一、使用 Filebeat 收集指定命名空间的日志
有时只需要收集部分命名空间的日志,而不是所有日志。此时可以通过修改 Filebeat 的配置,只收集指定命名空间的日志。
假如只收集 krm 和 kube-system 命名空间下的日志:
1、修改filebeat配置文件
[root@k8s-master01 eck]# cp filebeat.yaml filebeat-ns.yaml
# 修改如下配置信息
[root@k8s-master01 eck]# vim filebeat-ns.yaml
...
...
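# Autodiscover templates, one entry per namespace to collect. These entries
# belong in the `templates:` list of the kubernetes autodiscover provider
# (filebeat.autodiscover.providers); indent them to match that list.
- config:
  - paths:
    - /var/log/containers/*${data.kubernetes.container.id}.log
    # Files not yet tracked are read from the end, so lines written before
    # Filebeat first sees a file are not shipped.
    tail_files: true
    type: container
    fields:
      # Referenced by the Kafka output as %{[fields.log_topic]}.
      log_topic: k8spodlogs
    processors:
    - add_cloud_metadata: {}
    - add_host_metadata: {}
  # This input is only created for pods in the "krm" namespace.
  condition.equals.kubernetes.namespace: krm
- config:
  - paths:
    - /var/log/containers/*${data.kubernetes.container.id}.log
    tail_files: true
    type: container
    fields:
      log_topic: k8spodlogs
    processors:
    - add_cloud_metadata: {}
    - add_host_metadata: {}
  # This input is only created for pods in the "kube-system" namespace.
  condition.equals.kubernetes.namespace: kube-system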
...
...
# 完整配置文件
[root@k8s-master01 eck]# vim filebeat-ns.yaml
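# ECK Beat resource: runs Filebeat as a DaemonSet and ships container logs
# from the krm and kube-system namespaces to Kafka.
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: filebeat
spec:
  type: filebeat
  version: 8.17.0
  # NOTE(review): the image is pulled from a mirror registry, not from Elastic's
  # own registry. Verify it against the official filebeat 8.17.0 image and pin
  # it by digest before deploying.
  image: registry.cn-hangzhou.aliyuncs.com/github_images1024/filebeat:8.17.0
  config:
    # NOTE(review): no ssl.* or SASL (username/password) settings are present,
    # so as written the logs reach Kafka unencrypted and unauthenticated.
    # Configure them unless the broker is only reachable on a trusted network.
    output.kafka:
      hosts: ["kafka:9092"]
      # Topic is taken from the per-input field set in the templates below.
      topic: '%{[fields.log_topic]}'
      #topic: 'k8spodlogs'
    filebeat.autodiscover.providers:
    - node: ${NODE_NAME}
      type: kubernetes
      # One template per namespace; pods in other namespaces match no template
      # and get no input.
      templates:
      - config:
        - paths:
          - /var/log/containers/*${data.kubernetes.container.id}.log
          # Files not yet tracked are read from the end, so lines written
          # before Filebeat first sees a file are not shipped.
          tail_files: true
          type: container
          fields:
            log_topic: k8spodlogs
          processors:
          - add_cloud_metadata: {}
          - add_host_metadata: {}
        condition.equals.kubernetes.namespace: krm
      - config:
        - paths:
          - /var/log/containers/*${data.kubernetes.container.id}.log
          tail_files: true
          type: container
          fields:
            log_topic: k8spodlogs
          processors:
          - add_cloud_metadata: {}
          - add_host_metadata: {}
        condition.equals.kubernetes.namespace: kube-system
    processors:
    - add_cloud_metadata: {}
    - add_host_metadata: {}
    # Drop Filebeat's own container logs.
    - drop_event:
        when:
          or:
          - equals:
              kubernetes.container.name: "filebeat"
  daemonSet:
    podTemplate:
      spec:
        # NOTE(review): the "filebeat" ServiceAccount and its RBAC are not
        # defined in this file. The kubernetes autodiscover provider needs the
        # token to query the API server; confirm the account only has read
        # access to the resources it needs.
        serviceAccountName: filebeat
        automountServiceAccountToken: true
        terminationGracePeriodSeconds: 30
        dnsPolicy: ClusterFirstWithHostNet
        hostNetwork: true # Allows to provide richer host metadata
        containers:
        - name: filebeat
          securityContext:
            # Runs as root, presumably so the container can read root-owned
            # host log files. Combined with hostNetwork and the hostPath
            # mounts below, treat this pod as node-privileged.
            runAsUser: 0
            # If using Red Hat OpenShift uncomment this:
            #privileged: true
          # Filebeat only reads from these host paths, so they are mounted
          # read-only to stop the container from altering host logs.
          volumeMounts:
          - name: varlogcontainers
            mountPath: /var/log/containers
            readOnly: true
          - name: varlogpods
            mountPath: /var/log/pods
            readOnly: true
          - name: varlibdockercontainers
            mountPath: /var/lib/docker/containers
            readOnly: true
          # NOTE(review): no input in this manifest reads /var/log/messages.
          # Drop this mount (and its volume) if host syslog is not collected.
          - name: messages
            mountPath: /var/log/messages
            readOnly: true
          env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
        volumes:
        - name: varlogcontainers
          hostPath:
            path: /var/log/containers
        - name: varlogpods
          hostPath:
            path: /var/log/pods
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        - name: messages
          hostPath:
            path: /var/log/messages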
2、重新应用filebeat配置文件
[root@k8s-master01 eck]# k replace -f filebeat-ns.yaml -n logging
# 验证查看
[root@k8s-master01 eck]# kgp -n logging | grep filebea
filebeat-beat-filebeat-7wslr 1/1 Running 0 3m11s
filebeat-beat-filebeat-g8fff 1/1 Running 0 3m9s
filebeat-beat-filebeat-s656d 1/1 Running 0 3m8s
3、模拟访问
[root@k8s-master01 eck]# kgp -A -owide | grep krm
krm krm-backend-6ff5c5f58c-wf5r9 1/1 Running 7 (65m ago) 40d 192.168.85.231 k8s-node01 <none> <none>
krm krm-frontend-588ffd677b-clxdx 1/1 Running 8 (65m ago) 40d 192.168.85.235 k8s-node01 <none> <none>
# 模拟访问
[root@k8s-master01 eck]# while true;do curl 192.168.85.235;done
4、在搜索框中搜索 namespace,选择 kubernetes.namespace 后,点击其后面的【+】,即可查看到 krm 和 kube-system 命名空间下的日志信息
说明:因为上面模拟访问的是 krm 命名空间中的服务,所以暂时只展示 krm 命名空间的日志信息;正常情况下会同时展示 krm 和 kube-system 两个命名空间的日志信息。
