Cannot get FileBeat to post to Elastic Search
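I have a Kubernetes cluster and I am trying to collect logs from the containers in the cluster. I am using Filebeat to collect the logs and send them to Elasticsearch, and then display them in Kibana. I have deployed Kibana and Elasticsearch, and they work fine. I am using a DaemonSet to deploy Filebeat.
This is the YAML file I am using to deploy Filebeat.
I used the manifest file from here to deploy it and made a few modifications to it.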
https://www.elastic.co/guide/en/beats/filebeat/master/running-on-kubernetes.html
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.config:
      inputs:
        - type: log
          # Mounted `filebeat-inputs` configmap:
          paths: /var/lib/docker/containers/*/*.log
          # Reload inputs configs as they change:
          reload.enabled: false
          json.message_key: log
          json.keys_under_root: true
    output.elasticsearch:
      hosts: ['x.x.x.x:9200']
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-inputs
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  kubernetes.yml: |-
    - type: docker
      containers.ids:
      - "*"
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
spec:
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      serviceAccountName: filebeat
      terminationGracePeriodSeconds: 30
      containers:
      - name: filebeat
        image: docker.elastic.co/beats/filebeat:6.3.1
        args: [
          "-c", "/etc/filebeat.yml",
          "-e",
        ]
        env:
        - name: ELASTICSEARCH_HOST
          value: X.x.x.x
        - name: ELASTICSEARCH_PORT
          value: "9200"
        securityContext:
          runAsUser: 0
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        - name: inputs
          mountPath: /usr/share/filebeat/inputs.d
          readOnly: true
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: filebeat-config
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: inputs
        configMap:
          defaultMode: 0600
          name: filebeat-inputs
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate
---
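I checked the pods running Filebeat, and they are storing the logs. But somehow they do not post them to Elasticsearch. My exact configuration should post to Elasticsearch. I have been stuck on this for a few days now and I am out of options. Any help would be appreciated.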
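Your filebeat configuration does not select any input type.
The input path in the filebeat.yaml file must point to your filebeats-inputs.yaml rather than to the log location. That in turn delegates to the docker input type. The default containers.path is /var/lib/docker/containers.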
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-docker.html