Kubernetes / devops, ~5 mins

Centralized logging (EFK stack) in Kubernetes - Cheat Sheet & Quick Revision

Recall & Review
beginner
What does the EFK stack stand for in centralized logging?
EFK stands for Elasticsearch, Fluentd, and Kibana. These tools work together to collect, store, and visualize logs from multiple sources.
beginner
What role does Fluentd play in the EFK stack?
Fluentd collects logs from various sources, processes them, and forwards them to Elasticsearch for storage and indexing.
beginner
Why is Elasticsearch important in the EFK stack?
Elasticsearch stores and indexes logs so they can be quickly searched and analyzed. It acts like a powerful log database.
beginner
What is the purpose of Kibana in the EFK stack?
Kibana provides a user-friendly web interface to visualize and explore logs stored in Elasticsearch. It helps users understand log data through charts and dashboards.
intermediate
How does centralized logging with EFK help in Kubernetes environments?
It gathers logs from all containers and nodes in one place, making it easier to monitor, troubleshoot, and analyze system behavior without checking each pod individually.
Which component in the EFK stack is responsible for storing and indexing logs?
A. Elasticsearch
B. Fluentd
C. Kibana
D. Prometheus
What is Fluentd's main function in the EFK stack?
A. Manage Kubernetes pods
B. Visualize logs
C. Store logs
D. Collect and forward logs
Which tool provides dashboards and charts to explore logs in the EFK stack?
A. Elasticsearch
B. Fluentd
C. Kibana
D. Grafana
Why is centralized logging useful in Kubernetes?
A. It replaces container logs
B. It collects logs from all pods in one place
C. It scales pods automatically
D. It manages network policies
Which of these is NOT part of the EFK stack?
A. Prometheus
B. Fluentd
C. Kibana
D. Elasticsearch
Explain how the EFK stack components work together to provide centralized logging in Kubernetes.
Think about the flow from log collection to visualization.
Describe the benefits of using centralized logging with the EFK stack in a Kubernetes cluster.
Consider how logs are managed without EFK.

      Practice

      1. What is the main purpose of the EFK stack in Kubernetes?
      easy
      A. To collect, store, and visualize logs from all pods centrally
      B. To manage Kubernetes cluster networking
      C. To automate deployment of applications
      D. To monitor CPU and memory usage only

      Solution

      1. Step 1: Understand EFK components

        The EFK stack consists of Fluentd (log collector), Elasticsearch (log storage), and Kibana (log viewer).
      2. Step 2: Identify the main goal

        Its main goal is to centralize logs from all Kubernetes pods for easier troubleshooting and monitoring.
      3. Final Answer:

        To collect, store, and visualize logs from all pods centrally -> Option A
      4. Quick Check:

        EFK = Centralized logging [OK]
      Hint: EFK means Fluentd, Elasticsearch, Kibana for logs [OK]
      Common Mistakes:
      • Confusing EFK with monitoring CPU/memory
      • Thinking EFK manages networking
      • Assuming EFK automates deployments
      2. Which Kubernetes resource is typically used to deploy Fluentd as a log collector in the EFK stack?
      easy
      A. ServiceAccount
      B. DaemonSet
      C. Deployment
      D. ConfigMap

      Solution

      1. Step 1: Understand Fluentd deployment needs

        Fluentd must run on every node to collect logs from all pods on that node.
      2. Step 2: Choose correct Kubernetes resource

        DaemonSet ensures one pod per node, perfect for log collectors like Fluentd.
      3. Final Answer:

        DaemonSet -> Option B
      4. Quick Check:

        Fluentd runs as DaemonSet [OK]
      Hint: DaemonSet runs pods on all nodes [OK]
      Common Mistakes:
      • Using Deployment which may not run on all nodes
      • Confusing ConfigMap with deployment type
      • Thinking ServiceAccount deploys pods
      3. Given this Fluentd config snippet in Kubernetes:
      <match **>
        @type elasticsearch
        host elasticsearch.logging.svc.cluster.local
        port 9200
      </match>

