Stackdriver Logs – Why No sshd Logs on Stackdriver?

google-cloud-platformgoogle-stackdriverssh

On a GCP Compute Engine instance, OS is Ubuntu 18.04, Stackdriver logging agent is installed.

Any idea why Stackdriver doesn't ingest auth.log by default? What would be the best way to do it?

Best Answer

Ended up simply adding an additional entry in /etc/google-fluentd/config.d/syslog.conf

<source>
  @type tail

  # Parse the timestamp, but still collect the entire line as 'message'
  format /^(?<message>(?<time>[^ ]*\s*[^ ]* [^ ]*) .*)$/

  path /var/log/auth.log
  pos_file /var/lib/google-fluentd/pos/auth.log.pos
  read_from_head true
  tag auth
</source>

Related Solutions

Ubuntu – How to install Stackdriver’s monitoring agent on Ubuntu 18.04LTS

The Stackdriver Monitoring agent currently does not support Ubuntu 18.04 LTS. Operating systems

There is no information at present as per when this version will be supported but there's seems to be currently a feature request to have this version added. Unfortunately, there's no ETA. as to when Stackdriver will support Ubuntu 18.04 LTS. You can follow any updates on the progress of this feature request on the Google official issue tracker page

Logging – How to Extract Raw Plain Text Logs from Stackdriver

Sorry to answer my own question, but I spent a lot of time researching this and hopefully by posting it here I can save others the hassle.

The only way to achieve what I need seems to be use google cloud sdk from the command line and dump the result into a local text file, like so:

$ gcloud logging read 'resource.type=container resource.labels.cluster_name=your_cluster logName=the_specific_deployment_you_want_logs_from timestamp>="2015-05-01T00:00:00Z" (whatever text search filters are needed)' --limit 1000000000000 --order asc --format "value(textPayload)" > total.log

Best Answer

Related Solutions

Ubuntu – How to install Stackdriver’s monitoring agent on Ubuntu 18.04LTS

Logging – How to Extract Raw Plain Text Logs from Stackdriver

Related Topic