Default Edge Delta Configuration

Edge Delta includes a default pipeline.

Overview

When you create a new agent configuration, it includes a default pipeline configuration.

Input

Kubernetes Input

The default pipeline starts with a Kubernetes input. It is configured to ingest logs from certain Kubernetes resources, and not others. See more documentation on configuring a Kubernetes input here.

The node ingests logs from all namespaces in the cluster (see the include field). Of those, it excludes the following resources using the exclude field:

  • k8s.namespace.name=kube-system
  • k8s.namespace.name=kube-public
  • k8s.namespace.name=kube-node-lease
  • k8s.pod.name=edgedelta
  • k8s.pod.name=prometheus
  • k8s.pod.name=promtail
  • k8s.pod.name=node-exporter

Processors

Mask Node

The Kubernetes input node is connected to a Mask node named mask_ssn using a link. It is configured with a regex pattern that identifies US social security numbers and obfuscates them with the word REDACTED.

See more documentation on configuring a mask node here.

The mask_ssn node connects to a number of downstream processor nodes arranged in parallel. The parallel construction of the pipeline indicates that all output from mask_ssn is sent to each downstream processor, that is, the data is duplicated per link.

For conditional routing along parallel paths, where data is only sent down one of the paths based on its characteristics, you can use a Route node.

Regex Filter

A Regex filter node named drop_trace_level is one of the processors fed by the mask_ssn node in the default configuration.

It is configured to identify logs containing the string TRACE. The default behavior of a regex filter is to identify and pass only those logs that match the specified pattern. However, in this configuration the behavior is inverted by setting the Negate switch to True. Now the node will drop only those logs containing TRACE anywhere in the log, and it will pass all other logs. In the default configuration, the drop_trace_level node sends logs to the ed_archive_output, and they can be accessed using Log Search.

Log to Metrics

There are three log to metrics nodes that are fed logs from the mask_ssn node in the default configuration:

error_monitoring

The error_monitoring log to metric node is configured to create metrics based on logs containing the Golang regex pattern (?i)error. This node will capture any logs containing the text error or any case variation.

It outputs sum and count metrics that you can view in the metrics explorer.

exception_monitoring

The exception_monitoring log to metric node is configured to create metrics based on logs containing the Golang regex pattern (?i)exception. This node will capture any logs containing the text exception or any case variation.

It outputs sum and count metrics that you can view in the metrics explorer.

negative_sentiment_monitoring

The negative_sentiment_monitoring log to metric node is configured to create metrics based on logs containing the Golang regex pattern (?i)(exception|fail|timeout|broken|caught|denied|abort|insufficient|killed|killing|malformed|unsuccessful|outofmemory|panic|undefined). This node will capture any logs containing any of the negative sentiment keywords or any case variation of them.

It outputs sum and count metrics that you can view in the metrics explorer.

See more documentation on configuring a log to metric node here.
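The following Go program is an added example, not Edge Delta's own code. It replays the mask, regex filter and log to metric steps described above over constructed log lines, so you can check that masking happens before the fan-out and see how the unanchored patterns match substrings such as failover or STACKTRACE. The SSN regex, the RunPipeline function and the sample lines are assumptions; the TRACE and monitoring patterns are the ones quoted on this page.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed SSN pattern: the page does not show the regex mask_ssn uses.
var ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// Patterns below are quoted from the page.
var traceRe = regexp.MustCompile(`TRACE`)
var metricRes = map[string]*regexp.Regexp{
	"error_monitoring":     regexp.MustCompile(`(?i)error`),
	"exception_monitoring": regexp.MustCompile(`(?i)exception`),
	"negative_sentiment_monitoring": regexp.MustCompile(
		`(?i)(exception|fail|timeout|broken|caught|denied|abort|insufficient|killed|killing|malformed|unsuccessful|outofmemory|panic|undefined)`),
}

// Constructed sample log lines (not real data).
var sample = []string{
	"INFO user lookup ssn=123-45-6789 ok",
	"TRACE entering handler",
	"ERROR payment failed: Timeout",
	"WARN java.lang.NullPointerException caught",
	"INFO failover check passed, 0 errors",
	"ERROR unhandled, STACKTRACE follows",
}

// RunPipeline masks each line once, then gives the same masked line to every
// parallel branch: the negated TRACE filter (archive) and the three counters.
func RunPipeline(lines []string) (archived []string, counts map[string]int) {
	counts = map[string]int{}
	for _, line := range lines {
		masked := ssnRe.ReplaceAllString(line, "REDACTED")
		if !traceRe.MatchString(masked) { // drop_trace_level with Negate=True
			archived = append(archived, masked)
		}
		for name, re := range metricRes {
			if re.MatchString(masked) {
				counts[name]++ // simplified: count of matching logs only
			}
		}
	}
	return archived, counts
}

func main() {
	archived, counts := RunPipeline(sample)
	fmt.Println(archived, counts)
}
```

The last sample line is counted by error_monitoring but never reaches the archive, because TRACE matches inside STACKTRACE.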

Log to Pattern

A log to pattern node named log_to_pattern is connected downstream of the mask_ssn node in the default configuration. It reports every minute to the ed_patterns output node with any patterns and samples detected on the edge.

Patterns and samples detected by this node on the edge, as well as any detected in post-processing on the backend, can be explored on the Logs - Patterns page.

Outputs

The default configuration sends data to three Edge Delta outputs:

  • ed_archive is used to send archive data to the Edge Delta SaaS to power Log Search.
  • ed_metrics is used to send metrics to the Edge Delta SaaS to power the metrics explorer page as well as Kubernetes Overview, Pipeline Status, filters and others. In addition, it collects the agent version, agent heartbeats, and last activated data.
  • ed_pattern is used to send pattern data to the Edge Delta SaaS to power the Logs - Patterns page.