910). Update the next-version Calico Enterprise and Calico Cloud docs to match: - Rewrite "Filter flow logs" / "Filter DNS logs": examples move from fluentd <filter> syntax to Fluent Bit YAML filter lists, the ConfigMap is renamed fluentd-filters -> fluent-bit-filters, and an upgrade note explains that old fluentd-syntax filters are not translated (the operator raises a tigera status warning naming the offending key). - Metrics pages: Fluent Bit's built-in Prometheus endpoint (port 2020, /api/v2/metrics/prometheus, fluentbit_* metrics); the fluentd buffer-space alert becomes fluentbit_output_chunk_available_capacity_percent plus a dropped-chunks alert on fluentbit_output_retries_failed_total. - BYO Prometheus: the fluent-bit tab needs no client TLS (plain HTTP behind the allow-calico-fluent-bit policy); ServiceMonitor sample is fluent-bit-metrics-service-monitor.yaml. - Sweep of remaining pages: tigera-fluentd namespace -> calico-system, fluentd-node -> calico-fluent-bit (labels, secrets, packet capture retrieval via calico-node, diags output, resource override examples now use calicoFluentBitDaemonSet, architecture/overview descriptions, cc-arch-diagram ports, operator checklist). Not touched: versioned docs, releases.json (historical), and the generated installation API reference (regenerates from the operator release). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent b0c267b commit 5e860df

27 files changed

Lines changed: 257 additions & 262 deletions

File tree

calico-cloud/_includes/components/ReqsSys.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -308,7 +308,7 @@ function NetworkRequirementsEnt(props) {
308308
<td>
309309
<strong>Logs and storage</strong>
310310
</td>
311-
<td>Elasticsearch with fluentd datastore</td>
311+
<td>Elasticsearch log storage</td>
312312
<td>TCP 9200 (default)</td>
313313
</tr>
314314
<tr className='odd'>

