Calico Cloud documentation

Filter DNS logs

Calico Cloud supports filtering out DNS logs based on user-provided configuration. Use filtering to suppress logs of low significance.

Configure DNS filtering

DNS log filtering is configured through a ConfigMap in the tigera-operator namespace.

To enable DNS log filtering, follow these steps:

  1. Create a filters directory containing a file named dns that holds your desired filter, written as described in Filter configuration files. If you are also adding flow filters, add the flow file to the same directory.
  2. Create the fluent-bit-filters ConfigMap in the tigera-operator namespace with the following command.
    kubectl create configmap fluent-bit-filters -n tigera-operator --from-file=filters

The operator inserts the filters inline into the log collector configuration and rolls the calico-fluent-bit daemonset automatically.

Filter configuration files

Each file holds a YAML list of Fluent Bit filter entries. The upstream Fluent Bit documentation describes how to write the grep filter used in the examples below; the calico-fluent-bit log collector also ships the record_modifier, parser, and lua filters. Filters in the dns file are applied to DNS logs automatically; you do not need to set a match on each entry. Refer to the DNS log schema for the specification of the fields you can filter on.

:::note Upgrading from a release that used Fluentd

Earlier releases collected logs with Fluentd and read filters in Fluentd <filter> syntax from a ConfigMap named fluentd-filters. That ConfigMap is no longer read, and Fluentd filter syntax cannot be translated automatically. Recreate your filters as Fluent Bit YAML filter lists under the new fluent-bit-filters name. If a filter key does not parse as Fluent Bit YAML, the operator skips that filter, reports a warning on the tigera status output naming the offending key, and continues to ship unfiltered logs.

:::

Example 1: filter out cluster-internal lookups

This example filters out lookups for domain names ending with ".cluster.local". More logs could be filtered by adjusting the regular expression, or by adding additional exclude rules.

- name: grep
  exclude: qname \.cluster\.local$

Example 2: keep logs only for particular domain names

This example filters out all logs except those for domain names ending with .co.uk.

- name: grep
  regex: qname \.co\.uk$
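
To preview which DNS log records a filter would suppress before you create the ConfigMap, the following added example (not part of the Calico Cloud documentation or Fluent Bit itself) models the grep entries from Examples 1 and 2 in Python over constructed records. It assumes Python's re module behaves like Fluent Bit's regex engine for these simple patterns, and that a record missing the key fails a regex rule and passes an exclude rule; the function names and sample qname values are illustrative.

```python
import re

# Examples 1 and 2 from the page, written as already-parsed YAML entries
# so the sketch needs no YAML library.
EXCLUDE_INTERNAL = [{"name": "grep", "exclude": r"qname \.cluster\.local$"}]
KEEP_CO_UK = [{"name": "grep", "regex": r"qname \.co\.uk$"}]

# Constructed sample DNS log records; only the qname field is modelled.
SAMPLE_LOGS = [
    {"qname": "kube-dns.kube-system.svc.cluster.local"},
    {"qname": "svc.cluster.local.example.com"},  # lookalike, not cluster-internal
    {"qname": "www.example.co.uk"},
    {"qname": "updates.example.org"},
]

def keeps(entry, record):
    """Return True if one grep entry lets the record through."""
    for rule in ("exclude", "regex"):
        if rule not in entry:
            continue
        key, pattern = entry[rule].split(None, 1)  # value is "<key> <regex>"
        value = record.get(key)
        # Assumption: a missing key counts as "no match" for both rule types.
        matched = value is not None and re.search(pattern, str(value)) is not None
        # exclude drops on a match; regex drops on a non-match.
        if matched == (rule == "exclude"):
            return False
    return True

def apply_filters(entries, records):
    """Run records through the entries in order, as a chained filter list."""
    kept = list(records)
    for entry in entries:
        if entry.get("name") != "grep":
            raise ValueError(f"only grep is modelled, got {entry.get('name')!r}")
        kept = [r for r in kept if keeps(entry, r)]
    return kept

def report(entries, records):
    """Return (kept, dropped) qname lists so the suppressed set can be reviewed."""
    kept = [r["qname"] for r in apply_filters(entries, records)]
    dropped = [r["qname"] for r in records if r["qname"] not in kept]
    return kept, dropped

if __name__ == "__main__":
    for entries in (EXCLUDE_INTERNAL, KEEP_CO_UK):
        print(entries, report(entries, SAMPLE_LOGS))
```

With the anchored pattern from Example 1, the lookalike name that merely contains ".cluster.local" is still logged, while the keep-only filter from Example 2 drops every record outside .co.uk, so review the dropped list against what your detections rely on.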