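0x00 Background
Spring Cloud microservices run inside K8s. The custom container architecture requires that log files never land on disk: all logs are written to the standard output streams, where a Docker-based Filebeat collects them and ships them to Kafka or an ES cluster.
0x01 Multiline matching and the YAML file
In the YAML file that launches Filebeat, specify the relevant namespace and configure the multiline parsing rule for Java stack traces. The YAML below outputs to Kafka; to output to an ES cluster instead, change the corresponding configuration.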
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: logging
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat
  namespace: logging
  labels:
    k8s-app: filebeat
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use rbac.authorization.k8s.io/v1 on newer clusters
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: filebeat
  namespace: logging
  labels:
    k8s-app: filebeat
rules:
- apiGroups: [""]
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: filebeat
  namespace: logging
subjects:
- kind: ServiceAccount
  name: filebeat
  namespace: logging
roleRef:
  kind: ClusterRole
  name: filebeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: logging
  labels:
    k8s-app: filebeat
    kubernetes.io/cluster-service: "true"
data:
  filebeat.yml: |-
    filebeat.config:
    #  inputs:
    #    path: ${path.config}/inputs.d/*.yml
    #    reload.enabled: true
      modules:
        path: ${path.config}/modules.d/*.yml
        reload.enabled: true

    filebeat.autodiscover:
      providers:
        - type: kubernetes
          hints.enabled: true
          templates:
            - condition:
                equals:
                  # Namespace whose pods emit multi-line Java stack traces: wfw
                  kubernetes.namespace: wfw
              config:
                - type: docker
                  containers.ids:
                    - "${data.kubernetes.container.id}"
                  # Multiline rule for Java stack traces.
                  # Single-quoted YAML keeps backslashes literal, so they are not doubled.
                  # `^Caused by:` is a top-level alternative because those lines start at column 0.
                  multiline:
                    pattern: '^[[:space:]]+(at|\.{3})[[:space:]]+\b|^Caused by:'
                    negate: false
                    match: after
            - condition:
                equals:
                  kubernetes.namespace: kube-system
              config:
                - type: docker
                  containers.ids:
                    - "${data.kubernetes.container.id}"

    # Send the data to Kafka
    output.kafka:
      enabled: true
      hosts: ["xx.xx.xx.xx:9092","xx.xx.xx.xx:9092","xx.xx.xx.xx:9092"]
      topic: k8s_log
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-inputs
  namespace: logging
  labels:
    k8s-app: filebeat
    kubernetes.io/cluster-service: "true"
data:
  kubernetes.yml: |-
    - type: docker
      containers.ids:
      - "*"
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
      multiline:
        pattern: '^[A-Za-z ]+[0-9]{2} (?:[01]\d|2[0123]):(?:[012345]\d):(?:[012345]\d)'
        negate: true
        match: after
---
# extensions/v1beta1 DaemonSets were removed in Kubernetes 1.16; on newer clusters
# use apps/v1 and add spec.selector.matchLabels (k8s-app: filebeat)
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: logging
  labels:
    k8s-app: filebeat
spec:
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      serviceAccountName: filebeat
      terminationGracePeriodSeconds: 30
      containers:
      - name: filebeat
        image: 10.131.141.200/public/filebeat:6.5.4
        args: [
          "-c", "/usr/share/filebeat/filebeat.yml",
          "-e",
        ]
        securityContext:
          runAsUser: 0
          # If using Red Hat OpenShift uncomment this:
          #privileged: true
        resources:
          limits:
            cpu: 100m
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: config
          mountPath: /usr/share/filebeat/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        - name: inputs
          mountPath: /usr/share/filebeat/inputs.d
          readOnly: true
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: filebeat-config
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: inputs
        configMap:
          defaultMode: 0600
          name: filebeat-inputs
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate
# No second ServiceAccount or ClusterRoleBinding is needed here. The filebeat
# ServiceAccount must not be bound to cluster-admin: a log shipper only needs the
# get/watch/list access on namespaces and pods granted by the ClusterRole above,
# and a second ClusterRoleBinding named "filebeat" would collide with the first
# (roleRef is immutable).
```
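The following is an added example, not code from the original page or from Filebeat: a small Python model of `multiline` with `match: after`, run over a constructed stack trace. It compares a pattern that doubles the backslashes and places `^Caused by:` inside the group with one that keeps `^Caused by:` as a top-level alternative; `[[:space:]]` is written as `\s` because Python's `re` has no POSIX classes.

```python
import re

# Go's regexp (used by Filebeat) accepts POSIX classes; Python's re does not,
# so [[:space:]] is written as \s. The patterns are otherwise unchanged.
# BROKEN: doubled backslashes match a literal "\", and ^Caused by: can never
# match after ^\s+ has already consumed leading whitespace.
BROKEN = re.compile(r'^\s+(at|\\.{3}\\b|^Caused by:)')
FIXED = re.compile(r'^\s+(at|\.{3})\s+\b|^Caused by:')

# Constructed sample of container stdout, not taken from the page.
SAMPLE = [
    "2019-03-01 10:00:00 ERROR [order-service] request failed",
    "java.lang.IllegalStateException: upstream call failed",
    "\tat com.example.OrderController.create(OrderController.java:42)",
    "\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)",
    "Caused by: java.net.ConnectException: Connection refused",
    "\tat java.net.PlainSocketImpl.socketConnect(Native Method)",
    "\t... 12 more",
    "2019-03-01 10:00:01 INFO [order-service] retrying",
]


def group_multiline(lines, pattern, negate=False):
    """Model multiline with match: after; returns the list of merged events."""
    events, current = [], None
    for line in lines:
        # negate flips which lines count as continuations of the previous one
        continuation = bool(pattern.search(line)) != negate
        if continuation and current is not None:
            current.append(line)
        else:
            if current is not None:
                events.append("\n".join(current))
            current = [line]
    if current is not None:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for name, pat in (("broken", BROKEN), ("fixed", FIXED)):
        events = group_multiline(SAMPLE, pat)
        print(f"{name}: {len(events)} events")
        for event in events:
            print("  | " + event.replace("\n", "\n  | "))
```

With the broken pattern the `Caused by:` block and the `... 12 more` line become separate events, so the root cause is detached from the exception it belongs to when the logs are searched in Kafka or ES.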
0x02 Conclusion
Reference 1: https://www.elastic.co/guide/en/beats/filebeat/6.7/_examples_of_multiline_configuration.html
Use StackOverflow and Google more, and ask Baidu less, for technical questions.