0
0
Kubernetesdevops~15 mins

Centralized logging (EFK stack) in Kubernetes - Deep Dive

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Overview - Centralized logging (EFK stack)
What is it?
Centralized logging with the EFK stack means collecting all logs from many computers or containers into one place. EFK stands for Elasticsearch, Fluentd, and Kibana. Elasticsearch stores and searches logs, Fluentd gathers and sends logs, and Kibana shows logs in a friendly way. This helps teams see and understand what is happening across their whole system easily.
Why it matters
Without centralized logging, logs are scattered across many machines or containers, making it hard to find problems or understand system behavior. This wastes time and can delay fixing issues. Centralized logging with EFK lets teams quickly search and analyze logs from everywhere, improving reliability and speed of troubleshooting. It also helps with security and compliance by keeping logs safe and organized.
Where it fits
Before learning EFK, you should understand basic Kubernetes concepts like pods and containers, and know what logs are. After mastering EFK, you can explore advanced monitoring tools, alerting systems, and log analysis techniques to improve system health and performance.
Mental Model
Core Idea
Centralized logging with EFK collects logs from many sources, stores them efficiently, and presents them visually to make troubleshooting simple and fast.
Think of it like...
Imagine a big office building where every room has a notebook logging what happens inside. Instead of checking each room's notebook, a helper collects all notes into one big book in the lobby, organizes them, and shows summaries on a screen for everyone to see.
┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  Kubernetes │     │   Fluentd   │     │ Elasticsearch│
│  Containers │───▶ │ (Log Agent) │───▶ │ (Log Store) │
└─────────────┘     └─────────────┘     └─────────────┘
                                         │
                                         ▼
                                  ┌─────────────┐
                                  │   Kibana    │
                                  │ (Log Viewer)│
                                  └─────────────┘
Build-Up - 7 Steps
1
FoundationWhat is logging and why it matters
🤔
Concept: Introduce the idea of logs as records of events in software systems.
Logs are like diaries for computers and applications. They record what happened, when, and sometimes why. For example, a web server logs every request it gets. These logs help us understand if things are working or if there are problems.
Result
You understand that logs are essential for knowing what your system is doing and for finding problems.
Knowing that logs are the system’s memory helps you see why collecting and reading them is crucial for managing software.
2
FoundationChallenges of scattered logs in Kubernetes
🤔
Concept: Explain why logs spread across many containers and nodes are hard to manage.
In Kubernetes, many containers run on many machines. Each container creates its own logs. If you want to find a problem, you must look in many places. This is slow and confusing, especially when containers restart or move.
Result
You realize that scattered logs make troubleshooting complex and slow.
Understanding this challenge sets the stage for why centralized logging is needed.
3
IntermediateRole of Fluentd as log collector
🤔Before reading on: do you think Fluentd stores logs or just moves them? Commit to your answer.
Concept: Fluentd collects logs from containers and sends them to storage but does not store them long-term.
Fluentd runs on each Kubernetes node. It watches container logs and forwards them to Elasticsearch. Fluentd can also filter or modify logs before sending. It acts like a mail carrier, picking up letters (logs) and delivering them to the post office (Elasticsearch).
Result
Logs from all containers start flowing into one place, ready for storage and search.
Knowing Fluentd’s role as a flexible log forwarder helps you understand how logs move reliably in the system.
4
IntermediateElasticsearch stores and indexes logs
🤔Before reading on: do you think Elasticsearch stores logs as plain text or indexes them for search? Commit to your answer.
Concept: Elasticsearch stores logs and creates indexes to make searching fast and efficient.
Elasticsearch is a database designed for searching large amounts of text quickly. It stores logs sent by Fluentd and builds indexes so you can find logs by time, error type, or any detail. This makes searching through millions of logs fast.
Result
Logs are stored safely and can be searched instantly by many criteria.
Understanding Elasticsearch’s indexing explains why searching logs is fast even at huge scale.
5
IntermediateKibana visualizes and explores logs
🤔
Concept: Kibana provides a user-friendly interface to view and analyze logs stored in Elasticsearch.
Kibana connects to Elasticsearch and shows logs in charts, tables, and dashboards. You can filter logs by time or keywords, create alerts, and spot trends. It turns raw logs into clear pictures that help teams understand system health.
Result
Users can easily explore logs visually without writing complex queries.
Knowing Kibana’s role helps you see how logs become actionable insights for teams.
6
AdvancedDeploying EFK stack on Kubernetes
🤔Before reading on: do you think EFK components run inside or outside Kubernetes? Commit to your answer.
Concept: EFK components run as pods inside Kubernetes, integrated with the cluster.
You deploy Fluentd as a DaemonSet so it runs on every node, collecting logs locally. Elasticsearch runs as a StatefulSet with persistent storage to keep logs safe. Kibana runs as a Deployment to provide the web interface. Together, they form a logging system inside Kubernetes.
Result
A working EFK stack collects, stores, and shows logs from all cluster containers.
Understanding deployment patterns ensures you can set up and scale EFK reliably in real clusters.
7
ExpertHandling log volume and retention in EFK
🤔Before reading on: do you think storing all logs forever is practical? Commit to your answer.
Concept: Managing log volume and retention policies is critical to keep Elasticsearch performant and costs manageable.
Logs can grow very fast, filling storage and slowing searches. Experts set retention policies to delete old logs automatically. They use index lifecycle management to move older logs to cheaper storage or delete them. They also tune Fluentd to filter unnecessary logs and compress data.
Result
EFK stack remains fast and cost-effective even with large log volumes.
