News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Solutions by industry
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Plans
  • Partners
    Find a Reseller
    Partner Program
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing


Find a Reseller
Partner Program

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk Start free
NXLog search
  • Loading...
Let's Talk Start free
September 6, 2021 containersecurity

Collecting Kubernetes logs with NXLog

By Arielle Bonnici

Share
ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.

Why collect logs from Kubernetes?

A Kubernetes deployment is a highly dynamic environment. Containers can be created, deleted, or rescheduled at any point in time, making the transient nature of containers a challenge to manage in itself. When containers crash or are deleted, the system removes all the data related to that container, including logs that could potentially hold valuable information for troubleshooting.

Kubernetes clusters also consist of multiple components, each creating their own logging in different locations and formats. This logging is extremely important for monitoring and troubleshooting cluster-level problems, however the volume of logging that is generated makes it impossible to manage manually while staying on top of any potential issues.

In view of these challenges, it is clear that you need to have a log collection strategy in place that unifies and aggregates logs to a single repository, be it a SIEM or a log management system.

How does NXLog fit in?

Kubernetes provides a logging framework that captures application logs written to the standard output and standard error streams and writes them to a log file. However, the Kubernetes platform does not have a native, centralized storage solution for aggregating cluster-level logging.

NXLog Enterprise Edition is a versatile and lightweight log collection solution that can ship Kubernetes logs collected from various components to a central location. It provides powerful log filtering and manipulation capabilities that you can use for normalization of log data, improving the quality of logs prior to ingestion, or for reducing log volume.

Additionally, Kubernetes application and system log records do not include data that can be traced back to the originating pod or node, making data enrichment a must if you want to make sense of your logs. NXLog provides the ability to enrich log records with metadata, such as the node name, pod name, and namespace, which will greatly help when analyzing your logs and troubleshooting issues related to specific nodes or pods.

Deploying NXLog in your Kubernetes cluster

There are various ways you can deploy NXLog Enterprise Edition to collect logs from your Kubernetes cluster. It can be installed on a node to collect logs directly from the host, or deployed in an application container to open up further possibilities. NXLog provides a Docker package that can be used to easily build an image and deploy NXLog Enterprise Edition in a container.

We will now look at two different approaches for deploying an NXLog application container to collect logs from your Kubernetes cluster. The two can be combined according to your requirements, to provide an all-encompassing log collection solution.

NXLog as a DaemonSet

Pros: Single log collection pod that processes application and system logs on every node without any need to change application containers

Cons: Logs from applications that do not write to standard output or standard error will not be collected

The most common method for deploying a log collector in Kubernetes is as a DaemonSet, which ensures that the pod runs on each node in your cluster. This method can be used for collecting application logs streamed to standard output and standard error, as well as to collect Kubernetes system and audit logs.

Kubernetes creates log files in /var/logs by default. When NXLog is deployed as a DaemonSet, it can be configured to collect logs from this location, process the log records according to the source, and forward them to a central repository. Deploying NXLog in this manner means that with a single configuration, you ensure that you are collecting the majority of the logs from all your nodes, without any need to modify application containers.

nxlog daemonset
Figure 1. NXLog deployed as a DaemonSet, collecting application, system, and audit logs

Interested in seeing a practical example? See how you can deploy NXLog as a DaemonSet in our Kubernetes integration guide.

NXLog as a sidecar

Pros: Possible to collect logs from applications that don’t write to standard output and standard error, collect logs which are not file-based

Cons: Must be deployed per pod, requires additional resource usage

In the event that you need to collect logs from an application that does not stream its logs to standard output and standard error, you can deploy NXLog Enterprise Edition as a sidecar container. When using this method, the log collection container runs in the same pod as the application. After logs are collected and processed, they can be streamed to standard output, which the Kubernetes engine writes to the container log file.

nxlog sidecar stdout
Figure 2. NXLog as a sidecar, writing application logs to standard output

Alternatively, you can configure NXLog to forward the logs directly to a central repository, removing the need for further processing.

nxlog sidecar direct
Figure 3. NXLog as a sidecar, forwarding application logs directly to a central repository

See a complete example of how to deploy NXLog as a sidecar in our Kubernetes integration guide.

Conclusion

In this post we have highlighted some of the challenges Kubernetes logging poses, and why implementing a log collection solution is important. The preferred method of collecting logs from Kubernetes is through a DaemonSet, however for applications that do not write logs to the standard output, a log collector can be deployed as a sidecar.

