We’re here at KubeCon this week, and we’re showing something that finally makes distributed Kubernetes logging sane. If you’re running clusters in retail stores, manufacturing lines, remote facilities, or anywhere outside your main data center, come talk to us. We’ll be on the show floor all week.
Kubernetes has pushed far beyond the data center. Clusters now sit in stores, factories, warehouses, fleet hubs, and edge locations where data is generated. That’s great for latency, resilience, and autonomy—until you try to centralize logs.
The Problem Everyone Keeps Running Into
Once you deploy K3S or OpenShift across dozens or hundreds of sites, observability gets ugly fast. Logging pipelines designed for centralized infrastructure don’t survive the realities of the edge:
- Limited or unreliable bandwidth
- High latency that makes troubleshooting slow
- Sensitive data crossing networks unnecessarily
- Massive log volumes, most of which add zero value centrally
One retail operator we spoke with runs Kubernetes in 100+ stores. Each site emits gigabytes of logs per day. Shipping everything to their Elasticsearch cluster wasn’t just expensive—it became impossible. Worse, 95% of those logs never needed to leave the store in the first place.
They didn’t need a firehose of “request successful.” They needed anomaly detection, trend metrics, and alerts—without the central system drowning in noise.
A Better Model: Process Logs Before You Ship Them
Instead of collecting everything and filtering later, process logs where they’re created. Keep the useful data, drop the noise, extract structure, and ship only what matters.
That’s the architecture Expanso enables. Expanso is a distributed data processing engine that runs directly inside your Kubernetes clusters, giving each location the ability to filter, parse, enrich, redact, aggregate, and route logs before they ever leave the building.
Your existing logging stack stays the same—Elasticsearch, Splunk, Datadog, CloudWatch, whatever you’re already paying for. Expanso simply ensures only high-signal data flows into it.
This pattern has been proven in the wild. Edge pioneers—like the engineering teams at Chick-fil-A—use in-cluster processing to handle data locally and avoid overwhelming central systems. Here’s an example of that approach in action.
What This Looks Like in Practice
Picture a manufacturing facility with 50 K3S nodes running equipment monitoring and automation workloads.
The old way
Stream every log line back to a central data lake. Wait hours (or days) to detect issues. Investigation turns into archaeology.
The new way
Expanso runs as an agent in each cluster, processing logs in real time:
- Routine messages filtered out
- Anomalies detected instantly
- Metrics aggregated locally
- Only critical data shipped upstream
The outcome? One customer saw bandwidth usage drop by over 80%, immediate alerts triggered on-site, and compliance requirements met by processing sensitive data inside their own environment.
How It Works
You deploy Expanso as a lightweight container alongside your K3S or OpenShift clusters—at any scale from five sites to thousands. You define pipelines describing:
- What to collect: container logs, application logs, CRI logs, system metrics
- How to process them: filtering, parsing, enrichment, redaction, aggregation
- Where to send outputs: your existing logging platform, S3, object storage, SIEM, etc.
Here’s a simplified example pipeline:
input:
subprocess:
name: kubectl
args:
- logs
- --all-containers
- --all-namespaces
- --follow
- --tail=0
codec: lines
restart_on_exit: true
pipeline:
processors:
- mapping: |
# Keep only errors and warnings
root = if this.level.or("info") in ["error", "warn"] {
this
} else { deleted() }
output:
elasticsearch:
urls: ["https://logs.yourcompany.com"]
No rip-and-replace migration. No new vendor lock-in. Just smarter data flow at every location.
Common Problems We Solve
Teams use Expanso to fix the edge observability headaches that traditional logging stacks weren’t built for:
- Archiving without paying for real-time analytics? Stream everything to S3 for compliance, send only high-value events to your expensive logging platform.
- Logs missing context? Enrich log lines with namespace, pod, container, and node metadata automatically.
- Drowning in “INFO” logs? Filter out routine messages and ship only what matters.
- Uncontrolled logging bills? Route only critical errors to expensive platforms while archiving everything else in cheap storage.
- Signal buried under dev/stage noise? Target log collection to specific namespaces and add automated priority tagging.
See It Live at KubeCon
We’re running live demos all week showing how Expanso manages logs across K3S clusters in retail environments, OpenShift deployments in manufacturing, and everything in between.
Whether you’re operating 10 sites or 1,000, we can show you how to get observability without blowing out your bandwidth budget.
Book time with us on the show floor and let’s make your distributed logging pipeline manageable.
Not at KubeCon? Start now with our Getting Started guide. You can deploy your first pipeline in minutes—and run it in production across hundreds of locations.
We’ll see you at KubeCon.
Ready to get started? Visit cloud.expanso.io to try Expanso for free, or explore our documentation for detailed examples and deployment guides.