一、使用Filebeat收集指定文件日志

如果想要收集某个文件的日志,直接添加一段 log 类型的输入配置即可:

1、备份配置文件

[root@k8s-master01 eck]# cp filebeat-label.yaml filebeat-label-file.yaml

2、修改filebeat配置文件

添加内容

      # Extra autodiscover template: read the node's /var/log/messages.
      # The file must also be mounted into the Filebeat pod from the host.
      - config:
        - paths:
          - /var/log/messages
          # Start at the end of the file instead of replaying existing content.
          tail_files: true
          # `log` input; newer Filebeat releases deprecate it in favour of `filestream`.
          type: log
          fields:
            # Read by the Kafka output's topic setting ('%{[fields.log_topic]}').
            log_topic: k8spodlogs
            # Marks these events as host system logs so they can be filtered downstream.
            log_type: system

完整配置文件

[root@k8s-master01 eck]# vim filebeat-label-file.yaml 
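# ECK Beat resource: runs Filebeat as a DaemonSet and ships node and
# container logs to Kafka.
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: filebeat
spec:
  type: filebeat
  version: 8.17.0
  # NOTE(review): the image is pulled from a mirror namespace and pinned by tag
  # only. Prefer a registry you control and pin by digest (...@sha256:<digest>),
  # since this pod runs as root on the host network.
  image: registry.cn-hangzhou.aliyuncs.com/github_images1024/filebeat:8.17.0
  config:
    # NOTE(review): only hosts/topic are set; no ssl.* or SASL username/password
    # settings appear here, so as written events go to Kafka without TLS or
    # authentication. Confirm the broker is only reachable on a trusted network.
    output.kafka:
      hosts: ["kafka:9092"]
      # Topic is taken from each event's fields.log_topic value.
      topic: '%{[fields.log_topic]}'
      #topic: 'k8spodlogs'
    filebeat.autodiscover.providers:
    - node: ${NODE_NAME}
      type: kubernetes
      templates:
      # Host system log. It shares the k8spodlogs topic with pod logs, so every
      # consumer of that topic can also read the node's /var/log/messages.
      - config:
        - paths:
          - /var/log/messages
          # Start at the end of the file instead of replaying existing content.
          tail_files: true
          # `log` input; newer Filebeat releases deprecate it in favour of `filestream`.
          type: log
          fields:
            log_topic: k8spodlogs
            log_type: system
      # Container logs of the discovered container.
      - config:
        - paths:
          - /var/log/containers/*${data.kubernetes.container.id}.log
          tail_files: true
          type: container
          fields:
            log_topic: k8spodlogs
          processors:
          - add_cloud_metadata: {}
          - add_host_metadata: {}
          # Opt-in filter: drop the event unless the pod's namespace carries
          # the label filebeat=true.
          - drop_event:
              when:
                or:
                 - not:
                    equals:
                      kubernetes.namespace_labels.filebeat: "true"
    processors:
    - add_cloud_metadata: {}
    - add_host_metadata: {}
    # Drop events produced by the container named "filebeat" itself.
    - drop_event:
            when:
              or:
                - equals:
                     kubernetes.container.name: "filebeat"
  daemonSet:
    podTemplate:
      spec:
        serviceAccountName: filebeat
        # The token is mounted so the kubernetes autodiscover provider can query
        # the API. NOTE(review): the RBAC bound to this ServiceAccount is not
        # shown here; verify it is limited to read verbs (get/list/watch).
        automountServiceAccountToken: true
        terminationGracePeriodSeconds: 30
        dnsPolicy: ClusterFirstWithHostNet
        hostNetwork: true # Allows to provide richer host metadata
        containers:
        - name: filebeat
          securityContext:
            # Runs as root to read host-owned log files. Together with
            # hostNetwork and the hostPath volumes this is a highly privileged
            # pod, which is why the mounts below are read-only.
            runAsUser: 0
            # If using Red Hat OpenShift uncomment this:
            #privileged: true
          volumeMounts:
          # Filebeat only reads these paths, so mount them read-only to keep a
          # compromised collector from altering or deleting host logs.
          - name: varlogcontainers
            mountPath: /var/log/containers
            readOnly: true
          - name: varlogpods
            mountPath: /var/log/pods
            readOnly: true
          - name: varlibdockercontainers
            mountPath: /var/lib/docker/containers
            readOnly: true
          - name: messages
            mountPath: /var/log/messages
            readOnly: true
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
        volumes:
        - name: varlogcontainers
          hostPath:
            path: /var/log/containers
        - name: varlogpods
          hostPath:
            path: /var/log/pods
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        # No hostPath `type` is set, so no existence check is performed; on a
        # node without this file a directory may be created at the path instead.
        # Consider `type: File` if every node is known to have /var/log/messages.
        - name: messages
          hostPath:
            path: /var/log/messages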

3、重新应用filebeat配置文件

[root@k8s-master01 eck]# k replace -f  filebeat-label-file.yaml  -n logging

# 验证查看
[root@k8s-master01 eck]# kgp -n logging | grep filebea
filebeat-beat-filebeat-68qkd   1/1     Running   0              4s
filebeat-beat-filebeat-l9prx   1/1     Running   0              9s
filebeat-beat-filebeat-w92p8   1/1     Running   0              6s

4、模拟写入日志

# 模拟写入日志信息(该循环没有任何间隔,会持续向 /var/log/messages 追加内容;验证完成后请及时按 Ctrl+C 终止,以免占满磁盘并淹没真实的系统日志)
[root@k8s-master01 eck]# while true;do echo "test" >> /var/log/messages;done

5、查看/var/log/messages日志文件信息

在搜索框中搜索log,选择fields.log_type后,点击后面的【+】

image-20250424092836091

点击最新日志,搜索message,观察到message对应的值为test

image-20250424093409568