NXLog is a versatile log collector with a small footprint that can meet all your Kubernetes logging requirements. While cloud-based services like AWS and Microsoft Azure may offer log collection tools that function well within their own proprietary ecosystems, NXLog Enterprise Edition offers a vendor-agnostic logging solution that integrates with most third-party platforms. With its flexible, modular design you can continue to use NXLog with only minimal configuration changes should you decide to replace your SIEM or log management system later on.

Useful links

  • Kubernetes integration guide

  • Kubernetes Logging Architecture

  • Kubernetes System Logs

  • Kubernetes Auditing

GET STARTED TODAY:
CONTACT US Our experts are happy to help REQUEST A FREE TRIAL Give NXLog Enterprise Edition a try GET PRICING Request a quote
  • kubernetes
  • log collection
  • container
  • kubernetes logs
  • integration
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python
16 minutes | June 5, 2021
File-based logs? Yes, they’re still being used!
3 minutes | August 25, 2021
Top 5 Windows Security logs everyone should collect
4 minutes | July 15, 2021

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.6
April 22, 2025
Announcing NXLog Platform 1.5
February 27, 2025
Announcing NXLog Platform 1.4
December 20, 2024
NXLog redefines log management for the digital age
December 19, 2024
2024 and NXLog - a review
December 19, 2024
Announcing NXLog Platform 1.3
October 25, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
September 24, 2024
Welcome to the future of log management with NXLog Platform
August 28, 2024
Announcing NXLog Enterprise Edition 5.11
June 20, 2024
Raijin announces release of version 2.1
May 31, 2024
Ingesting log data from Debian UFW to Loki and Grafana
May 21, 2024
Announcing NXLog Enterprise Edition 6.3
May 13, 2024
Raijin announces release of version 2.0
March 14, 2024
NXLog Enterprise Edition on Submarines
March 11, 2024
The evolution of event logging: from clay tablets to Taylor Swift
February 6, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
February 2, 2024
Raijin announces release of version 1.5
January 26, 2024
2023 and NXLog - a review
December 22, 2023
Announcing NXLog Enterprise Edition 5.10
December 21, 2023
Raijin announces release of version 1.4
December 12, 2023
Announcing NXLog Enterprise Edition 6.2
December 4, 2023
Announcing NXLog Manager 5.7
November 3, 2023
Announcing NXLog Enterprise Edition 6.1
October 20, 2023
Raijin announces release of version 1.3
October 6, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
September 11, 2023
The cybersecurity challenges of modern aviation systems
September 8, 2023
Raijin announces release of version 1.2
August 11, 2023
The Sarbanes-Oxley (SOX) Act and security observability
August 9, 2023
Log Management and PCI DSS 4.0 compliance
August 2, 2023
Detect threats using NXLog and Sigma
July 27, 2023
HIPAA compliance logging requirements
July 19, 2023
Announcing NXLog Enterprise Edition 5.9
June 20, 2023
Industrial cybersecurity - The facts
June 8, 2023
Raijin announces release of version 1.1
May 30, 2023
CISO starter pack - Security Policy
May 2, 2023
Announcing NXLog Enterprise Edition 5.8
April 24, 2023
CISO starter pack - Log collection fundamentals
April 3, 2023
Raijin announces release of version 1.0
March 9, 2023
Avoid vendor lock-in and declare SIEM independence
February 13, 2023
Announcing NXLog Enterprise Edition 5.7
January 20, 2023
NXLog - 2022 in review
December 22, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
November 23, 2022
The EU's response to cyberwarfare
November 22, 2022
Looking beyond Cybersecurity Awareness Month
November 8, 2022
GDPR compliance and log data
September 23, 2022
NXLog in an industrial control security context
August 10, 2022
Raijin vs Elasticsearch
August 9, 2022
NXLog provides native support for Google Chronicle
May 11, 2022
Aggregating macOS logs for SIEM systems
February 17, 2022
How a centralized log collection tool can help your SIEM solutions
April 1, 2020

Categories

  • SIEM
  • STRATEGY
  • SECURITY
  • ANNOUNCEMENT
  • DEPLOYMENT
  • COMPLIANCE
  • COMPARISON
logo

Subscribe to our newsletter to get the latest updates, news, and products releases. 

© Copyright 2024 NXLog FZE.

Privacy Policy. General Terms of Use

Follow us

  • Product
  • NXLog Platform 
  • Log collection
  • Log management and analysis
  • Log storage
  • Integration
  • Professional Services
  • Plans
  • Resources
  • Documentation
  • Blog
  • White papers
  • Videos
  • Webinars
  • Case studies
  • Community Program
  • Community forum
  • Support
  • Getting started guide
  • Support portals
  • About NXLog
  • About us
  • Careers
  • Find a reseller
  • Partner program
  • Contact us