Live Workshop: Integrate Google SecOps with Bindplane - Join Us on January 29th at 11 AM ET!Sign Up Now
Technical “How-To’s”

Kubernetes Logging Simplified – Pt 2: Kubernetes Events

Joe Howell
Joe Howell
Share:

Overview

In my first post in the Kubernetes Logging Simplified blog series, I touched on some of the ‘need to know’ concepts and architectures to effectively manage your application logs in Kubernetes – providing steps on how to implement a Cluster-level logging solution to debug and analyze your application workloads.

In my second post, I will touch on another signal to keep an eye on Kubernetes events. Kubernetes events are essential objects that can provide visibility into your cluster resources and help correlate with your application and system logs.

What is a Kubernetes Event?

Kubernetes events are JSON objects made accessible via the Kubernetes API that signify a state change of a Kubernetes resource. These changes are reported to the API using their related component. For example, suppose a pod is evicted or created. In that case, a container fails to start, or a node restarts – all these state changes would generate a Kubernetes Event, made accessible via API via kubectl commands.

Unlike container logs, Kubernetes events don’t ultimately get logged to a file somewhere; Kubernetes lacks a built-in mechanism to ship these events to an external backend. As a result, attempting to utilize a typical node-level log agent architecture to grab these events may not work. These events can be captured with a custom application, several OSS tools, or an observIQ Event Collector, which I’ll walkthrough below.

What information does a Kubernetes Event Contain?

In addition to helpful environment metadata, a Kubernetes Event contains the following key bits of information.

  • When the event occurred
  • Severity of the event (info, warning, error)
  • Reason the event occurred (abbreviated description of the event)
  • Kind of Kubernetes resource (node, pod, container)
  • Description of the event
  • Component that reported the event (kubelet, kube-proxy, kube-API, etc.)

Why is a Kubernetes Event Useful for Capturing?

Postmortems

Tracking Kubernetes Events can help you understand what’s happening in your cluster over time, which can be particularly helpful when reviewing during a postmortem. Digging into the ‘when’ and ‘why’ over time can reveal useful trends and a good discussion point when an application or service fails.

Custom Kubernetes Events dashboard in observIQ

Real-Time Environment Awareness

Suppose you’re using a complete Cluster-Level Logging solution likeobservIQ. In that case, KubernetesEvents can be used to create informational or error-level alerts that notify Slack, for example, that provide real-time notifications that can keep your entire time in the loop as the state of your cluster resources changes.

Container Log Correlation

Having visibility into the state of your resources can help provide valuable hints as to what’s happening with your applications. Kubernetes Events gathered by observIQ are automatically enriched with Kubernetes Metadata like namespace, deployment, and pod names – all of which allow you to correlate an application log directly to a resource event with a single filter.

Correlating container logs and Kubernetes events with a resource filter in observIQ

How do I get Kubernetes Events?

By default, events are stored in etcd for a limited time, typically ~60 minutes, and are made accessible by kubectl commands. Though the commands are helpful to learn and employ in certain situations, utilizing a custom application or implementing a complete Cluster-level logging solution that captures, ships, and stores events for long-term analysis is highly recommended.

Accessing Kubernetes Events with Kubectl

Here are a few commands that will allow you to see your events:

kubectl describe pods

Describing a pod will provide you with related Kubernetes event information, if available:

kubectl get events

Provides a list of current Kubernetes events for all resources:

kubectl get events -o json

Same as above, but each Kubernetes Event is presented as the raw JSON object:

Accessing Kubernetes Events with OSS Tools:

Both kube-events and Kubernetes-event-exporter are nifty, highly customizable tools that can capture and forward Kubernetes events to a preferred output or sink (e.g., S3, Kafka, etc.)

Kube Events

https://github.com/kubesphere/kube-events

Kubernetes Event Explorer

https://github.com/opsgenie/kubernetes-event-exporter

Accessing Kubernetes Events with observIQ

With observIQ, you can easily enable Kubernetes Event collection by deploying the observIQ log agent as an Event Collector. Just select the option on your Kubernetes Template.

See the steps below:

Deploying the observIQ Agent as a Kubernetes Event Collector

In my first post in the series, I explored how to create a Kubernetes Template and enable container log collection. With observIQ, you can easily enable or disable logging options from your template, even after you’ve deployed agents to your cluster. In this example, we’ll allow event collection in our existing template, re-apply the observ-agent.yaml, and add an observIQ Event Collector to our existing deployment. This will leave us with 1) an observIQ agent daemonset that will gather the application’s logs and 2) a single Event Collector deployment that will gather the Kubernetes Events, running side by side.

Update your Kubernetes Template in observIQ

You can just navigate to the Fleet > Templates page and choose your previously created Kubernetes template. Select the ‘Enable Cluster Events’ option, then click ‘Update’.

Enabling Kubernetes Events in observIQ Kubernetes Template

Next, click ‘Add Agents’.

On the Install Kubernetes Agents page, download and copy the newly-generated observiq-agent.yaml to your cluster, and apply by running kubectl apply -f observiq-agent.yaml command. After 15-30 seconds, you’ll see the new Event Collector in the discovery panel below.

observIQ daemonset agents + event collector

View your Kubernetes Events in observIQ

After a few minutes, you’ll see Kubernetes Events on the observIQ Explore page. The messages will be typed as k8s.events.

Opening up one of the k8s.events, you can see parsed JSON objects and valuable labels and metadata that have been automatically added to the event to help correlate to a specific application.

Kubernetes event in with Kubernetes Labels and Metadata

Wrapping up

Gathering your Kubernetes events is essential if you want a complete understanding of what’s going on in your cluster. Kubernetes Events are easily accessible with kubectl commands but are short-lived. Container logs and Kubernetes events can be correlated together – but it can be challenging without the right tool.

For a complete log management solution that will capture your Kubernetes Events, Container logs, and more, sign up here.

Joe Howell
Joe Howell
Share:

Related posts

All posts

Get our latest content
in your inbox every week

By subscribing to our Newsletter, you agreed to our Privacy Notice

Community Engagement

Join the Community

Become a part of our thriving community, where you can connect with like-minded individuals, collaborate on projects, and grow together.

Ready to Get Started

Deploy in under 20 minutes with our one line installation script and start configuring your pipelines.

Try it now