2024-07-12
한어Русский языкEnglishFrançaisIndonesianSanskrit日本語DeutschPortuguêsΕλληνικάespañolItalianoSuomalainenLatina
Filebeat+ELK construction and interpretation reference
Link:k8s learning – detailed process of ELK log collection based on k8s
This chapter will not repeat the description
virtual machine
| Ip | CPU name | cpu | Memory | harddisk |
|---|---|---|---|---|
| 192.168.10.11 | master01 | 2cpu dual core | 4G | 100G |
| 192.168.10.12 | worker01 | 2cpu dual core | 4G | 100G |
| 192.168.10.13 | worker02 | 2cpu dual core | 4G | 100G |
| 192.168.10.17 | ELK | 1cpu dual core | 4G | 100G |
Version centos7.9
k8s-1.27 has been deployed
The ELK server has deployed Filebeat+ELK
This is achieved by running filebeat (sidecar) in the application Pod. This article will take Tomcat as an example.
By default, there is no website homepage file in the tomcat container. If it is not added, the container in the pod will not run normally.
work01 host operation
mkdir /opt/tomcatwebroot
echo "tomcat is running" > /opt/tomcatwebroot/index.html
Master host operation
vim tomcat-logs.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-demo
namespace: default
spec:
replicas: 2
selector:
matchLabels:
project: www
app: tomcat-demo
template:
metadata:
labels:
project: www
app: tomcat-demo
spec:
nodeName: worker01
containers:
- name: tomcat
image: tomcat:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
name: web
protocol: TCP
resources:
requests:
cpu: 0.5
memory: 500Mi
limits:
cpu: 1
memory: 1Gi
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 20
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 20
volumeMounts:
- name: tomcat-logs
mountPath: /usr/local/tomcat/logs
- name: tomcatwebroot
mountPath: /usr/local/tomcat/webapps/ROOT
- name: filebeat
image: docker.io/elastic/filebeat:7.17.2
imagePullPolicy: IfNotPresent
args: [
"-c", "/etc/filebeat.yml",
"-e",
]
resources:
limits:
memory: 500Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
runAsUser: 0
volumeMounts:
- name: filebeat-config
mountPath: /etc/filebeat.yml
subPath: filebeat.yml
- name: tomcat-logs
mountPath: /usr/local/tomcat/logs
volumes:
- name: tomcat-logs
emptyDir: {}
- name: tomcatwebroot
hostPath:
path: /opt/tomcatwebroot
type: Directory
- name: filebeat-config
configMap:
name: filebeat-config
---
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-config
namespace: default
data:
filebeat.yml: |-
filebeat.inputs:
- type: log
paths:
- /usr/local/tomcat/logs/catalina.*
fields:
app: www
type: tomcat-catalina
fields_under_root: true
multiline:
pattern: '^['
negate: true
match: after
setup.ilm.enabled: false
setup.template.name: "tomcat-catalina"
setup.template.pattern: "tomcat-catalina-*"
output.logstash:
hosts: ['192.168.10.17:5056']
This yaml defines a Tomcat and Filebeat Deployment and Filebeat configuration file. Let's explain them one by one.
Deployment section
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-demo
namespace: default
spec:
replicas: 2
selector:
matchLabels:
project: www
app: tomcat-demo
template:
metadata:
labels:
project: www
app: tomcat-demo
spec:
nodeName: worker01
containers:
- name: tomcat
image: tomcat:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
name: web
protocol: TCP
resources:
requests:
cpu: 0.5
memory: 500Mi
limits:
cpu: 1
memory: 1Gi
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 20
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 20
volumeMounts:
- name: tomcat-logs
mountPath: /usr/local/tomcat/logs
- name: tomcatwebroot
mountPath: /usr/local/tomcat/webapps/ROOT
- name: filebeat
image: docker.io/elastic/filebeat:7.17.2
imagePullPolicy: IfNotPresent
args: [
"-c", "/etc/filebeat.yml",
"-e",
]
resources:
limits:
memory: 500Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
runAsUser: 0
volumeMounts:
- name: filebeat-config
mountPath: /etc/filebeat.yml
subPath: filebeat.yml
- name: tomcat-logs
mountPath: /usr/local/tomcat/logs
volumes:
- name: tomcat-logs
emptyDir: {}
- name: tomcatwebroot
hostPath:
path: /opt/tomcatwebroot
type: Directory
- name: filebeat-config
configMap:
name: filebeat-config
metadata: defines the name and namespace of the Deployment.
spec: Contains the detailed specification of the Deployment.
replicas: specifies the number of replicas, that is, running two Tomcat instances.
selector: defines the selector used to match Pod labels.
template: describes the Pod template, including metadata and spec.
nodeName: specifies the name of the node where the Pod runs (worker01).
containers: Two containers are defined: Tomcat and Filebeat.
Tomcat container:
image: Use the tomcat:latest image.
ports: expose port 8080.
resources: defines resource requests and limits.
livenessProbe and readinessProbe: used for health checking.
volumeMounts: Two volumes are mounted.
Filebeat container:
Image: Use the filebeat:7.17.2 image.
args: specifies the startup parameters.
resources: defines resource requests and limits.
securityContext: Run as root user.
volumeMounts: Two volumes are mounted.
volumes:
tomcat-logs: Use emptyDir volume.
tomcatwebroot: Use the hostPath volume.
filebeat-config: Use ConfigMap volumes.
Configuration file (ConfigMap) section
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-config
explain
metadata: defines the name of the ConfigMap.
data: should contain the configuration content of Filebeat (omitted here).
elk host configuration
Write the logstash configuration file without affecting the previous configuration file
vim /etc/logstash/conf.d/tomcat-logstash-to-elastic.conf
input {
beats {
host => "0.0.0.0"
port => "5056"
}
}
filter {
}
output {
elasticsearch {
hosts => "192.168.10.17:9200"
index => "tomcat-catalina-%{+yyyy.MM.dd}"
}
}
run
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tomcat-logstash-to-elastic.conf --path.data /usr/share/logstash/data3 &
Verify that the port is enabled
ss -anput | grep ":5056"
Master host operation
kubectl apply -f tomcat-logs.yaml
Wait a moment because you need to download the image
Then check the pod
Note: VPN is required
kubectl get deployment.apps
kubectl get pods
View the logs generated by tomcat (-c: container)
View filebeat collection logs
kubectl logs tomcat-demo-664584f857-k8whd -c filebeat
Host browser access
192.168.10.17:5601
You can see that the log has been seen.
Finish
If it helps you, please follow us.
I have devoted myself to the research of technology for more than 30 years. I am proficient in various languages such as Java, Linux, JavaScript, PHP, CSS, etc. I have made many contributions in the field of open source. I have established a developer documentation site to share some problems in technology development for everyone to read.