      What is the main effect of this configuration?
      medium
      A. Fluentd sends all logs to Elasticsearch service at port 9200
      B. Fluentd collects logs only from pods named elasticsearch
      C. Fluentd stores logs locally on each node
      D. Fluentd forwards logs to Kibana directly

      Solution

      1. Step 1: Analyze Fluentd match directive

        The <match **> directive matches every tag, so all logs are routed to this output plugin.
      2. Step 2: Understand output plugin settings

        @type elasticsearch with host and port means logs are sent to Elasticsearch service at that address.
      3. Final Answer:

        Fluentd sends all logs to Elasticsearch service at port 9200 -> Option A
      4. Quick Check:

        <match **> + elasticsearch output = send all logs to ES [OK]
      Hint: match ** means all logs sent to Elasticsearch [OK]
      Common Mistakes:
      • Thinking logs go directly to Kibana
      • Assuming logs are stored locally
      • Confusing match pattern with pod names
      4. You deployed the EFK stack but Kibana shows no logs. Which of these is the most likely cause?
      medium
      A. Kibana is configured to use wrong Elasticsearch URL
      B. Elasticsearch service port is set to 8080 instead of 9200
      C. All of the above
      D. Fluentd DaemonSet is not running on nodes

      Solution

      1. Step 1: Check Fluentd status

        If Fluentd pods are not running, logs won't be collected or sent.
      2. Step 2: Verify Elasticsearch connectivity

        Wrong port on Elasticsearch service means Fluentd can't send logs properly.
      3. Step 3: Confirm Kibana configuration

        If Kibana points to wrong Elasticsearch URL, it can't display logs.
      4. Final Answer:

        All of the above -> Option C
      5. Quick Check:

        Any broken link in EFK stops logs [OK]
      Hint: Check Fluentd, Elasticsearch port, Kibana URL [OK]
      Common Mistakes:
      • Checking only one component
      • Ignoring service port mismatch
      • Assuming Kibana auto-fixes URLs
      5. You want to filter out logs from Kubernetes system namespaces (like kube-system and default) before sending to Elasticsearch in Fluentd. Which configuration snippet achieves this?
      hard
      A.
      <filter **>
        @type grep
        <exclude>
          key kubernetes.namespace_name
          pattern ^kube-system$
        </exclude>
      </filter>
      B.
      <filter **>
        @type record_transformer
        remove_keys kubernetes.namespace_name
      </filter>
      C.
      <filter **>
        @type grep
        <exclude>
          key kubernetes.namespace_name
          pattern ^kube-system$
        </exclude>
      </filter>
      D.
      <filter **>
        @type grep
        <exclude>
          key kubernetes.namespace_name
          pattern ^(kube-system|default)$
        </exclude>
      </filter>

      Solution

      1. Step 1: Understand filtering with Fluentd grep plugin

        The grep plugin drops any record whose field matches the pattern given in an <exclude> block.
      2. Step 2: Identify namespaces to exclude

        We want to exclude system namespaces like kube-system and default, so pattern must match both.
      3. Step 3: Compare options

        <filter **>
          @type grep
          <exclude>
            key kubernetes.namespace_name
            pattern ^(kube-system|default)$
          </exclude>
        </filter>
        excludes both the kube-system and default namespaces correctly; the other options either exclude only kube-system or remove a field from every record instead of dropping the records.
      4. Final Answer:

        <filter **> with @type grep and an <exclude> block whose pattern is ^(kube-system|default)$ -> Option D
      5. Quick Check:

        Exclude system namespaces with grep exclude pattern [OK]
      Hint: Use grep exclude with regex for system namespaces [OK]
      Common Mistakes:
      • Excluding only one namespace
      • Using include instead of exclude
      • Removing keys instead of filtering logs