Fluent Bit Essentials: A Guide to Setup and Configuration

Introduction to Fluent Bit

Fluent Bit is a specialized event capture and distribution tool that handles log events, metrics, and traces. It is a lightweight and efficient data collector and processor, making it ideal for environments where resource consumption is a critical consideration.

Fluent Bit is crucial in modern logging and monitoring architectures, particularly within cloud-native environments. It acts as an intermediary between log sources and log storage or analysis systems. Fluent Bit collects logs from various sources, processes and filters them as needed, and then forwards them to destinations such as Elasticsearch, Kafka, or cloud storage services.

Key features of Fluent Bit include

  • Lightweight and High Performance: Fluent Bit is designed to be resource-efficient, with a small memory footprint and low CPU usage, making it suitable for edge computing and IoT devices.
  • Flexible Configuration: It offers a flexible configuration system that allows users to define inputs, filters, and outputs to tailor log processing to specific needs.
  • Extensive Plugin Ecosystem: Fluent Bit supports a wide range of plugins for input, filtering, and output, enabling integration with various systems and formats.
  • Scalability: Fluent Bit can be deployed in large-scale environments, from single-node setups to distributed systems and Kubernetes clusters.

Setting Up Fluent Bit

To install Fluent Bit on a Linux machine, you need to run the following command. This command automatically configures the YUM repository and installs Fluent Bit:

[root@fluentbit ~]# curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3917  100  3917    0     0   7446      0 --:--:-- --:--:-- --:--:--  7446
 Fluent Bit Installation Script
This script requires superuser access to install packages.
You will be prompted for your password by sudo.
name = Fluent Bit
# Legacy server style
baseurl = https://packages.fluentbit.io/centos/$releasever/
Fluent Bit                                                                                                              440  B/s | 866  B     00:01
Rocky Linux 9 - BaseOS                                                                                                  4.1 kB/s | 4.1 kB     00:00
Rocky Linux 9 - AppStream                                                                                               4.7 kB/s | 4.5 kB     00:00
Rocky Linux 9 - Extras                                                                                                  3.6 kB/s | 2.9 kB     00:00
Package fluent-bit-3.0.5-1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.

Installation completed. Happy Logging!
[root@fluentbit ~]#

Once Fluent Bit is installed, you can verify the installation with the following command:

[root@fluentbit ~]# fluent-bit --version
Fluent Bit v3.0.5
Git commit:
[root@fluentbit ~]#

Configuring Fluent Bit

Fluent Bit’s configuration is composed of three main sections: Inputs, Filters, and Outputs. Each section serves a different purpose in the log processing pipeline, allowing you to collect, process, and forward logs efficiently.

Configuration Structure

  1. Inputs: Define where Fluent Bit collects logs from. Common input plugins include tail for reading log files and systemd for reading systemd journal logs.
  2. Filters: Allow you to modify, enrich, or exclude log records before they are sent to the output.
  3. Outputs: Specify where the processed logs should be sent, such as Elasticsearch, Kafka, or cloud storage services.

Examples of Basic Input Plugins and Their Configurations

1. Tail Input Plugin

The tail input plugin reads log files and is commonly used to collect logs from applications or system logs. Below is an example configuration:

    Name        tail
    Path        /var/log/syslog
    Tag         syslog
    Refresh_Interval 5
    Rotate_Wait 30
    DB          /var/log/flb_kv.db
    Mem_Buf_Limit 5MB
  • Name: Specifies the input plugin name (tail in this case).
  • Path: The path to the log file(s) to be read.
  • Tag: A tag to identify the logs collected by this input.
  • Refresh_Interval: How often (in seconds) Fluent Bit checks for new data.
  • Rotate_Wait: Time to wait (in seconds) to read new files after rotation.
  • DB: Path to a database file to track file offsets.
  • Mem_Buf_Limit: Maximum buffer size before data is flushed to output.

2. Systemd Input Plugin

The systemd input plugin reads logs from the systemd journal. This is useful for collecting system logs on systems that use systemd. Here’s an example configuration:

    Name        systemd
    Tag         systemd
    Systemd_Filter  _SYSTEMD_UNIT=nginx.service
    Read_From_Tail  true
  • Name: Specifies the input plugin name (systemd in this case).
  • Tag: A tag to identify the logs collected by this input.
  • Systemd_Filter: Filters logs by systemd unit (e.g., nginx.service).
  • Read_From_Tail: Starts reading from the end of the journal.

