介绍
- 每个Node节点上的容器应用日志,默认都会在/var/log/containers (标准输出)
- Pod -> /var/log/containers/*.log -> Filebeat -> Logstash -> 其他输出
- app-*.log 是你的应用日志文件(可在宿主机的/var/log/containers/目录下查看自己的日志格式)
使用DaemonSet安装 filebeat (filebeat.yaml)
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: filebeat
name: filebeat-daemonset
spec:
selector:
matchLabels:
app: filebeat
template:
metadata:
labels:
app: filebeat
spec:
containers:
- name: filebeat-daemonset
image: docker.elastic.co/beats/filebeat:7.12.1
args: [
"-c", "/usr/share/filebeat/filebeat.yml",
"-e",
]
securityContext:
runAsUser: 0
volumeMounts:
- mountPath: /usr/share/filebeat/filebeat.yml
name: volume-configmap
subPath: filebeat.yml
readOnly: true
- mountPath: /data/app/docker/containers
name: varlibdockercontainers
readOnly: true
- name: varlog
mountPath: /var/log
readOnly: true
volumes:
- name: volume-configmap
configMap:
defaultMode: 420
name: filebeat-configmap
- name: varlibdockercontainers
hostPath:
path: /data/app/docker/containers
- name: varlog
hostPath:
path: /var/log
---
apiVersion: v1
data:
filebeat.yml: |-
filebeat.inputs:
- type: log
symlinks: true
paths:
- /var/log/containers/app-*.log
output.logstash:
hosts: ["172.12.17.166:5044"]
kind: ConfigMap
metadata:
name: filebeat-configmap
配置 logstash.conf
input {
beats {
port => "5044"
}
}
filter {
if "error" in [message]{
mutate{
add_field => {"logtag"=>"error"}
}
}else if "info" in [message]{
mutate{
add_field => {"logtag"=>"info"}
}
}else{
mutate{
add_field => {"logtag"=>"debug"}
}
}
}
output {
if [logtag]=="error"{
file {
path => "/path/to/k8s-error/%{+yyyy-MM-dd}.log.gz"
codec => line { format => "%{message}"}
gzip => true
}
}
if [logtag]=="info"{
file {
path => "/path/to/k8s-info/%{+yyyy-MM-dd}.log.gz"
codec => line { format => "%{message}"}
gzip => true
}
}
if [logtag]=="debug"{
file {
path => "/path/to/k8s-debug/%{+yyyy-MM}.log.gz"
codec => line { format => "%{message}"}
gzip => true
}
}
}