Can fluent-bit parse multiple types of log lines from one file?


I have a fairly simple Apache deployment in k8s using fluent-bit v1.5 as the log forwarder. My setup is nearly identical to the one in the repo below. I'm running AWS EKS and outputting the logs to AWS ElasticSearch Service.

https://github.com/fluent/fluent-bit-kubernetes-logging

The ConfigMap is here: https://github.com/fluent/fluent-bit-kubernetes-logging/blob/master/output/elasticsearch/fluent-bit-configmap.yaml

The Apache access (-> /dev/stdout) and error (-> /dev/stderr) log lines are both in the same container logfile on the node. The problem I'm having is that fluent-bit doesn't seem to autodetect which Parser to use (I'm not sure if it's supposed to), and we can only specify one parser in the deployment's annotation section; I've specified apache. So in the end, the error log lines, which are written to the same file but come from stderr, are not parsed. Should I be sending the logs from fluent-bit to fluentd to handle the error files, assuming fluentd can handle this, or should I somehow pump only the error lines back into fluent-bit for parsing?

Am I missing something?

Thanks!


Solution

  • I was able to apply a second (and third) parser to the logs by using the FluentBit FILTER with the 'parser' plugin (Name), like below.

    Documented here: https://docs.fluentbit.io/manual/pipeline/filters/parser

    [FILTER]
        Name            parser
        Match           kube.*
        Parser          apache_error_custom
        Parser          apache_error
        Preserve_Key    On
        Reserve_Data    On
        Key_Name        log
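
An added example, not part of the original answer or of fluent-bit itself: a small Python model of the filter configured above, useful for checking offline which parser claims a given line before deploying. The regexes and sample records are constructed, and the first-match-wins ordering and pass-through of unmatched records are assumptions about the filter's behaviour.

```python
import re

# Constructed stand-ins for fluent-bit parser definitions (assumptions, not
# the regexes shipped in parsers.conf). Python spells named groups (?P<name>...).
PARSERS = {
    # Hypothetical custom parser for Apache 2.4 "[module:level]" error lines.
    "apache_error_custom": re.compile(
        r"^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
        r"\[pid (?P<pid>\d+)\](?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$"),
    # Simplified older-style error line: "[time] [level] message".
    "apache_error": re.compile(
        r"^\[(?P<time>[^\]]+)\] \[(?P<level>[^\]:]+)\] (?P<message>.*)$"),
}


def parser_filter(record, parsers, key_name="log",
                  preserve_key=True, reserve_data=True):
    """Model of the filter: try each parser in order, first match wins."""
    raw = record.get(key_name)
    if raw is None:
        return record, None
    for name in parsers:
        m = PARSERS[name].match(raw.rstrip("\n"))
        if m is None:
            continue
        # Reserve_Data On keeps the other original fields (stream, ...).
        out = {k: v for k, v in record.items() if k != key_name} if reserve_data else {}
        out.update({k: v for k, v in m.groupdict().items() if v is not None})
        # Preserve_Key On keeps the raw line next to the parsed fields.
        if preserve_key:
            out[key_name] = raw
        return out, name
    return record, None  # no parser matched: record passes through unchanged


# Constructed sample records, shaped like container log entries.
SAMPLES = [
    {"stream": "stderr", "log": "[Tue Sep 01 10:15:42.123456 2020] [core:error] "
     "[pid 12] [client 10.0.0.5:51234] AH00126: Invalid URI in request\n"},
    {"stream": "stderr", "log": "[Tue Sep 01 10:15:43 2020] [notice] caught SIGTERM\n"},
    {"stream": "stdout", "log": '10.0.0.5 - - [01/Sep/2020:10:15:42 +0000] '
     '"GET / HTTP/1.1" 200 45\n'},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        parsed, used = parser_filter(rec, ["apache_error_custom", "apache_error"])
        print(used, parsed)
```

Records that report no parser (the access line here) are the ones that would reach Elasticsearch with only the raw `log` field, so they are worth counting when validating a new parser chain.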