calico-cloud/get-started/cc-arch-diagram.mdx

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ The following diagram shows the major components in a managed cluster, followed
3333
| calico-node | Bundles key components that are required for networking containers with $[prodname]:<br/><br />&bull; Felix<br />&bull; BIRD<br />&bull; confd | &bull; TCP 5473 to Typha<br />&bull; TCP 9900 and 9081 from Prometheus API service |
3434
| Container threat detection | A threat detection engine that analyzes observed file and process activity to detect known malicious and suspicious activity. Monitors the following types of suspicious activity within containers:<br/><br />&bull; Access to sensitive system files and directories<br />&bull; Defense evasion<br />&bull; Discovery<br />&bull; Execution<br />&bull; Persistence<br />&bull; Privilege escalation<br/><br />Includes these components:<br /><br />**Runtime Security Operator**<br />An operator to manage and reconcile container threat defense components.<br/><br />**Runtime Reporter Pods**<br />Pods running on each node in the cluster to perform the detection activity outlined above.They send activity reports to Elasticsearch for analysis by $[prodname]. | TCP to Kubernetes API server |
3535
| Compliance | Generates compliance reports for the Kubernetes cluster. Reports are based on archived flow and audit logs for Calico Cloud resources, plus any audit logs you’ve configured for Kubernetes resources in the Kubernetes API server. Compliance reports provide the following high-level information:<br /><br />&bull; Endpoints explicitly protected using ingress or egress policy<br />&bull; Policies and services<br /> - Policies and services associated with endpoints<br /> - Policy audit logs <br />&bull; Traffic<br /> - Allowed ingress/egress traffic to/from namespaces, and to/from the internet Compliance includes these components: <br /><br />**compliance-snapshotter** <br />Handles listing of required Kubernetes and $[prodname]configuration and pushes snapshots to Elasticsearch. Snapshots give you visibility into configuration changes, and how the cluster-wide configuration has evolved within a reporting interval.<br /><br />**compliance-reporter**<br />Handles report generation. Reads configuration history from Elasticsearch and determines time evolution of cluster-wide configuration, including relationships between policies, endpoints, services, and network sets. Data is then passed through a zero-trust aggregator to determine the “worst-case outliers” in the reporting interval.<br /><br />**compliance-controller**<br />Reads report configuration and manages creation, deletion, and monitoring of report generation jobs.<br /><br />**compliance-benchmarker**<br />A daemonset that runs checks in the CIS Kubernetes Benchmark on each node so you can see if Kubernetes is securely deployed.<br /> | &bull; TCP 8080 to Guardian<br />&bull; TCP 6443 to Kubernetes API server |
36-
| Fluentd | Open-source data collector for unified logging. Collects and forwards $[prodname] logs (flows, DNS, L7) to log storage. | &bull; TCP 8080 to Guardian<br />&bull; TCP 9080 from Prometheus API service |
36+
| Fluent Bit | Open-source, lightweight log processor and forwarder. Collects and forwards $[prodname] logs (flows, DNS, L7) to log storage. | &bull; TCP 8080 to Guardian<br />&bull; TCP 2020 from Prometheus API service |
3737
| Guardian | An agent running in each managed cluster that proxies communication between the $[prodname] tunnel server and your managed cluster. Secured using TLS tunnels.<br /> | &bull; Port 9000 to tunnel server<br />&bull; TCP 6443 to Kubernetes API server<br />&bull; TCP 6443 from $[prodname] components |
3838
| Installation endpoints | Endpoints at `*.calicocloud.io` and `*.projectcalico.org`. | TCP 443 for both |
3939
| Intrusion detection controller | Handles integrations with threat intelligence feeds and $[prodname] custom alerts. | &bull; TCP 8080 to Guardian<br />&bull; TCP 6443 to Kubernetes API server |
@@ -42,7 +42,7 @@ The following diagram shows the major components in a managed cluster, followed
4242
| kube-controllers | Monitors the Kubernetes API and performs actions based on cluster state. $[prodname] kube-controllers container includes these controllers:<br/><br />&bull; Node<br />&bull; Service<br />&bull; Federated services<br />&bull; Authorization<br /> | &bull; TCP 9094 from Prometheus API service<br />&bull; TCP 6443 to Kubernetes API server |
4343
| Log storage | Storage for logs (flows, L7, DNS, audit). Data for each managed cluster is isolated and protected against unauthorized access. | n/a |
4444
| Packet capture API | Retrieves capture files (pcap format) generated by a packet capture for use with network protocol analysis tools like Wireshark. Packet capture data is visible in the web console and Service Graph. | &bull; TCP 8449 Guardian to Packet Capture API<br />&bull; TCP 6443 to Kubernetes API server |
45-
| Prometheus API service | Collects metrics from $[prodname] components and makes the metrics available to the web console. | &bull; TCP 6443 to Kubernetes API server<br />&bull; TCP 9080 to Fluentd<br />&bull; TCP 9900 and 9081 to Prometheus API service |
45+
| Prometheus API service | Collects metrics from $[prodname] components and makes the metrics available to the web console. | &bull; TCP 6443 to Kubernetes API server<br />&bull; TCP 2020 to Fluent Bit<br />&bull; TCP 9900 and 9081 to Prometheus API service |
4646
| Tigera API server | Allows users to manage $[prodname] resources such as policies and tiers through kubectl or the Kubernetes API server. | &bull; TCP 9095 to Prometheus API service<br />&bull; TCP 8080 from Kubernetes API server |
4747
| Typha | Increases scale by reducing each node’s impact on the datastore. | TCP 5473 from calico-node to Typha |
4848
| User access to the web console | Authenticated users can access the browser-based the web console, which provides network traffic visibility and troubleshooting, centralized multi-cluster management, threat-defense, container threat detection, policy lifecycle management, scan images for vulnerabilities, and compliance for multiple roles/stakeholders. | Port 443 to $[prodname] tunnel server |

