This diagram illustrates the systems that are typically used to parse log data on OpenShift. Fluentd collects the log data from the containers and passes the log data onto Elastic Search. Optionally, Kibana can be used as a tool that may make it easier to visualize the logs.

This is similar to the ELK stack (Elastic Search, Logstash, Kibana), but would actually be the EFK stack (Elastic Search, Fluentd, Kibana).

Instead of using Logstash or Fluentd, filebeat can be used to collect the log data from the containers.

You configure logging by first installing the Loki Operator or OpenShift Elasticsearch Operator to manage your log storage followed by the OpenShift Logging Operator to manage the components of logging. The oc get operators command can be used to list the installed Operators. In this example, the Loki and Elasticsearch and OpenShift Cluster Logging Operators have already been installed.

~]$ oc get operators
NAME                                                              AGE
cluster-logging.openshift-logging                                 604d
elasticsearch-operator.openshift-operators-redhat                 604d
loki-operator.openshift-operators-redhat                          181d

The oc get pods command can be used list the filebeat pods in whatever project filebeat has been deployed to, which is kube-system by default.

oc get pods -n kube-system

Something like this should be returned.

NAME             READY   STATUS    RESTARTS   AGE
filebeat-2ll47   1/1     Running   0          47d
filebeat-4bf2j   1/1     Running   37         18d
filebeat-4btc5   1/1     Running   0          47d
filebeat-4lpk7   1/1     Running   39         18d
filebeat-5srrs   1/1     Running   1          47d
filebeat-5zsds   1/1     Running   39         18d
filebeat-6v4jk   1/1     Running   0          47d
filebeat-7wnzv   1/1     Running   0          47d
filebeat-c4ddh   1/1     Running   0          47d
filebeat-dk9dp   1/1     Running   0          47d
filebeat-h2228   1/1     Running   0          47d
filebeat-lcrkp   1/1     Running   461        47d
filebeat-mmszn   1/1     Running   2251       47d
filebeat-n48jw   1/1     Running   506        47d
filebeat-n62pm   1/1     Running   3942       47d
filebeat-pj2w9   1/1     Running   1          47d
filebeat-qwmfr   1/1     Running   39         18d
filebeat-rc87z   1/1     Running   0          47d
filebeat-rzv8h   1/1     Running   0          47d
filebeat-tcnkd   1/1     Running   0          47d
filebeat-wcfg9   1/1     Running   1          47d
filebeat-wg8nc   1/1     Running   0          47d
filebeat-wrqsd   1/1     Running   0          47d
filebeat-x7bvn   1/1     Running   0          47d
filebeat-z7twl   1/1     Running   0          47d
filebeat-zwlw8   1/1     Running   1          47d

The oc logs command can be used to view the logs in the filebeat pods.

oc logs pod/filebeat-2ll47