K8S：使用Filebeat收集K8S内Pod应用日志

之前是针对标准输出进行采集，现在来看一下针对于容器当中的日志，是在pod当中添加一个日志采集器，这里部署一个应用，单独部署一个容器，这个容器是filebeat日志采集器，这一块就通过emptydir来实现数据的共享。

filebeat的配置放在configmap当中，指明了日志采集的路径在哪，这个日志没有在标准输出当中，虽然是个nginx镜像。所以这里的日志还是存放在容器当中的。

apiVersion: apps/v1
kind: Deployment
metadata:
name: app-log-logfile
spec:
replicas: 3
selector:
matchLabels:
project: microservice
app: nginx-logfile
template:
metadata:
labels:
project: microservice
app: nginx-logfile
spec:
containers:
# 应用容器
- name: nginx
image: lizhenliang/nginx-php
# 将数据卷挂载到日志目录
volumeMounts:
- name: nginx-logs
mountPath: /usr/local/nginx/logs
# 日志采集器容器
- name: filebeat
image: elastic/filebeat:7.9.2
args: [
"-c", "/etc/filebeat.yml",
"-e",
]
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
memory: 500Mi
securityContext:
runAsUser: 0
volumeMounts:
# 挂载filebeat配置文件
- name: filebeat-config
mountPath: /etc/filebeat.yml
subPath: filebeat.yml
# 将数据卷挂载到日志目录
- name: nginx-logs
mountPath: /usr/local/nginx/logs
# 数据卷共享日志目录
volumes:
- name: nginx-logs
emptyDir: {}
- name: filebeat-config
configMap:
name: filebeat-nginx-config
---
apiVersion: v1
kind: Service
metadata:
name: app-log-logfile
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
project: microservice
app: nginx-logfile
---
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-nginx-config

data:
# 配置文件保存在ConfigMap
filebeat.yml: |-
filebeat.inputs:
- type: log
paths:
- /usr/local/nginx/logs/access.log
# tags: ["access"]
fields_under_root: true
fields:
project: microservice
app: nginx

setup.ilm.enabled: false
setup.template.name: "nginx-access"
setup.template.pattern: "nginx-access-*"

output.elasticsearch:
hosts: ['elasticsearch.ops:9200']
index: "nginx-access-%{+yyyy.MM.dd}"



#这里是给项目打上了标签，标明日志来源
fields:
project: microservice
app: nginx
[root@master elk]# kubectl run -it busybox --image=busybox:1.28.4 --rm sh
If you don't see a command prompt, try pressing enter.
/ # nslookup elasticsearch.ops
Server: 169.254.25.10
Address 1: 169.254.25.10

Name: elasticsearch.ops
Address 1: 10.233.51.153 elasticsearch.ops.svc.cluster.local
/ #


[root@master ~]# kubectl get svc -n ops
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch ClusterIP 10.233.51.153 <none> 9200/TCP 12h
kibana NodePort 10.233.17.6 <none> 5601:30601/TCP 12h
现在日志采集器采集到日志之后会推送到elastic里面

[root@master elk]# kubectl get pod -n ops
NAME READY STATUS RESTARTS AGE
app-log-logfile-75b98c44bd-dmkhn 2/2 Running 0 13m
elasticsearch-549b496f94-rzt85 1/1 Running 1 13h
filebeat-d9hm5 1/1 Running 1 13h
filebeat-j49lr 1/1 Running 1 13h
kibana-5c7bd6f4c5-ccnvt 1/1 Running 1 13h



[root@master elk]# kubectl get svc -n ops
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
app-log-logfile ClusterIP 10.233.1.237 <none> 80/TCP 15m
elasticsearch ClusterIP 10.233.51.153 <none> 9200/TCP 13h
kibana NodePort 10.233.17.6 <none> 5601:30601/TCP 13h


[root@master elk]# curl 10.233.1.237/status.html
ok
filebeat:
Container ID: docker://eeff7cfd77b7aebb62e5161e0828ea020b018fb2d92f84aae0df758a4d296e11
Image: elastic/filebeat:7.9.2
Image ID: docker-pullable://elastic/filebeat@sha256:4276cd8246821c085d1abb4547ab3bbb66f9f818e927a5270ffa1d4fb16ebead
Port: <none>
Host Port: <none>
Args:
-c
/etc/filebeat.yml
-e
State: Running
Started: Sat, 25 Sep 2021 11:09:39 +0800
Ready: True
Restart Count: 0
Limits:
memory: 500Mi
Requests:
cpu: 100m
memory: 100Mi
Environment: <none>
Mounts:
/etc/filebeat.yml from filebeat-config (rw,path="filebeat.yml")
/usr/local/nginx/logs from nginx-logs (rw)
/var/run/secrets/kubernetes.io/serviceaccount from default-token-sqqw5 (ro)




[root@master elk]# kubectl exec -it app-log-logfile-75b98c44bd-dmkhn -c filebeat -n ops sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
sh-4.2# cd /usr/local/nginx/logs
sh-4.2# ls
access.log error.log
sh-4.2# cat access.log
10.233.70.0 - - [25/Sep/2021:11:21:30 +0800] "GET / HTTP/1.1" 403 146 "-" "curl/7.29.0"
10.233.70.0 - - [25/Sep/2021:11:25:36 +0800] "GET / HTTP/1.1" 403 146 "-" "curl/7.29.0"
10.233.70.0 - - [25/Sep/2021:11:25:59 +0800] "GET /status.html HTTP/1.1" 200 3 "-" "curl/7.29.0"
可以看到索引了

project和app标志了项目的来源

所以，不同的应用名称索引名称和标签都需要修改！

output.elasticsearch:
hosts: ['elasticsearch.ops:9200']
index: "nginx-access-%{+yyyy.MM.dd}"

fields:
project: microservice
app: nginx
namespace: ops
deployment: app-log-logfile

文章知识点与官方知识档案匹配，可进一步学习相关知识
云原生入门技能树首页概览15272 人正在系统学习中
————————————————
版权声明：本文为CSDN博主「富士康质检员张全蛋」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/qq_34556414/article/details/120468826