I've spent the last few years debugging production logging pipelines across EKS, GKE, and AKS clusters, and the same failure modes keep appearing:
IPv6 pod addresses break your IP regex – Dual-stack Kubernetes clusters fail silently on the naive
(\d{1,3}\.){3}\d{1,3}pattern. A log line with[::ffff:10.0.1.42]:8080gets skipped entirely. Your alerts never fire.CRI-O fragments your Java stack traces – The
P(partial) andF(final) markers break log reassembly. A 30-line stack trace becomes 30 individual events, none actionable.Timestamp skew breaks event ordering – Kubernetes carries three timestamps (app, runtime, collector). Using the wrong one makes events appear out of order in Loki/Elasticsearch.
Buffer overflows silently drop long lines – Fluent Bit defaults to 32KB per line. One large debug log or blob and the event vanishes. Most configs don't catch this.
Each failure mode is validated against real production log lines. I've catalogued 50+ of these across Docker json-file, containerd, CRI-O, journald; across Vector, Fluent Bit, Logstash; across AWS EKS, GCP GKE, Azure AKS.
I've packaged them into a reference guide: Production Log Parsing Pack – 50+ copy-paste regex patterns and complete aggregator configs, each with the real log line that breaks the naive version and the production-safe replacement.
The guide covers:
- IPv4/IPv6 dual-stack patterns
- CRI-O multiline reassembly (Vector/Fluent Bit configs)
- Timestamp selection strategies
- Buffer limit tuning
- Common Logstash GROK patterns
- Error detection patterns
Available on Gumroad for £9.50.
Happy to answer questions about specific stacks or edge cases in the comments.
Top comments (0)