系统架构图:
1) 多个Filebeat在各个Node进行日志采集,然后上传至Logstash
2) 多个Logstash节点并行(负载均衡,不作为集群),对日志记录进行过滤处理,然后上传至Elasticsearch集群
3) 多个Elasticsearch构成集群服务,提供日志的索引和存储能力
4) Kibana负责对Elasticsearch中的日志数据进行检索、分析一、Elasticsearch部署
官方chart地址:https://github.com/elastic/helm-charts/tree/master/elasticsearch
创建logs命名空间
代码语言:javascript复制kubectl create ns logs添加elastic helm charts 仓库
代码语言:javascript复制helm repo add elastic https://helm.elastic.co安装
代码语言:javascript复制helm install -name elasticsearch elastic/elasticsearch --namespace logs参数说明
代码语言:javascript复制image: "docker.elastic.co/elasticsearch/elasticsearch"
imageTag: "7.2.0"
imagePullPolicy: "IfNotPresent"
podAnnotations: {}
esJavaOpts: "-Xmx1g -Xms1g"
resources:
requests:
cpu: "100m"
memory: "2Gi"
limits:
cpu: "1000m"
memory: "2Gi"
volumeClaimTemplate:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "nfs-client"
resources:
requests:
storage: 50Gi二、Filebeat部署
官方chart地址:https://github.com/elastic/helm-charts/tree/master/filebeat
添加elastic helm charts 仓库
代码语言:javascript复制helm repo add elastic https://helm.elastic.co安装
代码语言:javascript复制helm install -name filebeat elastic/filebeat --namespace logs参数说明:
代码语言:javascript复制image: "docker.elastic.co/beats/filebeat"
imageTag: "7.2.0"
imagePullPolicy: "IfNotPresent"
resources:
requests:
cpu: "100m"
memory: "100Mi"
limits:
cpu: "1000m"
memory: "200Mi"那么问题来了,filebeat默认收集宿主机上docker的日志路径:/var/lib/docker/containers。如果我们修改了docker的安装路径要怎么收集呢,很简单修改chart里的DaemonSet文件里边的hostPath参数:
代码语言:javascript复制- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers #改为docker安装路径对java程序的报错异常log实现多行合并,用multiline定义正则来匹配。
代码语言:javascript复制filebeatConfig:
filebeat.yml: |
filebeat.inputs:
- type: docker
containers.ids:
- '*'
multiline.pattern: '^[0-9]'
multiline.negate: true
multiline.match: after
processors:
- add_kubernetes_metadata:
in_cluster: true
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'三. Kibana部署
官方chart地址:https://github.com/elastic/helm-charts/tree/master/kibana
添加elastic helm charts 仓库
代码语言:javascript复制helm repo add elastic https://helm.elastic.co安装
代码语言:javascript复制helm install -name kibana elastic/kibana --namespace logs参数说明:
代码语言:javascript复制elasticsearchHosts: "http://elasticsearch-master:9200"
replicas: 1
image: "docker.elastic.co/kibana/kibana"
imageTag: "7.2.0"
imagePullPolicy: "IfNotPresent"
resources:
requests:
cpu: "100m"
memory: "500m"
limits:
cpu: "1000m"
memory: "1Gi"四. Logstash部署
官方chart地址:https://github.com/helm/charts/tree/master/stable/logstash
安装
代码语言:javascript复制$ helm install -name logstash stable/logstash --namespace logs参数说明:
代码语言:javascript复制image:
repository: docker.elastic.co/logstash/logstash-oss
tag: 7.2.0
pullPolicy: IfNotPresent
persistence:
enabled: true
storageClass: "nfs-client"
accessMode: ReadWriteOnce
size: 2Gi匹配label:json的pod日志,没有的话正常收集。
代码语言:javascript复制filebeatConfig:
filebeat.yml: |
filebeat.autodiscover:
providers:
- type: kubernetes
templates:
- condition:
equals:
kubernetes.labels.logFormat: "json"
config:
- type: docker
containers.ids:
- "${data.kubernetes.container.id}"
json.keys_under_root: true
json.overwrite_keys: true
json.add_error_key: true
- config:
- type: docker
containers.ids:
- "${data.kubernetes.container.id}"
processors:
- add_kubernetes_metadata:
in_cluster: true
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'五. Elastalert部署
官方chart地址:https://github.com/helm/charts/tree/master/stable/elastalert
安装
代码语言:javascript复制helm install -n elastalert ./elastalert --namespace logs效果图:
