0x00 背景
K8S内运行Spring Cloud微服务,根据定制容器架构要求log文件不落地,log全部输出到std管道,由基于docker的filebeat去管道采集,然后发往Kafka或者ES集群。
0x01 多行匹配和yaml文件
在filebeat启动的yaml文件内,指定相应的名称空间并配置java堆栈的多行解析规则,如下yaml文件输出端是kafka,如需要输出到es集群,可更改对应配置
apiVersion: v1 kind: Namespace metadata: name: logging --- apiVersion: v1 kind: ServiceAccount metadata: name: filebeat namespace: logging labels: k8s-app: filebeat --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: filebeat namespace: logging labels: k8s-app: filebeat rules: - apiGroups: [""] resources: - namespaces - pods verbs: - get - watch - list --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: filebeat namespace: logging subjects: - kind: ServiceAccount name: filebeat namespace: logging roleRef: kind: ClusterRole name: filebeat apiGroup: rbac.authorization.k8s.io --- apiVersion: v1 kind: ConfigMap metadata: name: filebeat-config namespace: logging labels: k8s-app: filebeat kubernetes.io/cluster-service: "true" data: filebeat.yml: |- filebeat.config: # inputs: # path: ${path.config}/inputs.d/*.yml # reload.enabled: true modules: path: ${path.config}/modules.d/*.yml reload.enabled: true filebeat.autodiscover: providers: - type: kubernetes hints.enabled: true templates: - condition: equals: # java堆栈对行日志出现的名称空间为wfw kubernetes.namespace: wfw config: - type: docker containers.ids: - "${data.kubernetes.container.id}" # 配置java堆栈多行匹配规则 multiline: pattern: '^[[:space:]]+(at|\.{3}\b|^Caused by:)' negate: false match: after - condition: equals: kubernetes.namespace: kube-system config: - type: docker containers.ids: - "${data.kubernetes.container.id}" # 输出数据到kafka output.kafka: enable: true hosts: ["xx.xx.xx.xx:9092","xx.xx.xx.xx:9092","xx.xx.xx.xx:9092"] topic: k8s_log --- apiVersion: v1 kind: ConfigMap metadata: name: filebeat-inputs namespace: logging labels: k8s-app: filebeat kubernetes.io/cluster-service: "true" data: kubernetes.yml: |- - type: docker containers.ids: - "*" processors: - add_kubernetes_metadata: in_cluster: true multiline: pattern: '^[A-Za-z ]+[0-9]{2} (?:[01]d|2[0123]):(?:[012345]d):(?:[012345]d)' negate: true match: after --- apiVersion: extensions/v1beta1 kind: DaemonSet metadata: name: filebeat namespace: logging labels: k8s-app: filebeat spec: template: metadata: labels: k8s-app: filebeat spec: serviceAccountName: filebeat terminationGracePeriodSeconds: 30 containers: - name: filebeat image: 10.131.141.200/public/filebeat:6.5.4 args: [ "-c", "/usr/share/filebeat/filebeat.yml", "-e", ] securityContext: runAsUser: 0 # If using Red Hat OpenShift uncomment this: #privileged: true resources: limits: cpu: 100m memory: 200Mi requests: cpu: 100m memory: 200Mi volumeMounts: - name: config mountPath: /usr/share/filebeat/filebeat.yml readOnly: true subPath: filebeat.yml - name: inputs mountPath: /usr/share/filebeat/inputs.d readOnly: true - name: data mountPath: /usr/share/filebeat/data - name: varlibdockercontainers mountPath: /var/lib/docker/containers readOnly: true volumes: - name: config configMap: defaultMode: 0600 name: filebeat-config - name: varlibdockercontainers hostPath: path: /var/lib/docker/containers - name: inputs configMap: defaultMode: 0600 name: filebeat-inputs # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart - name: data hostPath: path: /var/lib/filebeat-data type: DirectoryOrCreate --- apiVersion: v1 kind: ServiceAccount metadata: name: filebeat namespace: logging --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: filebeat roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: filebeat namespace: logging
0x02 结论
参考1 https://www.elastic.co/guide/en/beats/filebeat/6.7/_examples_of_multiline_configuration.html
多使用StackOverflow和Google,技术问题少问百度。