calico-cloud/get-started/operator-checklist.mdx

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -493,19 +493,19 @@ intrusion-detection-es-job-installer-xm22v 1/1 Running 0 6
493493
494494
**6 - log-collector**
495495
496-
`log-collector` collects flow and other logs and forwards them to $[prodname]. Check the pods and logs in the `tigera-fluentd` namespace. You should have one pod running on each of your nodes.
496+
`log-collector` collects flow and other logs and forwards them to $[prodname]. Check the `calico-fluent-bit` pods and logs in the `calico-system` namespace. You should have one pod running on each of your nodes.
497497
498498
```bash
499-
kubectl get pods -n tigera-fluentd
499+
kubectl get pods -n calico-system -l k8s-app=calico-fluent-bit
500500
```
501501
502502
```
503-
NAME READY STATUS RESTARTS AGE
504-
fluentd-node-5mzh6 1/1 Running 0 70m
505-
fluentd-node-7vmxw 1/1 Running 0 70m
506-
fluentd-node-bbc4p 1/1 Running 0 70m
507-
fluentd-node-chfz4 1/1 Running 0 70m
508-
fluentd-node-d6f56 1/1 Running 0 70m
503+
NAME READY STATUS RESTARTS AGE
504+
calico-fluent-bit-5mzh6 1/1 Running 0 70m
505+
calico-fluent-bit-7vmxw 1/1 Running 0 70m
506+
calico-fluent-bit-bbc4p 1/1 Running 0 70m
507+
calico-fluent-bit-chfz4 1/1 Running 0 70m
508+
calico-fluent-bit-d6f56 1/1 Running 0 70m
509509
```
510510
511511
**7 - management-cluster-connection**
@@ -643,7 +643,7 @@ If cluster does not have enough capacity, it will not be able to deploy pods. Th
643643
644644
The high-level components $[prodname] needs to run are:
645645
646-
- Per node: 1 fluentd, 1 compliance benchmarker
646+
- Per node: 1 fluent-bit, 1 compliance benchmarker
647647
- On top of per node: 3 alertmanager (from statefulset), 1 prometheus, 1 prometheus operator, 1 kube-controllers, 2 compliance snapshotter and controller, 1 guardian, 1 ids controller, 1 apiserver
648648
649649
Some clusters have limited pod-networked pod capacity.
Lines changed: 33 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
description: Suppress low-value Calico Cloud DNS log entries with Fluentd filters configured through a ConfigMap in the operator namespace of connected clusters.
2+
description: Suppress low-value Calico Cloud DNS log entries with Fluent Bit filters configured through a ConfigMap in the operator namespace of connected clusters.
33
---
44

55
# Filter DNS logs
@@ -18,46 +18,53 @@ To enable DNS log filtering, follow these steps:
1818
your desired filter using [Filter configuration files](#filter-configuration-files).
1919
If you are also adding [flow filters](../flow/filtering.mdx) also add the `flow` file
2020
to the directory.
21-
1. Create the `fluentd-filters` ConfigMap in the `tigera-operator` namespace
21+
1. Create the `fluent-bit-filters` ConfigMap in the `tigera-operator` namespace
2222
with the following command.
2323
```bash
24-
kubectl create configmap fluentd-filters -n tigera-operator --from-file=filters
24+
kubectl create configmap fluent-bit-filters -n tigera-operator --from-file=filters
2525
```
2626

27+
The operator inlines the filters into the log collector configuration and rolls the
28+
`calico-fluent-bit` daemonset automatically.
29+
2730
## Filter configuration files
2831

29-
The filters defined by the ConfigMap are inserted into the fluentd configuration file.
30-
The [upstream fluentd documentation](https://docs.fluentd.org/filter/grep)
31-
describes how to write fluentd filters. The [DNS log schema](dns-logs.mdx) can be referred to
32-
for the specification of the various fields you can filter based on. Remember to ensure
33-
that the config file is properly indented in the ConfigMap.
32+
Each file holds a YAML list of Fluent Bit filter entries. The
33+
[upstream Fluent Bit documentation](https://docs.fluentbit.io/manual/data-pipeline/filters/grep)
34+
describes how to write the `grep` filter used in the examples below; the
35+
`calico-fluent-bit` log collector also ships the `record_modifier`, `parser`, and
36+
`lua` filters. Filters in the `dns` file are applied to DNS logs automatically;
37+
you do not need to set a `match` on each entry. The [DNS log schema](dns-logs.mdx)
38+
can be referred to for the specification of the various fields you can filter based on.
39+
40+
:::note Upgrading from a release that used fluentd
41+
42+
Earlier releases collected logs with fluentd and read filters in fluentd `<filter>`
43+
syntax from a ConfigMap named `fluentd-filters`. That ConfigMap is no longer read,
44+
and fluentd filter syntax cannot be translated automatically. Recreate your filters
45+
as Fluent Bit YAML filter lists under the new `fluent-bit-filters` name. If a filter
46+
key does not parse as Fluent Bit YAML, the operator skips that filter, reports a
47+
warning on the `tigera status` output naming the offending key, and continues to
48+
ship unfiltered logs.
49+
50+
:::
3451

