CRI source

The cri source reads Kubernetes Container Runtime Interface (CRI) log files. It parses the CRI log format and extracts metadata like namespace, pod name, and container name from the file path.

CRI logs are typically found at /var/log/pods/ on Kubernetes nodes. The path format is /var/log/pods/<namespace>_<pod>_<uid>/<container>/<rotation>.log.

Configuration

{
  "sources": {
    "containers": {
      "type": "cri",
      "path": "/var/log/pods/",
      "extension": ".log",
      "recursive": true
    }
  }
}

Options

Option	Type	Default	Description
`path`	string	required	Directory containing CRI logs
`extension`	string	`""`	File extension filter
`recursive`	bool	`false`	Watch subdirectories (typically set to `true` for pod logs)
`include`	string[]	`null`	Glob patterns to include
`exclude`	string[]	`null`	Glob patterns to exclude

Event fields

Field	Value
`sourceType`	`"cri"`
`rawLog`	Parsed log body (JSON extracted if present)
`eventTime`	Parsed from CRI timestamp (falls back to current time)
`tags.namespace`	Kubernetes namespace (extracted from path)
`tags.pod`	Pod name (extracted from path)
`service.name`	Container name (extracted from path)

High-watermark

The CRI source saves read positions to ~/.config/reveald/cri-hwm.json. On restart, it resumes from the last position.

Kubernetes DaemonSet

For running reveald as a DaemonSet to collect CRI logs across a cluster, see Kubernetes deployment.