Filtering Logs

Filters are a critical component of Fluent Bit’s log processing pipeline. They allow you to modify and exclude log records based on specific criteria before forwarding them to the desired output. Filters help ensure that only relevant and properly formatted logs reach their destination, which can improve performance, reduce storage costs, and facilitate more efficient log analysis.

Importance of Filters

  1. Data Enrichment: Filters can add additional information to log records, such as metadata or tags, to provide more context.
  2. Data Reduction: By excluding unnecessary logs, filters can help reduce the volume of data sent to storage or analysis systems, saving bandwidth and storage space.
  3. Data Transformation: Filters can modify log records to ensure they meet the format requirements of the destination system, improving compatibility and readability.
  4. Selective Processing: Filters allow you to process only specific types of log records, which can be crucial in complex environments where different logs require different handling.

Basic Examples of Using Filters

1. Parser Filter

The parser filter is used to parse and restructure log records. For instance, you can use it to parse JSON logs or to apply a custom parser to a log field.

Example configuration:

    Name       parser
    Match      *
    Key_Name   log
    Parser     json
  • Name: Specifies the filter plugin name (parser).
  • Match: Defines which logs this filter should apply to (using a tag or wildcard).
  • Key_Name: The key of the log record to apply the parser to.
  • Parser: The name of the parser to use (e.g., json).

2. Grep Filter

The grep filter includes or excludes log records based on matching criteria. This is useful for filtering logs that contain specific keywords or patterns.

Example configuration to include only logs containing the keyword “ERROR”:

    Name       grep
    Match      *
    Regex      log ERROR
  • Name: Specifies the filter plugin name (grep).
  • Match: Defines which logs this filter should apply to (using a tag or wildcard).
  • Regex: The regular expression to match log records that should be included.

Example configuration to exclude logs containing the keyword “DEBUG”:

    Name       grep
    Match      *
    Exclude    log DEBUG

Exclude: The regular expression to match log records that should be excluded.

Sending Logs to a Destination

Fluent Bit uses output plugins to send processed log data to various destinations, such as log storage systems, databases, or analysis tools. Configuring these output plugins ensures that your logs are forwarded to the appropriate location where they can be stored, visualized, or further analyzed.

Configuring Output Plugins

Fluent Bit offers multiple output plugins for various destinations such as Elasticsearch, S3, and Kafka. Each of these plugins requires unique configurations to connect and communicate with the target system.

Example Configuration for Sending Logs to Elasticsearch

Elasticsearch is a popular destination for storing and analyzing log data due to its powerful search and analytics capabilities. Below is an example configuration for sending logs to Elasticsearch:

    Name        tail
    Path        /var/log/syslog
    Tag         syslog
    Refresh_Interval 5

    Name        parser
    Match       syslog
    Key_Name    log
    Parser      json

    Name        grep
    Match       syslog
    Regex       log ERROR

    Name        record_modifier
    Match       syslog
    Record      hostname ${HOSTNAME}

    Name        es
    Match       syslog
    Host        elasticsearch.local
    Port        9200
    Index       fluentbit
    Type        _doc
    HTTP_User   fluent_user
    HTTP_Passwd fluent_password
    tls         On
    tls.verify  Off
  • Name: Specifies the output plugin name (es for Elasticsearch).
  • Match: Defines which logs should be sent to this output (using a tag or wildcard).
  • Host: The hostname or IP address of the Elasticsearch server.
  • Port: The port on which Elasticsearch is listening (default is 9200).
  • Index: The Elasticsearch index where logs should be stored.
  • Type: The document type (deprecated in newer Elasticsearch versions but still required in some setups).
  • HTTP_User: Username for HTTP basic authentication (if required).
  • HTTP_Passwd: Password for HTTP basic authentication (if required).
  • tls: Enables TLS for secure communication.
  • tls.verify: Disables TLS verification (useful for testing but not recommended for production).

Setting up Fluent Bit involves configuring input plugins to collect logs, filters to process and enrich them, and output plugins to forward the logs to desired destinations. This modular approach allows you to build a highly efficient and customizable logging pipeline.

By following these guidelines, you can effectively use Fluent Bit to manage your logging needs, ensuring that your logs are collected, processed, and stored efficiently. Whether you are working with simple log files or complex distributed systems, Fluent Bit provides the flexibility and performance required for modern logging solutions. Stay tuned for more advanced configurations and use cases in our next blog post.

Feel free to reach out with any questions or share your experiences with Fluent Bit in the comments below. Happy logging!

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top