Follow-up on the second of the three major problems: collecting and viewing the console logs of pods in k8s


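1. Do not use Logstash
2. Steps:
2.1 First, collect the logs from a single file
2.2 Then, collect the logs from multiple files
2.3 Collect file logs in bulk

Pod log file path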

[root@worker hkd-eureka]# pwd
/var/log/pods/test_cloud-eureka-0_26292b87-08d2-495e-a141-81304dd9ef07/hkd-eureka
[root@worker hkd-eureka]# ll
總用量 0
lrwxrwxrwx 1 root root 165 7月   7 09:23 0.log -> /var/lib/docker/containers/24a1f5bc57a81fc61043ebc0ce4daff859096a8c026bf54497d434bdc538e7ee/24a1f5bc57a81fc61043ebc0ce4daff859096a8c026bf54497d434bdc538e7ee-json.log

2.1 First, collect the logs from a single file

filebeat.yml configuration

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/pods/test_cloud-eureka-*/*/*.log
  symlinks: true
  
  fileds:   # spelled "fileds" as written; the Filebeat option is "fields"
    level: eureka
  fields_under_root: true

  json.keys_under_root: true 
  json.add_error_key: true 
  json.message_key: log
  tail_files: true

  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
  multiline.timeout: 10s

output.elasticsearch:
  hosts: ["192.168.75.21:9200"]
  username: "elastic"
  password: "IjGj8QwWYeXY7rVoLLQ6"

Result as seen in Discover for ES

{
  "_index": "filebeat-7.5.0",
  "_type": "_doc",
  "_id": "7KAaJ3MBSoQZ5wHWGij-",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-07-07T02:28:03.237Z",
    "ecs": {
      "version": "1.1.0"
    },
    "container": {
      "id": "hkd-eureka"
    },
    "log": {
      "offset": 238675,
      "file": {
        "path": "/var/log/pods/test_cloud-eureka-0_26292b87-08d2-495e-a141-81304dd9ef07/hkd-eureka/0.log"
      }
    },
    "stream": "stdout",
    "time": "2020-07-07T02:28:02.722603324Z",
    "input": {
      "type": "log"
    },
    "host": {
      "name": "worker",
      "os": {
        "platform": "centos",
        "version": "7 (Core)",
        "family": "redhat",
        "name": "CentOS Linux",
        "kernel": "3.10.0-1062.el7.x86_64",
        "codename": "Core"
      },
      "id": "a392797746874909a0980d75e417dc04",
      "containerized": false,
      "hostname": "worker",
      "architecture": "x86_64"
    },
    "agent": {
      "version": "7.5.0",
      "type": "filebeat",
      "ephemeral_id": "411e333b-208a-44e7-9ae0-6d4ae4b6e694",
      "hostname": "worker",
      "id": "d45e4661-8b64-4ee5-8d63-884e20096aee"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-07-07T02:28:03.237Z"
    ],
    "time": [
      "2020-07-07T02:28:02.722Z"
    ]
  },
  "sort": [
    1594088883237
  ]
}

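Looking at the entry, the fields.level configured in Filebeat did not take effect. The entry does contain a container.id, which happens to be the container name, so there is no need to add fields.level in Filebeat: container.id can be used directly to tell apart the pods the logs come from.
There is also a major problem: the entry contains no log data. Both problems need further handling.

Revised filebeat.yml configuration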

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/pods/test_cloud-eureka-*/*/*.log
  symlinks: true

setup.ilm.enabled: false

setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 0
  index.codec: best_compression   

output.elasticsearch:
  hosts: ["192.168.75.21:9200"]
  indices:
    - index: "hkd-eureka_%{+yyyy.MM.dd}"
      when.equals:
        container.id: "hkd-eureka"
  username: "elastic"
  password: "IjGj8QwWYeXY7rVoLLQ6"

Result in ES Discover after the change

{
  "_index": "hkd-eureka_2020.07.07",
  "_type": "_doc",
  "_id": "W6BAJ3MBSoQZ5wHWHSto",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-07-07T03:09:41.177Z",
    "input": {
      "type": "log"
    },
    "agent": {
      "id": "d45e4661-8b64-4ee5-8d63-884e20096aee",
      "version": "7.5.0",
      "type": "filebeat",
      "ephemeral_id": "823fd876-9983-4382-91f7-bc9a263962c7",
      "hostname": "worker"
    },
    "ecs": {
      "version": "1.1.0"
    },
    "host": {
      "name": "worker",
      "architecture": "x86_64",
      "os": {
        "family": "redhat",
        "name": "CentOS Linux",
        "kernel": "3.10.0-1062.el7.x86_64",
        "codename": "Core",
        "platform": "centos",
        "version": "7 (Core)"
      },
      "id": "a392797746874909a0980d75e417dc04",
      "containerized": false,
      "hostname": "worker"
    },
    "container": {
      "id": "hkd-eureka"
    },
    "log": {
      "offset": 372774,
      "file": {
        "path": "/var/log/pods/test_cloud-eureka-0_26292b87-08d2-495e-a141-81304dd9ef07/hkd-eureka/0.log"
      }
    },
    "message": "{\"log\":\"2020-07-07 11:09:40.862  INFO 1 --- [a-EvictionTimer] c.n.e.r.AbstractInstanceRegistry         : Running the evict task with compensationTime 3ms\\n\",\"stream\":\"stdout\",\"time\":\"2020-07-07T03:09:40.865567577Z\"}"
  },
  "fields": {
    "@timestamp": [
      "2020-07-07T03:09:41.177Z"
    ]
  },
  "sort": [
    1594091381177
  ]
}

The message field is now present; it holds the log data from the pod log file.
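
The message value above is still the raw Docker json-file line, so the application text sits one level down in its "log" key. The following added example (not part of the original post) decodes such lines and joins continuation lines using the multiline pattern from the first filebeat.yml; the sample lines and function names are constructed for illustration.

```python
import json
import re

# Same expression as multiline.pattern in the first filebeat.yml above.
EVENT_START = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Constructed sample: json-file lines shaped like the "message" field shown
# above; the stack-trace lines and the last line are invented for illustration.
SAMPLE = [
    '{"log":"2020-07-07 11:09:40.862  INFO 1 --- [a-EvictionTimer] Running the evict task\\n","stream":"stdout","time":"2020-07-07T03:09:40.865567577Z"}',
    '{"log":"2020-07-07 11:09:41.010 ERROR 1 --- [main] request failed\\n","stream":"stdout","time":"2020-07-07T03:09:41.011Z"}',
    '{"log":"java.lang.IllegalStateException: boom\\n","stream":"stdout","time":"2020-07-07T03:09:41.012Z"}',
    '{"log":"\\tat com.example.Demo.run(Demo.java:12)\\n","stream":"stdout","time":"2020-07-07T03:09:41.013Z"}',
    'not json at all',
]


def decode_line(raw):
    """Split one json-file line into its log text, stream and time."""
    rec = json.loads(raw)
    return rec["log"].rstrip("\n"), rec["stream"], rec["time"]


def join_events(raw_lines):
    """Decode each line, then apply negate=true / match=after: a line that
    does not start with a date is appended to the event before it."""
    events = []
    for raw in raw_lines:
        try:
            text, stream, ts = decode_line(raw)
        except (ValueError, KeyError, TypeError, AttributeError):
            # Keep undecodable input visible instead of dropping it.
            events.append({"message": raw, "error": "not a json-file line"})
            continue
        prev = events[-1] if events else None
        if prev and "error" not in prev and not EVENT_START.match(text):
            prev["message"] += "\n" + text
        else:
            events.append({"message": text, "stream": stream, "time": ts})
    return events


if __name__ == "__main__":
    for ev in join_events(SAMPLE):
        print(json.dumps(ev, ensure_ascii=False))
```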

2.2 Then, collect the logs from multiple files

Configuration for multiple files

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/pods/test_cloud-eureka-*/*/*.log
  symlinks: true

- type: log
  enabled: true
  paths:
    - /var/log/pods/test_cloud-config-*/*/*.log
  symlinks: true

setup.ilm.enabled: false

setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 0
  index.codec: best_compression   

output.elasticsearch:
  hosts: ["192.168.75.21:9200"]
  indices:
    - index: "filebeat-hkd-eureka_%{+yyyy.MM.dd}"
      when.equals:
        container.id: "hkd-eureka"
    - index: "filebeat-hkd-config_%{+yyyy.MM.dd}"
      when.equals:
        container.id: "hkd-config"
  username: "elastic"
  password: "IjGj8QwWYeXY7rVoLLQ6"

Viewing the multi-file logs in ES Discover


{
  "_index": "filebeat-hkd-eureka_2020.07.07",
  "_type": "_doc",
  "_id": "66B4J3MBSoQZ5wHWJjKY",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-07-07T04:10:53.451Z",
    "container": {
      "id": "hkd-eureka"
    },
    "log": {
      "offset": 166290,
      "file": {
        "path": "/var/log/pods/test_cloud-eureka-0_6a964a51-f1de-4b5a-8cc4-03b495c42e82/hkd-eureka/0.log"
      }
    },
    "message": "{\"log\":\"2020-07-07 12:10:52.750  INFO 1 --- [a-EvictionTimer] c.n.e.r.AbstractInstanceRegistry         : Running the evict task with compensationTime 0ms\\n\",\"stream\":\"stdout\",\"time\":\"2020-07-07T04:10:52.751269899Z\"}",
    "input": {
      "type": "log"
    },
    "ecs": {
      "version": "1.1.0"
    },
    "host": {
      "containerized": false,
      "name": "worker",
      "hostname": "worker",
      "architecture": "x86_64",
      "os": {
        "version": "7 (Core)",
        "family": "redhat",
        "name": "CentOS Linux",
        "kernel": "3.10.0-1062.el7.x86_64",
        "codename": "Core",
        "platform": "centos"
      },
      "id": "a392797746874909a0980d75e417dc04"
    },
    "agent": {
      "type": "filebeat",
      "ephemeral_id": "cea92563-33c5-450e-baf1-0dc1eb3059ca",
      "hostname": "worker",
      "id": "db1fe7ec-6e4e-468b-a9d9-d28e6a695b09",
      "version": "7.5.0"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-07-07T04:10:53.451Z"
    ]
  },
  "sort": [
    1594095053451
  ]
}
########################## divider ##################################################
{
  "_index": "filebeat-hkd-config_2020.07.07",
  "_type": "_doc",
  "_id": "xqB1J3MBSoQZ5wHW7jI5",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-07-07T04:08:28.817Z",
    "container": {
      "id": "hkd-config"
    },
    "log": {
      "file": {
        "path": "/var/log/pods/test_cloud-config-0_cca3f5ee-16f1-44b4-9306-11d65e5ffc54/hkd-config/0.log"
      },
      "offset": 42984
    },
    "message": "{\"log\":\"2020-07-07 12:08:19.752  INFO 1 --- [trap-executor-0] c.n.d.s.r.a.ConfigClusterResolver        : Resolving eureka endpoints via configuration\\n\",\"stream\":\"stdout\",\"time\":\"2020-07-07T04:08:19.753343937Z\"}",
    "input": {
      "type": "log"
    },
    "host": {
      "name": "worker",
      "hostname": "worker",
      "architecture": "x86_64",
      "os": {
        "version": "7 (Core)",
        "family": "redhat",
        "name": "CentOS Linux",
        "kernel": "3.10.0-1062.el7.x86_64",
        "codename": "Core",
        "platform": "centos"
      },
      "id": "a392797746874909a0980d75e417dc04",
      "containerized": false
    },
    "agent": {
      "type": "filebeat",
      "ephemeral_id": "cea92563-33c5-450e-baf1-0dc1eb3059ca",
      "hostname": "worker",
      "id": "db1fe7ec-6e4e-468b-a9d9-d28e6a695b09",
      "version": "7.5.0"
    },
    "ecs": {
      "version": "1.1.0"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-07-07T04:08:28.817Z"
    ]
  },
  "sort": [
    1594094908817
  ]
}

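2.3 Collect file logs in bulk

Without Logstash, I have not yet thought of a good way to send each source to its own specified index, so this time all log files are written to a single index; to tell entries apart when searching, use the value of the container.id field.

This also suggests an approach: with Logstash, the value of container.id can be used to separate the different log sources and to create and use a matching index for each. This is left for later study.

filebeat.yml configuration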

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/pods/*/*/*.log
  symlinks: true

output.elasticsearch:
  hosts: ["192.168.75.21:9200"]
  username: "elastic"
  password: "IjGj8QwWYeXY7rVoLLQ6"

Viewing the logs in ES Discover

Using Logstash to separate the log sources and create the matching indices in ES

filebeat.yml configuration

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/pods/*/*/*.log
  symlinks: true

output.logstash:
  hosts: ["192.168.75.21:5044"]

Logstash configuration file: ./config/conf.d/pods.conf

input {
  beats {
    port => "5044"
  }
}

output {

    #stdout { 
    #    codec => rubydebug  
    #}
  
    elasticsearch {
       hosts => ["192.168.75.21:9200"]
       index => "%{[container][id]}-%{+yyyy.MM.dd}" # note this value
       user => "elastic"
       password => "IjGj8QwWYeXY7rVoLLQ6"
    }
}
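
The index pattern in the Logstash output above depends on every event carrying container.id. The following added example (not part of the original post) reproduces that naming for events shaped like the Discover output on this page and shows what happens when the field is missing; the path fallback, the "unrouted" name, the function names and the sample events are assumptions made for illustration.

```python
import re
from datetime import datetime

# Layout seen in the paths on this page:
# /var/log/pods/<namespace>_<pod>_<uid>/<container>/<n>.log
POD_PATH = re.compile(
    r"^/var/log/pods/([^_/]+)_([^_/]+)_([^_/]+)/([^/]+)/(\d+)\.log$")
# Upper case and characters that Elasticsearch rejects in index names.
BAD_INDEX_CHARS = re.compile(r'[\\/*?"<>| ,#A-Z]')

# Constructed events, trimmed to the fields used for routing.
EVENTS = [
    {"@timestamp": "2020-07-07T03:09:41.177Z", "container": {"id": "hkd-eureka"}},
    # No container.id; 16:30 UTC is already 2020-07-08 00:30 at UTC+8.
    {"@timestamp": "2020-07-07T16:30:00.000Z", "log": {"file": {"path":
        "/var/log/pods/test_cloud-config-0_cca3f5ee-16f1-44b4-9306-11d65e5ffc54/hkd-config/0.log"}}},
    {"@timestamp": "2020-07-07T04:00:00.000Z", "log": {"file": {"path": "/tmp/other.log"}}},
]


def parse_pod_path(path):
    """Return namespace/pod/uid/container from a pod log path, or None."""
    m = POD_PATH.match(path)
    if not m:
        return None
    return dict(zip(("namespace", "pod", "uid", "container"), m.groups()))


def index_for(event):
    """Daily index name for one event, like %{[container][id]}-%{+yyyy.MM.dd}.
    Falls back to the path, then to "unrouted" (hypothetical name), so a
    missing container.id never stays as placeholder text in an index name."""
    name = (event.get("container") or {}).get("id")
    if not name:
        path = event.get("log", {}).get("file", {}).get("path", "")
        parsed = parse_pod_path(path)
        name = parsed["container"] if parsed else None
    if not name or BAD_INDEX_CHARS.search(name) or name[0] in "-_+":
        name = "unrouted"
    # The date part is taken from @timestamp, which is UTC.
    day = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return f"{name}-{day:%Y.%m.%d}"


if __name__ == "__main__":
    for ev in EVENTS:
        print(index_for(ev))
```

The second sample event shows that the daily index follows the UTC @timestamp, not the local time printed inside the application log line.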

Result:

As a small extension, multiple log files can also be handled this way with Logstash.

That more or less solves the problem, if not perfectly.

