Skip to main content

Collecting Kubernetes Events

You can collect Kubernetes events from the Kubernetes API server and send them to Sumo Logic as logs.

This feature is enabled by default. To disable it, set the sumologic.events.enabled property to false.

The event collector collects events by requesting all Kubernetes events from the Kubernetes API server. Note that the resource API used is core v1 and not events.k8s.io/v1. The events are sent as logs in their original JSON format to Sumo Logic.

Example Kubernetes event:

{
  "object": {
    "apiVersion": "v1",
    "count": 19736,
    "eventTime": null,
    "firstTimestamp": "2022-03-12T20:48:26Z",
    "involvedObject": {
      "apiVersion": "v1",
      "fieldPath": "spec.containers{aws-node}",
      "kind": "Pod",
      "name": "aws-node-sshmk",
      "namespace": "kube-system",
      "resourceVersion": "55028103",
      "uid": "96a623cd-e201-4ba5-9595-231cdf3da63d"
    },
    "kind": "Event",
    "lastTimestamp": "2022-07-05T01:47:09Z",
    "message": "Pulling image \"602401143452.dkr.ecr.us-west-1.amazonaws.com/amazon-k8s-cni:v1.7.5-eksbuild.1\"",
    "metadata": {
      "creationTimestamp": "2022-07-05T01:47:09Z",
      "name": "aws-node-sshmk.16dbbd30f2200271",
      "namespace": "kube-system",
      "resourceVersion": "86640936",
      "selfLink": "/api/v1/namespaces/kube-system/events/aws-node-sshmk.16dbbd30f2200271",
      "uid": "d7a69a2e-3842-4f26-abec-f9949158f189"
    },
    "reason": "Pulling",
    "reportingComponent": "",
    "reportingInstance": "",
    "source": {
      "component": "kubelet",
      "host": "ip-172-16-8-171.us-west-1.compute.internal"
    },
    "type": "Normal"
  },
  "timestamp": 1656985629543,
  "type": "ADDED"
}

Configuration​

Event collection configuration can be found under the sumologic.events key of the values.yaml file.

Setting source name and category​

It's possible to customize the [source name][/docs/send-data/reference-information/metadata-naming-conventions/#source-name] and [category][/docs/send-data/reference-information/metadata-naming-conventions/#source-category] for events:

sumologic:
  events:
    sourceName: myEventSource
    sourceCategory: myCustomSourceCategory

Customizing persistence​

By default, the event collector provisions and uses a Kubernetes PersistentVolume to persist some information over service restarts. In particular, the collector remembers the most recently processed Event this way, thus avoiding having to reprocess past Events after restart. The Persistent Volume is also used to buffer Event data if the remote destination is inaccessible.

Persistence can be customized via the sumologic.events.persistence section:

sumologic:
  events:
    persistence:
      size: 10Gi
      path: /var/lib/storage/events
      accessMode: ReadWrite

Disabling persistence​

Persistence can be disabled by setting sumologic.events.persistence.enabled to false. Keep in mind that doing so will cause either duplication or data loss whenever the collector is restarted. By default, the collector reads Events 1 minute into the past from its start time.

Disabling Kubernetes events collection​

To disable the collection of Kubernetes events, set the sumologic.events.enabled property to false:

sumologic:
  events:
    enabled: false
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.