3552
## Example 1: filter out cluster-internal lookups
3653

3754
This example filters out lookups for domain names ending with ".cluster.local". More
38-
logs could be filtered by adjusting the regular expression "pattern", or by adding
39-
additional `exclude` blocks.
55+
logs could be filtered by adjusting the regular expression, or by adding
56+
additional `exclude` rules.
4057

41-
```
42-
<filter dns>
43-
@type grep
44-
<exclude>
45-
key qname
46-
pattern /\.cluster\.local$/
47-
</exclude>
48-
</filter>
58+
```yaml
59+
- name: grep
60+
exclude: qname \.cluster\.local$
4961
```
5062
5163
## Example 2: keep logs only for particular domain names
5264
5365
This example will filter out all logs _except_ those for domain names ending `.co.uk`.
5466

55-
```
56-
<filter dns>
57-
@type grep
58-
<regexp>
59-
key qname
60-
pattern /\.co\.uk$/
61-
</regexp>
62-
</filter>
67+
```yaml
68+
- name: grep
69+
regex: qname \.co\.uk$
6370
```

calico-cloud/observability/elastic/flow/filtering.mdx

Lines changed: 25 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
description: Filter Calico Cloud flow logs through Fluentd to drop low-significance traffic and reduce managed Elasticsearch volume and cost.
2+
description: Filter Calico Cloud flow logs through Fluent Bit to drop low-significance traffic and reduce managed Elasticsearch volume and cost.
33
---
44

55
# Filter flow logs
@@ -53,56 +53,49 @@ reporter packetsIn packetsOut bytesIn bytesOut action
5353

5454
### Create flow log filters
5555

56-
Create your [fluentd filters](https://docs.fluentd.org/filter/grep).
56+
Filters are written as a YAML list of [Fluent Bit filter](https://docs.fluentbit.io/manual/data-pipeline/filters/grep) entries. The `calico-fluent-bit` log collector ships the `grep`, `record_modifier`, `parser`, and `lua` filters. Filters you add under the `flow` key are applied to flow logs automatically; you do not need to set a `match` on each entry.
5757

5858
**Example: filter out a specific namespace**
5959

60-
This example filters out all flow logs whose source or destination namespace is "dev". Additional namespaces could be filtered by adjusting the regular expression "pattern"s, or by adding additional `exclude` blocks.
60+
This example filters out all flow logs whose source or destination namespace is "dev". A record is dropped when it matches any of the `exclude` rules; additional namespaces could be filtered by adjusting the regular expressions, or by adding more `exclude` rules.
6161

62-
```
63-
<filter flows>
64-
@type grep
65-
<exclude>
66-
key source_namespace
67-
pattern dev
68-
</exclude>
69-
<exclude>
70-
key dest_namespace
71-
pattern dev
72-
</exclude>
73-
</filter>
62+
```yaml
63+
- name: grep
64+
exclude:
65+
- source_namespace dev
66+
- dest_namespace dev
7467
```
7568
7669
**Example: filter out internet traffic to a specific deployment**
7770
78-
This example filters inbound internet traffic to the deployment with pods named, `nginx-internet-*`. Note the use of the `and` directive to filter out traffic that is both to the deployment, and from the internet (source `pub`).
71+
This example filters inbound internet traffic to the deployment with pods named, `nginx-internet-*`. Note the use of `logical_op: and` to filter out only the traffic that is both to the deployment, and from the internet (source `pub`).
7972

80-
```
81-
<filter flows>
82-
@type grep
83-
<and>
84-
<exclude>
85-
key dest_name_aggr
86-
pattern ^nginx-internet
87-
</exclude>
88-
<exclude>
89-
key source_name_aggr
90-
pattern pub
91-
</exclude>
92-
</and>
93-
</filter>
73+
```yaml
74+
- name: grep
75+
logical_op: and
76+
exclude:
77+
- dest_name_aggr ^nginx-internet
78+
- source_name_aggr pub
9479
```
9580

9681
### Add filters to ConfigMap file
9782

9883
1. Create a `filters` directory with a file called `flow` with your desired filters. If you are also adding [dns filters](../dns/filtering-dns.mdx), add the `dns` file to the directory.
9984

100-
1. Create the `fluentd-filters` ConfigMap in the `tigera-operator` namespace with the following command.
85+
1. Create the `fluent-bit-filters` ConfigMap in the `tigera-operator` namespace with the following command.
10186

