一、使用Filebeat根据标签收集日志¶
除了逐个配置 Namespace,也可以根据 Namespace 的标签进行过滤,更加方便。
比如只收集 Namespace 具有 filebeat=true 标签的空间日志:
1、备份配置文件
[root@k8s-master01 eck]# cp filebeat.yaml filebeat-label.yaml
2、修改filebeat配置文件
添加内容
- drop_event:
when:
or:
- not:
equals:
kubernetes.namespace_labels.filebeat: "true"
完整配置文件
[root@k8s-master01 eck]# vim filebeat-label.yaml
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
name: filebeat
spec:
type: filebeat
version: 8.17.0
image: registry.cn-hangzhou.aliyuncs.com/github_images1024/filebeat:8.17.0
config:
output.kafka:
hosts: ["kafka:9092"]
topic: '%{[fields.log_topic]}'
#topic: 'k8spodlogs'
filebeat.autodiscover.providers:
- node: ${NODE_NAME}
type: kubernetes
templates:
- config:
- paths:
- /var/log/containers/*${data.kubernetes.container.id}.log
tail_files: true
type: container
fields:
log_topic: k8spodlogs
processors:
- add_cloud_metadata: {}
- add_host_metadata: {}
- drop_event:
when:
or:
- not:
equals:
kubernetes.namespace_labels.filebeat: "true"
processors:
- add_cloud_metadata: {}
- add_host_metadata: {}
- drop_event:
when:
or:
- equals:
kubernetes.container.name: "filebeat"
daemonSet:
podTemplate:
spec:
serviceAccountName: filebeat
automountServiceAccountToken: true
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true # Allows to provide richer host metadata
containers:
- name: filebeat
securityContext:
runAsUser: 0
# If using Red Hat OpenShift uncomment this:
#privileged: true
volumeMounts:
- name: varlogcontainers
mountPath: /var/log/containers
- name: varlogpods
mountPath: /var/log/pods
- name: varlibdockercontainers
mountPath: /var/lib/docker/containers
- name: messages
mountPath: /var/log/messages
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumes:
- name: varlogcontainers
hostPath:
path: /var/log/containers
- name: varlogpods
hostPath:
path: /var/log/pods
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
- name: messages
hostPath:
path: /var/log/messages
3、重新应用filebeat配置文件
[root@k8s-master01 eck]# k replace -f filebeat-label.yaml -n logging
# 验证查看
[root@k8s-master01 eck]# kgp -n logging | grep filebea
filebeat-beat-filebeat-57j8v 1/1 Running 0 7s
filebeat-beat-filebeat-hjspd 1/1 Running 0 3s
filebeat-beat-filebeat-vdjkx 1/1 Running 0 5s
4、模拟访问
[root@k8s-master01 eck]# kgp -A -owide | grep krm
krm krm-backend-6ff5c5f58c-wf5r9 1/1 Running 7 (65m ago) 40d 192.168.85.231 k8s-node01 <none> <none>
krm krm-frontend-588ffd677b-clxdx 1/1 Running 8 (65m ago) 40d 192.168.85.235 k8s-node01 <none> <none>
# 模拟访问
[root@k8s-master01 eck]# while true;do curl 192.168.85.235;done
5、在搜索框中搜索namespace,选择kubernetes.namespace后,点击后面的【+】,查看krm命名空间下的日志信息,观察到没有任何日志信息
6、给krm命名空间添加filebeat="true"的标签
# 验证之前没有添加
[root@k8s-master01 eck]# kg ns krm --show-labels | grep filebeat
# 新增标签
[root@k8s-master01 eck]# k label ns krm filebeat="true"
# 验证,已添加
[root@k8s-master01 eck]# kg ns krm --show-labels | grep filebeat
krm Active 40d filebeat=true,kubernetes.io/metadata.name=krm
7、重新测试访问
[root@k8s-master01 eck]# kgp -A -owide | grep krm
krm krm-backend-6ff5c5f58c-wf5r9 1/1 Running 7 (65m ago) 40d 192.168.85.231 k8s-node01 <none> <none>
krm krm-frontend-588ffd677b-clxdx 1/1 Running 8 (65m ago) 40d 192.168.85.235 k8s-node01 <none> <none>
# 模拟访问
[root@k8s-master01 eck]# while true;do curl 192.168.85.235;done
8、在搜索框中搜索namespace,选择kubernetes.namespace后,点击后面的【+】,查看krm命名空间下的日志信息,现在可以观察到日志信息
