ELK 日志收集

我会带着你远行 2024-04-03 06:53 185阅读 0赞

文章目录

  • 方案
  • 部署 FileBeat
    • helm部署
    • yaml 部署
  • 部署 Elastic
    • 安装 eck
    • 安装 elastic
  • 部署 Kibana

方案

  1. 部署 FileBeat 从集群每个节点采集日志
  2. FileBeat 发送日志到 ElasticSearch 并保存
  3. 部署 Kibana 展示 ElasticSearch 数据

采集

采集

采集

发送

发送

发送

展示

节点

FileBeat

节点

FileBeat

节点

FileBeat

Elastic

Kibana

部署 FileBeat

helm部署

官方文档: https://github.com/elastic/helm-charts/tree/master/filebeat

部署命令

  1. helm repo add elastic https://helm.elastic.co
  2. helm install fb elastic/filebeat -f values.yaml -n kube-system

当前最新为 8.5.1,但本文使用 7.17 版本
在这里插入图片描述

values.yaml 文件

配置参考文档:https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-container.html

input.paths:模糊匹配需要收集的日志路径
input.fields:定义收集日志的 key
input.fields_under_root:设置 ture,fields存储在输出文档的顶级位置,参考文章 :filebeat输出结果到elasticsearch的多个索引
setup.template:自定义索引
setup.ilm.enabled:设置 falsel;若启用,则忽略 output.elasticsearch.index 的设置
output.elasticsearch.indices.index:设置 elastic 的索引
output.elasticsearch.indices.when.contains:对应 input 的 fields

  1. filebeatConfig:
  2.   filebeat.yml: |
  3.     filebeat.inputs:
  4.     - type: container
  5.       paths:
  6.         - /var/log/containers/*dev_permission-service*.log
  7.       fields:
  8.         app_id: "dev-permission"
  9.       fields_under_root: true
  11.     - type: container
  12.       paths:
  13.         - /var/log/containers/*dev_converter-service*.log
  14.       fields:
  15.         app_id: "dev-converter"
  16.       fields_under_root: true
  18.     setup.template.enabled: true
  19.     setup.template.fields: fields.yml
  20.     setup.template.name: "k8s"
  21.     setup.template.pattern: "k8s-*"
  22.     setup.template.enabled: true
  23.     setup.ilm.enabled: false
  25.     output.elasticsearch:
  26.       index: "k8s-other"
  27.       username: 'elastic'
  28.       password: 'xxxxx'
  29.       protocol: http
  30.       hosts: ["http://elsmy.saas.api.gd-njc.com:80"]
  31.       indices:
  32.       - index: "k8s-dev-permission-%{+yyyy.MM.dd}"
  33.         when.contains:
  34.           app_id: "dev-permission"
  35.       - index: "k8s-dev-converter-%{+yyyy.MM.dd}"
  36.         when.contains:
  37.           app_id: "dev-converter"

