Filebeat收集K8S日志 - VPS主机优惠网

文章目录 展开

Kubernetes 中比较流行的日志收集解决方案是 Elasticsearch、Logstash和 Kibana（ELK）技术栈，今天来推荐EFK，即Logstash换成filebeat。

切换到EFK后，发现filebeat正则表达式不是很好实现，比如怎么在Filebeat收集日志按k8s命名空间索引存到Elasticsearch，该教程主要介绍该方法。

环境准备

Elasticsearch：http://10.0.0.1:9200″, “http://10.0.0.2:9200”, “http://10.0.0.3:9200
docker data-root: /data/docker
需求：将nginx-ingress收集到ES单独索引
所有日志标准输出

filebeat-kubernetes.yaml

—
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-config
namespace: kube-system
labels:
k8s-app: filebeat
data:
filebeat.yml: |-
#====================== input =================
filebeat.inputs:
# nginx-ingress
– type: container
paths:
– /var/log/containers/*_nginx-ingress_*.log
tags: [“nginx-ingress”]
fields:
index: “nginx-ingress”
processors:
– add_kubernetes_metadata:
host: ${NODE_NAME}
matchers:
– logs_path:
logs_path: “/var/log/containers/”
– decode_json_fields:
when:
regexp:
message: “{*}”
fields: [“message”]
overwrite_keys: true
target: “”
# oneinstack-prd
– type: container
paths:
– /var/log/containers/*_oneinstack-prd_*.log
tags: [“oneinstack-prd”]
fields:
index: “oneinstack-prd”
processors:
– add_kubernetes_metadata:
host: ${NODE_NAME}
matchers:
– logs_path:
logs_path: “/var/log/containers/”
– decode_json_fields:
when:
regexp:
message: “{*}”
fields: [“message”]
#overwrite_keys: true
target: “”
#================ output =====================
output.elasticsearch:
hosts: [“http://10.0.0.1:9200”, “http://10.0.0.2:9200”, “http://10.0.0.3:9200”]
indices:
– index: “nginx-ingress-%{+yyyy.MM.dd}”
when.contains:
fields:
index: “nginx-ingress”
– index: “oneinstack-prd-%{+yyyy.MM.dd}”
when.contains:
fields:
index: “oneinstack-prd”
#============== Elasticsearch template setting ==========
setup.ilm.enabled: false
setup.template.name: ‘k8s-logs’
setup.template.pattern: ‘k8s-logs-*’
processors:
– drop_fields:
fields: [“agent”,”kubernetes.labels”,”input.type”,”log”,”ecs.version”,”host.name”,”kubernetes.replicaset.name”,”kubernetes.pod.uid”,”kubernetes.pod.uid”,”tags”,”stream”,”kubernetes.container.name”]
—
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: filebeat
namespace: kube-system
labels:
k8s-app: filebeat
spec:
selector:
matchLabels:
k8s-app: filebeat
template:
metadata:
labels:
k8s-app: filebeat
spec:
serviceAccountName: filebeat
terminationGracePeriodSeconds: 30
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
tolerations:
– effect: NoSchedule
operator: Exists
containers:
– name: filebeat
image: elastic/filebeat:7.9.0
args: [
“-c”, “/etc/filebeat.yml”,
“-e”,
]
env:
– name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
runAsUser: 0
# If using Red Hat OpenShift uncomment this:
#privileged: true
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
volumeMounts:
– name: config
mountPath: /etc/filebeat.yml
readOnly: true
subPath: filebeat.yml
– name: data
mountPath: /usr/share/filebeat/data
– name: varlibdockercontainers
mountPath: /data/docker/containers
readOnly: true
– name: varlog
mountPath: /var/log
readOnly: true
volumes:
– name: config
configMap:
defaultMode: 0600
name: filebeat-config
– name: varlibdockercontainers
hostPath:
path: /data/docker/containers
– name: varlog
hostPath:
path: /var/log
# data folder stores a registry of read status for all files, so we don’t send everything again on a Filebeat pod restart
– name: data
hostPath:
path: /var/lib/filebeat-data
type: DirectoryOrCreate
—
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: filebeat
subjects:
– kind: ServiceAccount
name: filebeat
namespace: kube-system
roleRef:
kind: ClusterRole
name: filebeat
apiGroup: rbac.authorization.k8s.io
—
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: filebeat
labels:
k8s-app: filebeat
rules:
– apiGroups: [“”] # “” indicates the core API group
resources:
– namespaces
– pods
verbs:
– get
– watch
– list
—
apiVersion: v1
kind: ServiceAccount
metadata:
name: filebeat
namespace: kube-system
labels:
k8s-app: filebeat
—

部署filebeat

kubectl apply -f filebeat-kubernetes.yaml -n kube-system

Wed Jan 6 17:43:07 CST 2021