一键导入
log-aggregation
Set up Loki or ELK log aggregation for K8s workloads — structured logging, log routing, and log-based alerting.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Set up Loki or ELK log aggregation for K8s workloads — structured logging, log routing, and log-based alerting.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | log-aggregation |
| type | skill |
| description | Set up Loki or ELK log aggregation for K8s workloads — structured logging, log routing, and log-based alerting. |
| related-rules | ["golden-signals.md","data-retention.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: Loki (Grafana stack), Promtail/Fluent Bit, structured JSON logging, log-based alerting, ELK basics.
When setting up log collection, writing log queries, debugging missing logs, or adding log-based alerts.
# Promtail DaemonSet auto-discovers K8s pod logs
# Install via helm:
helm upgrade --install loki grafana/loki-stack \
-n monitoring \
-f loki-values.yaml
# loki-values.yaml
loki:
auth_enabled: false
limits_config:
retention_period: 720h # 30 days
ingestion_rate_mb: 16
max_streams_per_user: 10000
storage_config:
boltdb_shipper:
active_index_directory: /data/loki/boltdb-index
filesystem:
directory: /data/loki/chunks
promtail:
config:
clients:
- url: http://loki:3100/loki/api/v1/push
scrape_configs:
- job_name: kubernetes-pods
kubernetes_sd_configs:
- role: pod
pipeline_stages:
- docker: {} # parse Docker JSON log format
- json: # extract fields from app JSON logs
expressions:
level: level
trace_id: trace_id
service: service
- labels:
level:
service:
# All error logs from a service in last 5 min
{namespace="production", app="order-service"} |= "ERROR"
# Parse JSON and filter by field
{namespace="production"} | json | level="error" | trace_id != ""
# Count errors per service (for alerting)
sum by (service) (
count_over_time({namespace="production"} | json | level="error" [5m])
)
# Log rate (to detect log explosion)
sum(rate({namespace="production"}[5m])) by (app)
# Find slow requests from logs
{app="api-gateway"} | json | response_time_ms > 500
# Python — structlog
import structlog
log = structlog.get_logger()
# Always include: service, version, trace_id, span_id, level
log.info("order.created",
order_id="ord-123",
user_id="usr-456", # OK in log; NOT in metrics labels
amount_cents=4999,
# trace_id injected automatically via TraceContextFilter
)
# Output (JSON):
# {"event": "order.created", "level": "info", "order_id": "ord-123",
# "trace_id": "abc123def456", "span_id": "789xyz", "timestamp": "..."}
// Go — slog (stdlib, Go 1.21+)
logger := slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
Level: slog.LevelInfo,
}))
slog.SetDefault(logger)
slog.Info("order.created",
"order_id", "ord-123",
"amount_cents", 4999,
"trace_id", traceID, // inject from context
)
# loki-rules.yaml
groups:
- name: application.logs
rules:
- alert: HighErrorLogRate
expr: |
sum(rate({namespace="production"} | json | level="error" [5m])) by (app)
> 10
for: 2m
labels:
severity: warning
annotations:
summary: "Error log rate > 10/s — {{ $labels.app }}"
runbook_url: "https://runbooks.internal/high-error-logs"
# fluent-bit-config.yaml (K8s ConfigMap)
[INPUT]
Name tail
Path /var/log/containers/*.log
Parser docker
Refresh_Interval 5
[FILTER]
Name kubernetes
Match kube.*
Kube_Tag_Prefix kube.var.log.containers.
Merge_Log On
Keep_Log Off
[OUTPUT]
Name loki
Match kube.*
Host loki
Port 3100
Labels job=fluent-bit, namespace=$kubernetes['namespace_name']