yaml 部署

官方文档:https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html

编辑 filebeat-kubernetes.yaml

  1. ---
  2. apiVersion: v1
  3. kind: ConfigMap
  4. metadata:
  5.   name: filebeat-config
  6.   namespace: kube-system
  7.   labels:
  8.     k8s-app: filebeat
  9. data:
  10.   filebeat.yml: |-
  11.     filebeat.inputs:
  12.     - type: container
  13.       paths:
  14.         - /var/log/containers/*dev_permission-service*.log
  15.       fields:
  16.         app_id: "dev-permission"
  17.       fields_under_root: true
  19.     - type: container
  20.       paths:
  21.         - /var/log/containers/*dev_converter-service*.log
  22.       fields:
  23.         app_id: "dev-converter"
  24.       fields_under_root: true
  26.     setup.template.enabled: true
  27.     setup.template.fields: fields.yml
  28.     setup.template.name: "k8s"
  29.     setup.template.pattern: "k8s-*"
  30.     setup.template.enabled: true
  31.     setup.ilm.enabled: false
  33.     output.elasticsearch:
  34.       index: "k8s-other"
  35.       username: 'elastic'
  36.       password: 'xxxxx'
  37.       protocol: http
  38.       hosts: ["http://elsmy.saas.api.gd-njc.com:80"]
  39.       indices:
  40.       - index: "k8s-dev-permission-%{+yyyy.MM.dd}"
  41.         when.contains:
  42.           app_id: "dev-permission"
  43.       - index: "k8s-dev-converter-%{+yyyy.MM.dd}"
  44.         when.contains:
  45.           app_id: "dev-converter"
  46. ---
  47. apiVersion: apps/v1
  48. kind: DaemonSet
  49. metadata:
  50.   name: filebeat
  51.   namespace: kube-system
  52.   labels:
  53.     k8s-app: filebeat
  54. spec:
  55.   selector:
  56.     matchLabels:
  57.       k8s-app: filebeat
  58.   template:
  59.     metadata:
  60.       labels:
  61.         k8s-app: filebeat
  62.     spec:
  63.       serviceAccountName: filebeat
  64.       terminationGracePeriodSeconds: 30
  65.       hostNetwork: true
  66.       dnsPolicy: ClusterFirstWithHostNet
  67.       containers:
  68.       - name: filebeat
  69.         image: docker.elastic.co/beats/filebeat:8.4.2
  70.         args: [
  71.           "-c", "/etc/filebeat.yml",
  72.           "-e",
  73.         ]
  74.         env:
  75.         - name: ELASTICSEARCH_HOST
  76.           value: elasticsearch
  77.         - name: ELASTICSEARCH_PORT
  78.           value: "9200"
  79.         - name: ELASTICSEARCH_USERNAME
  80.           value: elastic
  81.         - name: ELASTICSEARCH_PASSWORD
  82.           value: changeme
  83.         - name: ELASTIC_CLOUD_ID
  84.           value:
  85.         - name: ELASTIC_CLOUD_AUTH
  86.           value:
  87.         - name: NODE_NAME
  88.           valueFrom:
  89.             fieldRef:
  90.               fieldPath: spec.nodeName
  91.         securityContext:
  92.           runAsUser: 0
  93.           # If using Red Hat OpenShift uncomment this:
  94.           #privileged: true
  95.         resources:
  96.           limits:
  97.             memory: 200Mi
  98.           requests:
  99.             cpu: 100m
  100.             memory: 100Mi
  101.         volumeMounts:
  102.         - name: config
  103.           mountPath: /etc/filebeat.yml
  104.           readOnly: true
  105.           subPath: filebeat.yml
  106.         - name: data
  107.           mountPath: /usr/share/filebeat/data
  108.         - name: varlibdockercontainers
  109.           mountPath: /var/lib/docker/containers
  110.           readOnly: true
  111.         - name: varlog
  112.           mountPath: /var/log
  113.           readOnly: true
  114.       volumes:
  115.       - name: config
  116.         configMap:
  117.           defaultMode: 0640
  118.           name: filebeat-config
  119.       - name: varlibdockercontainers
  120.         hostPath:
  121.           path: /var/lib/docker/containers
  122.       - name: varlog
  123.         hostPath:
  124.           path: /var/log
  125.       # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
  126.       - name: data
  127.         hostPath:
  128.           # When filebeat runs as non-root user, this directory needs to be writable by group (g+w).
  129.           path: /var/lib/filebeat-data
  130.           type: DirectoryOrCreate
  131. ---
  132. apiVersion: rbac.authorization.k8s.io/v1
  133. kind: ClusterRoleBinding
  134. metadata:
  135.   name: filebeat
  136. subjects:
  137. - kind: ServiceAccount
  138.   name: filebeat
  139.   namespace: kube-system
  140. roleRef:
  141.   kind: ClusterRole
  142.   name: filebeat
  143.   apiGroup: rbac.authorization.k8s.io
  144. ---
  145. apiVersion: rbac.authorization.k8s.io/v1
  146. kind: RoleBinding
  147. metadata:
  148.   name: filebeat
  149.   namespace: kube-system
  150. subjects:
  151.   - kind: ServiceAccount
  152.     name: filebeat
  153.     namespace: kube-system
  154. roleRef:
  155.   kind: Role
  156.   name: filebeat
  157.   apiGroup: rbac.authorization.k8s.io
  158. ---
  159. apiVersion: rbac.authorization.k8s.io/v1
  160. kind: RoleBinding
  161. metadata:
  162.   name: filebeat-kubeadm-config
  163.   namespace: kube-system
  164. subjects:
  165.   - kind: ServiceAccount
  166.     name: filebeat
  167.     namespace: kube-system
  168. roleRef:
  169.   kind: Role
  170.   name: filebeat-kubeadm-config
  171.   apiGroup: rbac.authorization.k8s.io
  172. ---
  173. apiVersion: rbac.authorization.k8s.io/v1
  174. kind: ClusterRole
  175. metadata:
  176.   name: filebeat
  177.   labels:
  178.     k8s-app: filebeat
  179. rules:
  180. - apiGroups: [""] # "" indicates the core API group
  181.   resources:
  182.   - namespaces
  183.   - pods
  184.   - nodes
  185.   verbs:
  186.   - get
  187.   - watch
  188.   - list
  189. - apiGroups: ["apps"]
  190.   resources:
  191.     - replicasets
  192.   verbs: ["get", "list", "watch"]
  193. - apiGroups: ["batch"]
  194.   resources:
  195.     - jobs
  196.   verbs: ["get", "list", "watch"]
  197. ---
  198. apiVersion: rbac.authorization.k8s.io/v1
  199. kind: Role
  200. metadata:
  201.   name: filebeat
  202.   # should be the namespace where filebeat is running
  203.   namespace: kube-system
  204.   labels:
  205.     k8s-app: filebeat
  206. rules:
  207.   - apiGroups:
  208.       - coordination.k8s.io
  209.     resources:
  210.       - leases
  211.     verbs: ["get", "create", "update"]
  212. ---
  213. apiVersion: rbac.authorization.k8s.io/v1
  214. kind: Role
  215. metadata:
  216.   name: filebeat-kubeadm-config
  217.   namespace: kube-system
  218.   labels:
  219.     k8s-app: filebeat
  220. rules:
  221.   - apiGroups: [""]
  222.     resources:
  223.       - configmaps
  224.     resourceNames:
  225.       - kubeadm-config
  226.     verbs: ["get"]
  227. ---
  228. apiVersion: v1
  229. kind: ServiceAccount
  230. metadata:
  231.   name: filebeat
  232.   namespace: kube-system
  233.   labels:
  234.     k8s-app: filebeat
  235. ---

