1 默认配置
1.1 filebeat
filebeat-7.17.yml,从网关中下载k8s的配置,指定es和kibana的配置
通过kibana查询可以查询到日志了,但此时还不知道具体怎么用。
1.2 kibana
在Discover中创建索引格式:filebeat-*,得到如下图,可以看出acc-statement-server的日志最多。但里面的字段太多了,下面应该怎么看呢?
再跟进查看日志,filebeat应该是每一样记录一次,这个浪费了很多存储空间。另外排查问题也并不好查。
2 多行合并输出
如果使用默认的配置,每一行日志,就会产生一条记录。
2.1 filebeat
增加多行规则匹配
设置索引,符合条件走自己的索引,否则则为默认索引
output.elasticsearch:hosts: ['10.101.10.2:9200','10.101.10.3:9200','10.101.10.4:9200']username: ${ELASTICSEARCH_USERNAME}password: ${ELASTICSEARCH_PASSWORD}indices:- index: acc-accountbook-server-%{+yyyy.MM.dd}when.contains:kubernetes.container.name: acc-accountbook-server- index: acc-analysis-server-%{+yyyy.MM.dd}when.contains:kubernetes.container.name: acc-analysis-serverindex: filebeat-7.17.25-%{+yyyy.MM.dd}在kibana中跟进日志,发现少部分日志输出成功,大多失败,这是什么原因呢?
为什么有些可以添加数据,有些不能呢
调试发现,我在索引前面加上了eayc就可以了,看来问题就出现在索引策略
2.2 logback
上面的时间分割,是需要logback配置与之对应。如我的系统日志打印出来的是这个,那么filebeat中就无法实现多行合并了。
如下图修改logback配置。
2.3 pipeline
在elasticsearch中创建pipeline,参考了【ELK】到【EFK】,【Filebeat】收集【SpringBoot】日志,但最终还是放弃了,还是按照k8s自带的格式,这样便于处理,不需要非得自定义格式。
PUT _ingest/pipeline/eayc_log_pipeline
{"description": "岁月云日志管道","processors": [{"remove": {"field": "agent.name","ignore_missing": true}},{"remove": {"field": "agent.ephemeral_id","ignore_missing": true}},{"remove": {"field": "log.file.path","ignore_missing": true}},{"remove": {"field": "input.type","ignore_missing": true}},{"remove": {"field": "kubernetes.node.labels.kubernetes_io/hostname","ignore_missing": true}},{"remove": {"field": "kubernetes.labels.k8s_kuboard_cn/layer","ignore_missing": true}},{"remove": {"field": "kubernetes.deployment.name","ignore_missing": true}},{"remove": {"field": "container.runtime","ignore_missing": true}},{"remove": {"field": "ecs.version","ignore_missing": true}},{"remove": {"field": "host.architecture","ignore_missing": true}},{"remove": {"field": "host.containerized","ignore_missing": true}},{"remove": {"field": "host.mac","ignore_missing": true}},{"remove": {"field": "host.os.codename","ignore_missing": true}},{"remove": {"field": "host.os.name","ignore_missing": true}},{"remove": {"field": "host.os.platform","ignore_missing": true}},{"remove": {"field": "kubernetes.labels.k8s_kuboard_cn/name","ignore_missing": true}},{"remove": {"field": "kubernetes.labels.pod-template-hash","ignore_missing": true}},{"remove": {"field": "kubernetes.namespace_uid","ignore_missing": true}},{"remove": {"field": "kubernetes.node.labels.beta_kubernetes_io/arch","ignore_missing": true}},{"remove": {"field": "kubernetes.node.labels.beta_kubernetes_io/os","ignore_missing": true}},{"remove": {"field": "log.flags","ignore_missing": true}},{"remove": {"field": "log.offset","ignore_missing": true}},{"remove": {"field": "kubernetes.container.id","ignore_missing": true}},{"remove": {"field": "kubernetes.pod.uid","ignore_missing": true}}]
}创建索引策略
PUT _ilm/policy/eayc_log_policy
{"policy": {"phases": {"hot": {"min_age": "0ms","actions": {"rollover": {"max_size": "50gb","max_age": "30d"}}},"delete": {"min_age": "90d","actions": {"delete": {}}}}}
}2.4 elasticsearch
在k8s中启动filebeat中,查看filebeat的日志发现
2024-10-29T07:55:33.935Z ERROR [elasticsearch] elasticsearch/client.go:226 failed to perform any bulk index operations: 500 Internal Server Error: {"error":{"root_cause":[{"type":"illegal_state_exception","reason":"There are no ingest nodes in this cluster, unable to forward request to an ingest node."}],"type":"illegal_state_exception","reason":"There are no ingest nodes in this cluster, unable to forward request to an ingest node."},"status":500}则需要在elasticsearch.yml中增加配置
node.roles: [ingest]创建组合模板
PUT _component_template/filebeat_settings
{"template": {"settings": {"number_of_shards": 1,"number_of_replicas": 1}}
}PUT _component_template/filebeat_mappings
{"template": {"mappings": {"properties": {"@timestamp": {"type": "date"},"message": {"type": "text"}}}}
}PUT _component_template/eayc_mappings
{"template": {"mappings": {"properties": {"@timestamp": {"type": "date"},"message": {"type": "text"},"custom_field": {"type": "keyword"}}}}
}PUT _component_template/acc_mappings
{"template": {"mappings": {"properties": {"@timestamp": {"type": "date"},"message": {"type": "text"},"custom_field": {"type": "keyword"}}}}
}PUT _index_template/filebeat
{"index_patterns": ["filebeat-*"],"composed_of": ["filebeat_settings", "filebeat_mappings"],"priority": 100,"template": {"settings": {"index.lifecycle.name": "eayc_log_policy","index.lifecycle.rollover_alias": "filebeat-write"}}
}PUT _index_template/eayc
{"index_patterns": ["eayc-*"],"composed_of": ["filebeat_settings", "eayc_mappings"],"priority": 100,"template": {"settings": {"index.lifecycle.name": "eayc_log_policy","index.lifecycle.rollover_alias": "filebeat-write"}}
}PUT _index_template/acc
{"index_patterns": ["acc-*"],"composed_of": ["filebeat_settings", "acc_mappings"],"priority": 100,"template": {"settings": {"index.lifecycle.name": "eayc_log_policy","index.lifecycle.rollover_alias": "filebeat-write"}}
}
接着再看acc添加进去了
再看日志数据出来了
)
运行环境)
)
:FrameLayout遇到的坑)
:适配器模式、装饰器模式)
