
We've seen our Log Analytics costs spike and found that the ContainerLog table had grown drastically. This appears to be all stdout/stderr logs from the containers.

Is it possible to restrict logging to this table, at least for some deployments or containers, without disabling Log Analytics on the cluster? We still want performance logging and insights.

Dave New

2 Answers


AFAIK, the stdout and stderr logs under the ContainerLog table are basically the logs we see when we manually run the command "kubectl logs ", so it would be possible to restrict logging to the ContainerLog table without disabling Log Analytics on the cluster by having a deployment file something like the one shown below, which writes logs to a logfile within the container.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: xxxxxxx
spec:
  selector:
    matchLabels:
      app: xxxxxxx
  template:
    metadata:
      labels:
        app: xxxxxxx
    spec:
      containers:
      - name: xxxxxxx
        image: xxxxxxx/xxxxxxx:latest
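        # Send stdout and stderr to a file inside the container.
        # "> file 2>&1" is used because "&>" is a bash extension; plain sh may
        # treat it as "run in background, then truncate the file".
        command: ["sh", "-c",  "./xxxxxxx.sh > /logfile 2>&1"]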

However, the best practice would be to send log messages to stdout for applications running in a container, so the above process is not a preferable way.

So you may create an alert when data collection is higher than expected, as explained in this article, and/or occasionally delete unwanted data, as explained in this article, by leveraging the purge REST API (but make sure you are purging only unwanted data, because deletes in Log Analytics are non-reversible!).

Hope this helps!!

KrishnaG

Recently faced a similar problem in one of our Azure clusters. Due to some incessant logging in the code, the container logs went berserk. It is possible to restrict logging per namespace at the level of STDOUT or STDERR.

You have to configure this by deploying a config map in the kube-system namespace, upon which logging ingestion to the Log Analytics workspace can be disabled/restricted per namespace. The omsagent pods in the kube-system namespace will absorb these new configs in a few minutes.

Download the file below and apply it on your Azure Kubernetes cluster:

container-azm-ms-agentconfig.yaml

The file contains the flags to enable/disable logging, and namespaces can be excluded in the rule.

# kubectl apply -f <path to container-azm-ms-agentconfig.yaml>

This only prevents the log collection in the Log Analytics workspace, but not the log generation in the individual containers.

Details on each config flag in the file are available here.

Sumukh
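A trimmed version of the config map described in the answer above, as an added example that is not part of the original answer. The key names follow Microsoft's published container-azm-ms-agentconfig.yaml template; the namespace names `noisy-app` and `batch-jobs` are hypothetical placeholders.

```yaml
# Added example: per-namespace stdout/stderr collection settings for the
# Container insights agent. Namespaces "noisy-app" and "batch-jobs" are
# hypothetical; replace them with the namespaces you want to exclude.
kind: ConfigMap
apiVersion: v1
metadata:
  # The agent only reads a config map with this exact name and namespace.
  name: container-azm-ms-agentconfig
  namespace: kube-system
data:
  schema-version: v1
  config-version: ver1
  log-data-collection-settings: |-
    [log_collection_settings]
       [log_collection_settings.stdout]
          # Keep stdout collection on for the cluster, but skip the
          # listed namespaces so their output never reaches ContainerLog.
          enabled = true
          exclude_namespaces = ["kube-system", "noisy-app", "batch-jobs"]

       [log_collection_settings.stderr]
          # stderr is configured independently of stdout. Here only
          # "noisy-app" is excluded, so errors from "batch-jobs" are
          # still collected.
          enabled = true
          exclude_namespaces = ["kube-system", "noisy-app"]

       [log_collection_settings.env_var]
          # Collection of container environment variables; set to false
          # if containers carry secrets in their environment.
          enabled = true
```

Performance metrics and insights are unaffected by these settings, but stdout/stderr from an excluded namespace is no longer available in the workspace for alerting or incident investigation, so exclude only workloads whose logs you can afford to lose or that you ship elsewhere.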