10287
```bash
103-
kubectl create configmap fluentd-filters -n tigera-operator --from-file=filters
88+
kubectl create configmap fluent-bit-filters -n tigera-operator --from-file=filters
10489
```
10590

91+
The operator inlines the filters into the log collector configuration and rolls the `calico-fluent-bit` daemonset automatically.
92+
93+
:::note Upgrading from a release that used fluentd
94+
95+
Earlier releases collected logs with fluentd and read filters in fluentd `<filter>` syntax from a ConfigMap named `fluentd-filters`. That ConfigMap is no longer read, and fluentd filter syntax cannot be translated automatically. Recreate your filters as Fluent Bit YAML filter lists under the new `fluent-bit-filters` name. If a filter key does not parse as Fluent Bit YAML, the operator skips that filter, reports a warning on the `tigera status` output naming the offending key, and continues to ship unfiltered logs.
96+
97+
:::
98+
10699
## Additional resources
107100

108101
- [Flow log aggregation](aggregation.mdx)

calico-cloud/observability/elastic/overview.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ Because of their high-volume, flow and dns logs support aggregation.
4545

4646
### Default log configuration and security
4747

48-
$[prodname] automatically installs fluentd on all nodes and collects flow, audit, and DNS logs. You can configure additional destinations like Amazon S3, Syslog, Splunk.
48+
$[prodname] automatically installs Fluent Bit on all nodes and collects flow, audit, and DNS logs. You can configure additional destinations like Amazon S3, Syslog, Splunk.
4949

5050
$[prodname] enables user authentication in Elasticsearch, and secures access to Elasticsearch and Kibana instances using network policy.
5151

calico-cloud/observability/kube-audit.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,7 @@ rules:
8484
8585
The following updates require a restart to the Kubernetes API Server.
8686
87-
To enable Kubernetes resource audit logs to be read by $[prodname] in fluentd, follow these steps.
87+
To enable Kubernetes resource audit logs to be read by the $[prodname] Fluent Bit log collector, follow these steps.
8888
8989
On the Kubernetes API Server, update these flags.
9090

calico-cloud/observability/packetcapture.mdx

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -226,19 +226,19 @@ status:
226226
Get the pod on the node with the packet capture that you want.
227227

228228
```bash
229-
kubectl get pods -n tigera-fluentd --no-headers --field-selector spec.nodeName="<REPLACE_WITH_NODE_NAME>"
229+
kubectl get pods -n calico-system -l k8s-app=calico-node --no-headers --field-selector spec.nodeName="<REPLACE_WITH_NODE_NAME>"
230230
```
231231

232232
Copy the packet capture using the pod information.
233233

234234
```bash
235-
kubectl cp tigera-fluentd/<REPLACE_WITH_POD_NAME>:var/log/calico/pcap/sample/sample-capture/ .
235+
kubectl cp calico-system/<REPLACE_WITH_POD_NAME>:var/log/calico/pcap/sample/sample-capture/ .
236236
```
237237

238238
**Delete packet capture files**
239239

240240
```bash
241-
kubectl exec -it tigera-fluentd/<REPLACE_WITH_POD_NAME> -- sh -c "rm -r /var/log/calico/pcap/sample/sample-capture/"
241+
kubectl exec -it -n calico-system <REPLACE_WITH_POD_NAME> -- sh -c "rm -r /var/log/calico/pcap/sample/sample-capture/"
242242
```
243243

244244
### Store and rotate capture files

calico-cloud/operations/comms/index.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ The **Deployed to** column shows the namespace where the operator places the sec
5656
| `node-certs` | `typha-client` | `calico-system` | Installation/default |
5757
| `node-certs` | `typha-client` | `tigera-dpi` | IntrusionDetection/tigera-secure |
5858
| `tigera-ee-elasticsearch-metrics-tls` | `tigera-elasticsearch-metrics` | `tigera-elasticsearch` | LogStorage/tigera-secure |
59-
| `tigera-fluentd-prometheus-tls` | `fluentd-http-input` | `tigera-fluentd` | LogCollector/tigera-secure |
59+
| `calico-fluent-bit-tls` | `calico-fluent-bit-http-input` | `calico-system` | LogCollector/tigera-secure |
6060
| `typha-certs` | `typha-server` | `calico-system` | Installation/default |
6161
| `typha-certs-noncluster-host` | `typha-server-noncluster-host` | `calico-system` | Installation/default |
6262

0 commit comments

Comments
 (0)