Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!

Starting with MOSK 25.2, the MOSK documentation set will cover all product layers, including MOSK management (formerly MCC). This means everything you need will be in one place. The separate MCC documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.

StackLight logging indices¶

Available since MCC 2.26.0 (17.1.0 and 16.1.0)

StackLight logging indices are managed by OpenSearch data streams, which are introduced in OpenSearch 2.6. It is a convenient way to manage insert-only pipelines such as log message collection. The solution consists of the following elements:

Data stream objects that can be referred to as alias:
- Audit - dedicated for Container Cloud, MKE, and host audit logs, ensuring data integrity and security.
- System - replaces Logstash for system logs, provides a streamlined approach to log management.
Write index - current index where ingestion can be performed without removing a data stream.
Read indices - indices created after the rollover mechanism is applied.
Rollover policy - creating new write index for data stream based on the size of shards

Example of an initial index list:

health status index               uuid                    pri rep docs.count docs.deleted store.size pri.store.size
green  open   .ds-audit-000001    30q4HLGmR0KmpRR8Kvy5jw    1   1    2961719            0    496.3mb          248mb
green  open   .ds-system-000001   5_eFtMAFQa6aFB7nttHjkA    1   1       2476            0      6.1mb            3mb

Example of the index after the rollover is applied to the audit index:

health status index               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .ds-audit-000001    30q4HLGmR0KmpRR8Kvy5jw   1   1    9819913            0      1.5gb        784.8mb
green  open   .ds-audit-000002    U1fbs0i9TJmOsAOoR7cERg   1   1    2961719            0    496.3mb          248mb
green  open   .ds-system-000001   5_eFtMAFQa6aFB7nttHjkA   1   1       2476            0      6.1mb            3mb

Audit and system index templates¶

The following table contains a simplified template of the audit and system indices. The user can perform aggregation queries over keyword fields.

Audit and system template¶
Field	Type	Description
`@timestamp`	date	Time when a log event was produced, if available in the parsed message. Otherwise time when the event was ingested.
`container.id`	keyword	Identifier of the Docker container that the application generating the event was running in.
`container.image`	text	Name of the Docker image defined as `<registry>/<repo>:<tag>`.
`container.name`	keyword	Name of the Docker container that the application generating the event was running in.
`event.source`	keyword	Source of the event: `"file"`, `"journal"`, or `"container"`.
`event.provider`	keyword	Name of the application that produced the message.
`host.hostname`	keyword	Name of the host that the message was collected from.
`log.file.path`	keyword	Path on the host to the source file for the message if the message was not produced by the application running in the container or system unit.
`log.level`	keyword	Severity level of the event taken from the parsed message content.
`message`	text	Unparsed content of the event message.
`orchestrator.labels`	flat_object	Kubernetes metadata labels of the pod that runs the Docker container of the application.
`orchestrator.namespace`	keyword	Kubernetes namespace where the application pod was running.
`orchestrator.pod`	keyword	Kubernetes pod name of the pod running the application Docker container.
`orchestrator.type`	keyword	Type of orchestrator: `"mke"` or `"kubernetes"`. Empty for host file logs and journal logs.

The following table contains a simplified template of extra fields for the system index that are not present in the audit template.

System template - extra fields¶
Field	Type	Description
`http.destination.address`	keyword	IP address of the HTTP request destination.
`http.destination.domain`	keyword	Name of the OpenStack service that the HTTP request was sent to.
`http.request.duration`	long	Request duration in nanoseconds.
`http.request.id`	keyword	Request ID generated by OpenStack.
`http.request.method`	keyword	HTTP request method.
`http.request.path`	keyword	Path of the HTTP URL request.
`http.response.status_code`	long	HTTP status code of the response.
`http.source.address`	keyword	IP address of the HTTP request source.

System index mapping to the Logstash index¶

The following table lists mapping of the system index fields to the Logstash ones:

System index fields mapped to Logstash index fields¶
System	Logstash ^{Removed in MCC 2.26.0 (17.1.0 and 16.1.0)}
`@timestamp`	`@timestamp`
`container.id`	`docker.container_id`
`container.image`	`kubernetes.container_image`
`container.name`	`kubernetes.container_name`
`event.source`	n/a
`event.provider`	`logger`
`host.hostname`	`hostname`
`http.destination.address`	`parsed.upstream_addr`
`http.destination.domain`	`parsed.upstream_name`
`http.request.duration`	`parsed.duration`
`http.request.id`	`parsed.req_id`
`http.request.method`	`parsed.method`
`http.request.path`	`parsed.path`
`http.response.status_code`	`parsed.code`
`http.source.address`	`parsed.host`
`log.file.path`	n/a
`log.level`	`severity_label`
`message`	`message`
`orchestrator.labels`	`kubernetes.labels`
`orchestrator.namespace`	`kubernetes.namespace_name`
`orchestrator.pod`	`kubernetes.pod_name`
`orchestrator.type`	n/a