注意事项
1. 需要将namespace修改为自己项目中的命名空间
2. es换成对应的地址
3. filebeat-inputs中的两个配置(根据需要用任意一个就可以)
3.1 第一个配置是监听docker日志,由于系统日志太多所以这里只监听项目部署命名空间下的内容
- type: docker
containers.ids:
- "*"
exclude_files: ['.*/syslog.*']
multiline.pattern: '^\d{4}-\d{2}-\d{2}'
multiline.negate: true
multiline.match: after
processors:
- drop_fields:
fields: ["input_type", "offset", "stream", "beat"]
- add_kubernetes_metadata:
in_cluster: true
- drop_event:
when:
or:
- not:
or:
- equals:
kubernetes.container.name: "gateway"
- equals:
kubernetes.container.name: "api"
- contains:
message: "/health/status"
3.2 第二个是配置监听指定文件夹下的所有日志信息,日志有变更就会发送到es中(如果修改路径地址,需要把挂载logger-path路径一并改掉)
- type: log
enabled: true
paths:
- /home/k8s/logger/*/*.txt
multiline.pattern: '^\d{4}-\d{2}-\d{2}'
multiline.negate: true
multiline.match: after
fields_under_root: true
exclude_lines: ['^DEBUG']
exclude_files: ['.gz$']
完整配置
---
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-config
namespace: gitee
labels:
k8s-app: filebeat
data:
filebeat.yml: |-
filebeat.config:
inputs:
path: ${path.config}/inputs.d/*.yml
reload.enabled: true
modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
output.elasticsearch:
hosts: ['elasticsearch.gitee:9200']
---
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-inputs
namespace: gitee
labels:
k8s-app: filebeat
data:
kubernetes.yml: |-
- type: docker
containers.ids:
- "*"
exclude_files: ['.*/syslog.*']
multiline.pattern: '^\d{4}-\d{2}-\d{2}'
multiline.negate: true
multiline.match: after
processors:
- drop_fields:
fields: ["input_type", "offset", "stream", "beat"]
- add_kubernetes_metadata:
in_cluster: true
- drop_event:
when:
and:
- not:
or:
- equals:
kubernetes.container.name: "gateway"
- equals:
kubernetes.container.name: "api"
- contains:
message: "/health/status"
file-logs.yml: |-
- type: log
enabled: true
paths:
- /home/k8s/logger/*/*.txt
multiline.pattern: '^\d{4}-\d{2}-\d{2}'
multiline.negate: true
multiline.match: after
fields_under_root: true
exclude_lines: ['^DEBUG']
exclude_files: ['.gz$']
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: filebeat
namespace: gitee
labels:
k8s-app: filebeat
spec:
selector:
matchLabels:
k8s-app: filebeat
template:
metadata:
labels:
k8s-app: filebeat
spec:
serviceAccountName: filebeat
terminationGracePeriodSeconds: 30
containers:
- name: filebeat
image: elastic/filebeat:7.9.2
args: [
"-c", "/etc/filebeat.yml",
"-e",
]
securityContext:
runAsUser: 0
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
volumeMounts:
- name: config
mountPath: /etc/filebeat.yml
readOnly: true
subPath: filebeat.yml
- name: inputs
mountPath: /usr/share/filebeat/inputs.d
readOnly: true
- name: data
mountPath: /usr/share/filebeat/data
- name: varlibdockercontainers
mountPath: /var/lib/docker/containers
readOnly: true
- name: logger-path
mountPath: /home/k8s/logger/
volumes:
- name: config
configMap:
defaultMode: 0600
name: filebeat-config
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
- name: inputs
configMap:
defaultMode: 0600
name: filebeat-inputs
- name: data
hostPath:
path: /var/lib/filebeat-data
type: DirectoryOrCreate
- name: logger-path
hostPath:
path: /home/k8s/logger/
type: Directory
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: filebeat
subjects:
- kind: ServiceAccount
name: filebeat
namespace: gitee
roleRef:
kind: ClusterRole
name: filebeat
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: filebeat
labels:
k8s-app: filebeat
rules:
- apiGroups: [""]
resources:
- namespaces
- pods
verbs:
- get
- watch
- list
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: filebeat
namespace: gitee
labels:
k8s-app: filebeat