Knowing how to manage log lifecycle prevents system overload and keeps logging sustainable in production.
Under the Hood
Fluentd runs as an agent on each Kubernetes node, reading container logs from files or stdout. It buffers and processes logs, then sends them via HTTP or TCP to Elasticsearch. Elasticsearch stores logs in indexes, which are optimized data structures for fast search. Kibana queries Elasticsearch and renders logs in dashboards using web technologies. The system uses APIs and persistent storage to ensure logs are durable and searchable.
Why designed this way?
EFK was designed to handle large, distributed systems where logs come from many sources. Fluentd’s pluggable architecture allows flexible log collection and transformation. Elasticsearch’s indexing enables fast search over huge data. Kibana provides a user-friendly way to explore logs without coding. Alternatives like direct log storage or manual collection were too slow or complex for modern cloud-native environments.
┌─────────────┐       ┌─────────────┐       ┌─────────────┐       ┌─────────────┐
│ Kubernetes  │       │  Fluentd    │       │ Elasticsearch│       │   Kibana    │
│ Containers  │──────▶│ (Collector) │──────▶│ (Indexer &   │──────▶│ (Visualizer)│
│ (Log Source)│       │             │       │  Storage)   │       │             │
└─────────────┘       └─────────────┘       └─────────────┘       └─────────────┘
Myth Busters - 4 Common Misconceptions
Quick: Does Fluentd store logs permanently or just forward them? Commit to your answer.
Common Belief:Fluentd stores all logs permanently on each node.
Tap to reveal reality
Reality:Fluentd only collects and forwards logs; it does not store them long-term.
Why it matters:Believing Fluentd stores logs can lead to missing logs if nodes fail, causing data loss.
Quick: Is Kibana a log storage system or just a visualization tool? Commit to your answer.
Common Belief:Kibana stores logs and manages their retention.
Tap to reveal reality
Reality:Kibana only visualizes logs stored in Elasticsearch; it does not store logs itself.
Why it matters:Misunderstanding this can cause confusion about where to manage log data and retention.
Quick: Can you keep all logs forever without issues? Commit to your answer.
Common Belief:Storing all logs forever is always best for troubleshooting.
Tap to reveal reality
Reality:Storing all logs indefinitely causes storage overload and slows down search performance.
Why it matters:Ignoring log retention leads to system crashes and high costs.
Quick: Does centralized logging solve all monitoring problems alone? Commit to your answer.
Common Belief:Centralized logging replaces the need for other monitoring tools.
Tap to reveal reality
Reality:Centralized logging complements but does not replace metrics and tracing tools.
Why it matters:Relying only on logs can miss performance issues that metrics or tracing reveal.
Expert Zone
1
Fluentd’s buffering and retry mechanisms prevent log loss during network or Elasticsearch outages, but misconfiguration can cause delays or duplicates.
2
Elasticsearch index sharding and replication settings greatly affect performance and fault tolerance; tuning these is key for large clusters.
3
Kibana’s saved searches and dashboards can be shared and versioned, enabling team collaboration and consistent incident response.
When NOT to use
EFK is not ideal for extremely high log volumes without scaling Elasticsearch properly; alternatives like Loki or Splunk may be better. For simple or small setups, lightweight log collectors or cloud-managed logging services might be easier.
Production Patterns
In production, teams deploy Fluentd as a DaemonSet with custom filters to reduce noise. Elasticsearch uses index lifecycle management to automate retention. Kibana dashboards are customized per team needs. Logs are secured with role-based access control and encrypted transport.
Connections
Distributed Tracing
Complementary tool for understanding request flows alongside logs
Knowing centralized logging helps you appreciate how tracing fills gaps by showing how requests move through services, not just what happened.
Database Indexing
Similar concept of indexing data for fast search
Understanding Elasticsearch indexing is easier if you know how databases create indexes to speed up queries.
Library Cataloging Systems
Both organize large amounts of information for quick retrieval
Centralized logging’s indexing and search is like a library catalog helping find books quickly among thousands.
Common Pitfalls
#1Not configuring Fluentd to handle log rotation causes missing logs.
Wrong approach:fluentd.conf without proper file input settings: @type tail path /var/log/containers/*.log pos_file /var/log/fluentd.pos tag kubernetes.*
Correct approach:fluentd.conf with log rotation handling: @type tail path /var/log/containers/*.log pos_file /var/log/fluentd.pos tag kubernetes.* read_from_head true refresh_interval 5
Root cause:Ignoring how container logs rotate leads Fluentd to miss new logs or read old ones repeatedly.
#2Storing all logs forever without retention causes Elasticsearch to slow down and run out of disk.
Wrong approach:No index lifecycle management configured; all indexes kept indefinitely.
Correct approach:Set index lifecycle policy to delete or archive logs older than 30 days.
Root cause:Not planning log retention leads to resource exhaustion and degraded cluster performance.
#3Running Kibana without securing access exposes sensitive logs to anyone.
Wrong approach:Kibana deployed with default settings and no authentication.
Correct approach:Enable authentication and role-based access control in Kibana and Elasticsearch.
Root cause:Overlooking security risks exposes logs containing sensitive information.
Key Takeaways
Centralized logging with the EFK stack collects logs from many containers into one searchable place.
Fluentd gathers and forwards logs, Elasticsearch stores and indexes them, and Kibana visualizes logs for easy analysis.
Without centralized logging, troubleshooting distributed systems is slow and error-prone.
Proper deployment and management of EFK components ensure reliable, scalable, and secure logging.
Managing log volume and retention is essential to keep the system performant and cost-effective.