Filter DNS logs
Calico Cloud supports filtering out DNS logs based on user-provided configuration. Use filtering to suppress logs of low significance.
Configure DNS filtering
DNS log filtering is configured through a ConfigMap in the tigera-operator
namespace.
To enable DNS log filtering, follow these steps:
- Create a filters directory containing a file named dns that holds your desired filters, written as described in Filter configuration files. If you are also adding flow filters, add the flow file to the same directory.
- Create the fluent-bit-filters ConfigMap in the tigera-operator namespace with the following command.
  kubectl create configmap fluent-bit-filters -n tigera-operator --from-file=filters
The operator inserts the filters inline into the log collector configuration and rolls the
calico-fluent-bit daemonset automatically.
Filter configuration files
Each file holds a YAML list of Fluent Bit filter entries. The
upstream Fluent Bit documentation
describes how to write the grep filter used in the examples below; the
calico-fluent-bit log collector also ships the record_modifier, parser, and
lua filters. Filters in the dns file are applied to DNS logs automatically;
you do not need to set a match on each entry. Refer to the DNS log schema
for the specification of the fields you can filter on.
:::note Upgrading from a release that used Fluentd
Earlier releases collected logs with Fluentd and read filters in Fluentd <filter>
syntax from a ConfigMap named fluentd-filters. That ConfigMap is no longer read,
and Fluentd filter syntax cannot be translated automatically. Recreate your filters
as Fluent Bit YAML filter lists under the new fluent-bit-filters name. If a filter
key does not parse as Fluent Bit YAML, the operator skips that filter, reports a
warning on the tigera status output naming the offending key, and continues to
ship unfiltered logs.
:::
Example 1: filter out cluster-internal lookups
This example filters out lookups for domain names ending with ".cluster.local". More
logs could be filtered by adjusting the regular expression, or by adding
additional exclude rules.
- name: grep
  exclude: qname \.cluster\.local$
Example 2: keep logs only for particular domain names
This example filters out all logs except those for domain names ending with ".co.uk".
- name: grep
  regex: qname \.co\.uk$