部署命令

  1. kubectl apply -f filebeat-kubernetes.yaml

部署 Elastic

官网:https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html

安装 eck

官网:https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-deploy-eck.html

安装 crds 和 operator

  1. kubectl create -f https://download.elastic.co/downloads/eck/2.5.0/crds.yaml
  2. kubectl apply -f https://download.elastic.co/downloads/eck/2.5.0/operator.yaml

查看 operator 运行日志

  1. kubectl -n elastic-system logs -f statefulset.apps/elastic-operator

在这里插入图片描述

安装 elastic

部署命令

  1. kubectl apply -f deployment.yaml

deployment.yaml 文件

namespace:配置命名空间
tls:关闭 tls 协议,配置文章:https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-transport-settings.html
storageClassName:配置存储卷,可以参考文章 nfs-client
storage:配置存储空间,预设 10Gi,配置文章:https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-volume-claim-templates.html
resources:配置最大最小内存,配置文章:https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-managing-compute-resources.html
ES_JAVA_OPTS:配置最大最小 java 内存,配置文章:https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-jvm-heap-dumps.html

  1. apiVersion: elasticsearch.k8s.elastic.co/v1
  2. kind: Elasticsearch # 需要安装es operator
  3. metadata:
  4.   name: es
  5.   namespace: els-test
  6. spec:
  7.   version: 7.11.2
  8.   http:
  9.     tls:
  10.       selfSignedCertificate:
  11.         disabled: true
  12.   nodeSets:
  13.     - name: es
  14.       count: 3
  15.       volumeClaimTemplates:
  16.         - metadata:
  17.             name: elasticsearch-data
  18.           spec:
  19.             accessModes:
  20.               - ReadWriteOnce
  21.             resources:
  22.               requests:
  23.                 storage: 10Gi
  24.             storageClassName: nfs-client
  25.       podTemplate:
  26.         spec:           
  27.           containers:
  28.             - name: elasticsearch
  29.               env:
  30.                 - name: ES_JAVA_OPTS
  31.                   value: "-Xms2g -Xmx2g"
  32.               resources:
  33.                 requests:
  34.                   memory: 3Gi
  35.                 limits:
  36.                   memory: 3Gi

部署结果
在这里插入图片描述

解决报错

报错信息:

ERROR: [1] bootstrap checks failed
[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

解决报错

  1. 修改配置: vi /etc/sysctl.conf
  2. 添加配置: vm.max_map_count=655360
  3. 并=执行命令: sysctl -p
  4. 检查:sysctl -a | grep vm.max_map_count

登录
账号:elastic
密码:

  1. kubectl  get secret es-es-elastic-user -n els-test -o=jsonpath='{.data.elastic}' | base64 --decode

在这里插入图片描述

配置 ingress 或 nodeport ,参考文章:ingress 部署
在这里插入图片描述

结果如下即 elastic 部署成功,cluster_name 是 es

在这里插入图片描述

查看elastic集群索引信息:/_cat/indices?v
在这里插入图片描述

部署 Kibana

部署命令

  1. kubectl apply -f kibana.yaml

kibana.yaml

namespace:和 elastic 一样
tls:关闭 tls 协议
elasticsearchRef:和 elastic 的 cluster_name 一样
编写 deployment.yaml 文件

  1. apiVersion: kibana.k8s.elastic.co/v1
  2. kind: Kibana
  3. metadata:
  4.   name: kibana
  5.   namespace: els-test
  6. spec:
  7.   version: 7.11.2
  8.   count: 1
  9.   elasticsearchRef:
  10.     name: es
  11.   http:
  12.     tls:
  13.       selfSignedCertificate:
  14.         disabled: true

部署结果
在这里插入图片描述

配置 ingress 或 nodeport ,参考文章:ingress 部署
在这里插入图片描述

配置索引正则: [manage space] -> [index patterns]
在这里插入图片描述
创建索引正则匹配
在这里插入图片描述

在 discover 可以选择配置好的正则
在这里插入图片描述

选择 message,只看日志消息
在这里插入图片描述

发表评论

表情:
评论列表 (有 0 条评论,185人围观)

还没有评论,来说两句吧...

相关阅读