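Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them to Elasticsearch or Logstash for indexing.
Here is how Filebeat works: when you start Filebeat, it starts one or more inputs that look in the locations you have specified for log data. For each log that Filebeat locates, it starts a harvester. Each harvester reads a single log for new content and sends the new log data to libbeat, which aggregates the events and sends the aggregated data to the output you have configured for Filebeat.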
![](https://img.kancloud.cn/5a/67/5a675caf5d7a64dc6f10e83f1c241934_705x584.png)
# Running locally
## Download the package
```shell
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.2-linux-x86_64.tar.gz
tar xf filebeat-7.17.2-linux-x86_64.tar.gz -C /opt/
```
## Configuration
### Output to Elasticsearch
```shell
[elk@elk01 ~]$ sudo cat /opt/filebeat-7.17.2-linux-x86_64/filebeat.yml
# --------------- input ------------------------------
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
  fields:
    name: messages
- type: log
  enabled: true
  paths:
    - /data/k8s/logs/kubernetes.audit
  json.keys_under_root: true
  json.add_error_key: true
  json.message_key: log
  fields:
    name: k8sAudit
# --------------- processors ------------------------------
processors:
  - add_tags:
      target: "environment"
      tags: ["kubernetes", "production"]
# --------------- output ------------------------------
output.elasticsearch:
  hosts: ["192.168.31.29:9200", "192.168.31.193:9200", "192.168.31.120:9200"]
  indices:
    - index: "messages-%{+yyyy.MM}"
      when.equals:
        fields.name: "messages"
    - index: "k8s-audit-%{+yyyy.MM}"
      when.equals:
        fields.name: "k8sAudit"
# --------------- setup ------------------------------
setup.ilm.enabled: false
setup.dashboards.enabled: false
```
### Output to Logstash
```shell
[kafka@elk02 ~]$ sudo egrep -v '^ {,5}#|^$' /opt/filebeat-7.17.2-linux-x86_64/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
output.logstash:
  hosts: ["10.0.0.129:5044"]
```
### Output to Kafka
```shell
[kafka@elk02 ~]$ sudo egrep -v "^$|^ {,5}#" /opt/filebeat-7.17.2-linux-x86_64/filebeat.yml
fields: {log_topic: "elk"}
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
output.kafka:
  hosts: ["10.0.0.127:9092", "10.0.0.128:9092", "10.0.0.129:9092"]
  topic: '%{[fields.log_topic]}'
  partition.round_robin:
    reachable_only: true
  required_acks: 1
  compression: gzip
  max_message_bytes: 1000000
```
### Hot-reloading configuration
```shell
# Hot reload applies to input sources and the bundled modules
# Changes to the main configuration file take effect only after a restart
[kafka@elk02 filebeat-7.17.2-linux-x86_64]$ sudo egrep -v "^$|^ {,5}#" /opt/filebeat-7.17.2-linux-x86_64/filebeat.yml
filebeat.config.inputs:
  enabled: true
  path: configs/*.yml
  reload.enabled: true
  reload.period: 10s
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
output.kafka:
  enabled: true
  hosts: ["10.0.0.127:9092", "10.0.0.128:9092", "10.0.0.129:9092"]
  topic: 'logstash'
  partition.round_robin:
    reachable_only: true
  required_acks: 1
  compression: gzip
  max_message_bytes: 1000000
[kafka@elk02 filebeat-7.17.2-linux-x86_64]$ cat configs/nginx.yml
# External input files start directly with the input list (no "filebeat.inputs:" key)
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
[kafka@elk02 filebeat-7.17.2-linux-x86_64]$ chmod 644 configs/nginx.yml
[kafka@elk02 filebeat-7.17.2-linux-x86_64]$ sudo chown root configs/nginx.yml
```
## Set ownership
```shell
sudo chown -R elk:elk /opt/filebeat-7.17.2-linux-x86_64
sudo chown root /opt/filebeat-7.17.2-linux-x86_64/filebeat.yml
```
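The `chown root` and `chmod 644` steps above matter because Filebeat refuses to load a configuration file that is owned by anyone other than root or the user running Filebeat, or that is writable by group or others. The following pre-flight check is an added example, not part of the original page; it assumes GNU `stat` on Linux, and the function names are hypothetical.

```shell
# Added example (not from the original page). Assumes GNU stat (Linux);
# the function names are hypothetical.

# check_beat_config FILE RUN_UID
# Succeeds when FILE is owned by root or RUN_UID and is not writable by
# group or others; otherwise prints the reason and returns 1.
check_beat_config() {
  cbc_file=$1; cbc_uid=$2
  if [ ! -f "$cbc_file" ]; then
    echo "FAIL $cbc_file: not a regular file"; return 1
  fi
  cbc_owner=$(stat -c '%u' "$cbc_file")
  cbc_mode=$(stat -c '%a' "$cbc_file")
  if [ "$cbc_owner" != 0 ] && [ "$cbc_owner" != "$cbc_uid" ]; then
    echo "FAIL $cbc_file: owner uid $cbc_owner is neither root nor uid $cbc_uid"
    return 1
  fi
  # 022 masks the group-write and other-write bits (leading 0 = octal).
  if [ $(( 0$cbc_mode & 022 )) -ne 0 ]; then
    echo "FAIL $cbc_file: mode $cbc_mode allows group/other writes"
    return 1
  fi
  echo "OK   $cbc_file (uid $cbc_owner, mode $cbc_mode)"
}

# check_beat_tree DIR RUN_UID
# Checks filebeat.yml plus the reloadable files under configs/ and modules.d/.
check_beat_tree() {
  cbt_rc=0
  for cbt_f in "$1"/filebeat.yml "$1"/configs/*.yml "$1"/modules.d/*.yml; do
    [ -e "$cbt_f" ] || continue   # an unmatched glob stays literal; skip it
    check_beat_config "$cbt_f" "$2" || cbt_rc=1
  done
  return $cbt_rc
}
```

Because this page starts Filebeat through `sudo`, the run UID is 0: `check_beat_tree /opt/filebeat-7.17.2-linux-x86_64 0`.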
## Create directories
```shell
mkdir /opt/filebeat-7.17.2-linux-x86_64/{logs,pid}
```
## Start the service
```shell
cd /opt/filebeat-7.17.2-linux-x86_64/
nohup sudo ./filebeat -e &>> logs/filebeat-server-`date "+%Y%m%d"`.log & echo $! > pid/filebeat.pid
```
## Stop the service
```shell
cat /opt/filebeat-7.17.2-linux-x86_64/pid/filebeat.pid | xargs -I {} sudo kill {}
```
# Running in containers
The RBAC permissions that `filebeat` needs in order to collect logs. Save as `rbac.yml`.
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: filebeat
subjects:
- kind: ServiceAccount
  name: filebeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: filebeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: filebeat
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: filebeat
    namespace: kube-system
roleRef:
  kind: Role
  name: filebeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: filebeat-kubeadm-config
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: filebeat
    namespace: kube-system
roleRef:
  kind: Role
  name: filebeat-kubeadm-config
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: filebeat
  labels:
    k8s-app: filebeat
rules:
- apiGroups: [""] # "" indicates the core API group
  resources:
  - namespaces
  - pods
  - nodes
  verbs:
  - get
  - watch
  - list
- apiGroups: ["apps"]
  resources:
    - replicasets
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: filebeat
  # should be the namespace where filebeat is running
  namespace: kube-system
  labels:
    k8s-app: filebeat
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs: ["get", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: filebeat-kubeadm-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
rules:
  - apiGroups: [""]
    resources:
      - configmaps
    resourceNames:
      - kubeadm-config
    verbs: ["get"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
```
Every host needs a `filebeat` container to collect its logs. Save as `daemonset.yml`.
```yaml
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
spec:
  selector:
    matchLabels:
      k8s-app: filebeat
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      serviceAccountName: filebeat
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: filebeat
        image: docker.elastic.co/beats/filebeat:7.17.2
        args: [
          "-c", "/etc/filebeat.yml",
          "-e",
        ]
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          # If using Red Hat OpenShift uncomment this:
          #privileged: true
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        # Main config: args pass "-c /etc/filebeat.yml", so the file is mounted there
        - name: mainconfig
          mountPath: /etc/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        # Reloadable input definitions matched by "path: configs/*.yml"
        - name: config
          mountPath: /usr/share/filebeat/configs
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlog
          mountPath: /var/log
          readOnly: true
        # The audit log read by the k8s-audit input lives outside /var/log
        - name: k8slogs
          mountPath: /data/k8s/logs
          readOnly: true
      volumes:
      - name: mainconfig
        configMap:
          defaultMode: 0640
          name: filebeat-main-config
      - name: config
        configMap:
          defaultMode: 0640
          name: filebeat-config
      - name: varlog
        hostPath:
          path: /var/log
      - name: k8slogs
        hostPath:
          path: /data/k8s/logs
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          # When filebeat runs as non-root user, this directory needs to be writable by group (g+w).
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate
```
The configuration file that `filebeat` runs with. It is the main configuration file; later changes to the input sources defined outside it do not require restarting filebeat. Save as `config-kafka-main.yml`.
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-main-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.config.inputs:
      enabled: true
      path: configs/*.yml
      reload.enabled: true
      reload.period: 10s
    output.kafka:
      hosts: ["192.168.31.235:9092", "192.168.31.202:9092", "192.168.31.140:9092"]
      topics:
        - topic: 'messages'
          when.equals:
            fields.type: messages
        - topic: 'k8s-audit'
          when.equals:
            fields.type: k8s-audit
      partition.round_robin:
        reachable_only: true
      required_acks: 1
      compression: gzip
      max_message_bytes: 1000000
```
The file that actually defines the log paths to collect. Save as `config-kafka.yml`.
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  log.yml: |-
    - type: log
      enabled: true
      fields:
        type: messages
      paths:
        - /var/log/messages
    - type: log
      enabled: true
      fields:
        type: k8s-audit
      paths:
        - /data/k8s/logs/kube-apiserver/kubernetes.audit
```
Start the filebeat service:
```shell
kubectl apply -f rbac.yml
kubectl apply -f config-kafka-main.yml
kubectl apply -f config-kafka.yml
kubectl apply -f daemonset.yml
```
## References
Official Filebeat documentation: https://www.elastic.co/guide/en/beats/filebeat/7.17/index.html