The Filefollow ingester is a good starting point for this; here is a sample config to get you started.
Note: We're currently working on a more elegant solution for Kubernetes logging that makes better use of the features Kubernetes provides.
Until that ships, you can always send the logs out of the container directly with our filefollow process. Filefollow also handles log rotation intelligently, so the suggested Kubernetes logging architecture, a pod writing to a log file with logrotate enabled, works seamlessly with it.
Assuming logs are in the default Kubernetes location (/var/log/containers), the following filefollow configuration should get you started:
[Global]
Ingest-Secret = IngestSecrets
Connection-Timeout = 0
Insecure-Skip-TLS-Verify = false
Cleartext-Backend-target = 172.20.0.1:4023
State-Store-Location = /opt/gravwell/etc/file_follow.state
Log-Level = ERROR
Max-Files-Watched = 64

[Follower "kubernetes"]
Base-Directory = "/var/log/containers"
File-Filter = "*.log"
Tag-Name = kubernetes
Assume-Local-Timezone = true
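The sample above ships entries to a cleartext target, so its Insecure-Skip-TLS-Verify line has nothing to act on. The following check is an added example, not Gravwell's own code, that audits the [Global] section for this and related settings. Encrypted-Backend-Target is Gravwell's TLS target option and does not appear on the page; the hardened config's address, port and secret are constructed sample values, and the function names are hypothetical.

```python
import re

# Transport-related lines of the page's [Global] section, embedded so the check runs offline.
PAGE_GLOBAL = """\
[Global]
Ingest-Secret = IngestSecrets
Insecure-Skip-TLS-Verify = false
Cleartext-Backend-target=172.20.0.1:4023
"""

# Constructed hardened variant (address, port and secret are made-up sample values).
HARDENED_GLOBAL = """\
[Global]
Ingest-Secret = 5f1c0e-constructed-sample-secret
Insecure-Skip-TLS-Verify = false
Encrypted-Backend-Target=172.20.0.1:4024
"""

def parse(text):
    """Parse INI-style text into {section: [(lowercased key, value), ...]}.
    A list is kept per section because backend target keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def audit(text):
    """Return finding codes for the transport and secret settings in [Global]."""
    entries = parse(text).get("Global", [])
    values = lambda name: [v for k, v in entries if k == name]
    findings = []
    if values("cleartext-backend-target"):
        findings.append("cleartext-target")      # log entries cross the network unencrypted
    skip = [v.lower() for v in values("insecure-skip-tls-verify")]
    if "true" in skip:
        findings.append("tls-verify-disabled")   # indexer certificate is not checked
    elif skip and not values("encrypted-backend-target"):
        findings.append("tls-setting-unused")    # no TLS target, so the setting protects nothing
    if "IngestSecrets" in values("ingest-secret"):
        findings.append("sample-secret")         # the page's sample value was left in place
    return findings

if __name__ == "__main__":
    print(audit(PAGE_GLOBAL), audit(HARDENED_GLOBAL))
```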
Still have some questions? Reach out to support@gravwell.io and we're happy to help!