How to disable logs from k8s_cluster on Stackdriver Logging?

7/3/2019

We have a Google Coud Platform project where we use a cluster to deploy our apps, we have noticed on our billing this month that Stackdriver Logging increased too much so we started to create exclusions.

We excluded logs from resource.type="container" without any problem, but we are not able to do it from resource.type="k8s_cluster"

filter to create our desired exclusion:

resource.type="k8s_cluster"
protoPayload.serviceName="k8s.io"
protoPayload.resourceName="app.k8s.io/v1beta1/namespaces/default/applications/prometheus-1"

A curious thing is that Stackdriver Monitoring doesn't detect any data (0B ingested) from there, neither from our gcp-project (https://console.cloud.google.com/logs/usage?project=xxxx) unless we filter it using the logs viewer, then we can see the logs.

Grafana is able to detect the data with Stackdriver Datasource, you can see it here

-- Kitsuness
google-cloud-platform
google-cloud-stackdriver
kubernetes
logging

1 Answer

7/3/2019

The filter for resource.type="k8s_cluster" contains Audit Logs for System Events that are always enabled, hence, they won't be excluded from Stackdriver Logging unlike resource.type="container" that only has container stdout and stderr logging.

Furthermore, you can determine which logs belong to the Audit Logs stream by adding the '@type' condition to your Stackdriver filter:

resource.type="k8s_cluster"
protoPayload.serviceName="k8s.io"
protoPayload.resourceName="app.k8s.io/v1beta1/namespaces/default/applications/prometheus-1"
protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog"

Finally, Grafana is able to display these log-based metrics since they're exported into it via Datasource instead of going into Stackdriver.

-- yyyyahir
Source: StackOverflow