
elasticsearch EFK JSON keys as fields


I'm using the EFK (Elasticsearch, Fluentd, Kibana) stack for logging in a Kubernetes cluster. Everything works, but the `log` field, which contains the most useful information, is shown in Kibana as plain JSON.

Is there a way to extract these key/value pairs from the `log` field and show them as separate fields?

For example:

I have extracted `fluentd.conf` into a ConfigMap and tried to get that result with the filter parser:

    <filter kubernetes.var.log.containers.dealing-**.log>
      @type parser
      key_name log
      <parse>
        @type regexp
        expression  {{tried different regexes without luck}}
      </parse>
    </filter>

At this point I'm not sure which of the three (Elasticsearch, Fluentd or Kibana) I should configure to achieve the desired result.

Fluentd config:

    <source>
      @type prometheus
      bind "0.0.0.0"
      port 24231
      metrics_path "/metrics"
    </source>

    <source>
      @type prometheus_output_monitor
    </source>

    <match fluent.**>
      @type null
    </match>

    <source>
      @type tail
      @id in_tail_container_logs
      path "/var/log/containers/*.log"
      pos_file "/var/log/fluentd-containers.log.pos"
      tag "kubernetes.*"
      read_from_head true
      <parse>
        @type "json"
        time_format "%Y-%m-%dT%H:%M:%S.%NZ"
        time_type string
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_minion
      path "/var/log/salt/minion"
      pos_file "/var/log/fluentd-salt.pos"
      tag "salt"
      <parse>
        @type "regexp"
        expression /^(?<time>[^ ]* [^ ,]*)[^\[]*\[[^\]]*\]\[(?<severity>[^ \]]*) *\] (?<message>.*)$/
        time_format "%Y-%m-%d %H:%M:%S"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_startupscript
      path "/var/log/startupscript.log"
      pos_file "/var/log/fluentd-startupscript.log.pos"
      tag "startupscript"
      <parse>
        @type "syslog"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_docker
      path "/var/log/docker.log"
      pos_file "/var/log/fluentd-docker.log.pos"
      tag "docker"
      <parse>
        @type "regexp"
        # status_code must be a named group (?<...>); $<...> is not valid regexp syntax
        expression /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=(?<status_code>\d+))?/
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_etcd
      path "/var/log/etcd.log"
      pos_file "/var/log/fluentd-etcd.log.pos"
      tag "etcd"
      <parse>
        @type "none"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_kubelet
      multiline_flush_interval 5s
      path "/var/log/kubelet.log"
      pos_file "/var/log/fluentd-kubelet.log.pos"
      tag "kubelet"
      <parse>
        @type "kubernetes"
        expression /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m
        time_format "%m%d %H:%M:%S.%N"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_kube_proxy
      multiline_flush_interval 5s
      path "/var/log/kube-proxy.log"
      pos_file "/var/log/fluentd-kube-proxy.log.pos"
      tag "kube-proxy"
      <parse>
        @type "kubernetes"
        expression /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m
        time_format "%m%d %H:%M:%S.%N"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_kube_apiserver
      multiline_flush_interval 5s
      path "/var/log/kube-apiserver.log"
      pos_file "/var/log/fluentd-kube-apiserver.log.pos"
      tag "kube-apiserver"
      <parse>
        @type "kubernetes"
        expression /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m
        time_format "%m%d %H:%M:%S.%N"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_kube_controller_manager
      multiline_flush_interval 5s
      path "/var/log/kube-controller-manager.log"
      pos_file "/var/log/fluentd-kube-controller-manager.log.pos"
      tag "kube-controller-manager"
      <parse>
        @type "kubernetes"
        expression /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m
        time_format "%m%d %H:%M:%S.%N"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_kube_scheduler
      multiline_flush_interval 5s
      path "/var/log/kube-scheduler.log"
      pos_file "/var/log/fluentd-kube-scheduler.log.pos"
      tag "kube-scheduler"
      <parse>
        @type "kubernetes"
        expression /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m
        time_format "%m%d %H:%M:%S.%N"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_rescheduler
      multiline_flush_interval 5s
      path "/var/log/rescheduler.log"
      pos_file "/var/log/fluentd-rescheduler.log.pos"
      tag "rescheduler"
      <parse>
        @type "kubernetes"
        expression /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m
        time_format "%m%d %H:%M:%S.%N"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_glbc
      multiline_flush_interval 5s
      path "/var/log/glbc.log"
      pos_file "/var/log/fluentd-glbc.log.pos"
      tag "glbc"
      <parse>
        @type "kubernetes"
        expression /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m
        time_format "%m%d %H:%M:%S.%N"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_cluster_autoscaler
      multiline_flush_interval 5s
      path "/var/log/cluster-autoscaler.log"
      pos_file "/var/log/fluentd-cluster-autoscaler.log.pos"
      tag "cluster-autoscaler"
      <parse>
        @type "kubernetes"
        expression /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/m
        time_format "%m%d %H:%M:%S.%N"
      </parse>
    </source>

    <source>
      @type tail
      @id in_tail_kube_apiserver_audit
      multiline_flush_interval 5s
      path "/var/log/kubernetes/kube-apiserver-audit.log"
      pos_file "/var/log/kube-apiserver-audit.log.pos"
      tag "kube-apiserver-audit"
      <parse>
        @type "multiline"
        format_firstline "/^\\S+\\s+AUDIT:/"
        format1 /^(?<time>\S+) AUDIT:(?: (?:id="(?<id>(?:[^"\\]|\\.)*)"|ip="(?<ip>(?:[^"\\]|\\.)*)"|method="(?<method>(?:[^"\\]|\\.)*)"|user="(?<user>(?:[^"\\]|\\.)*)"|groups="(?<groups>(?:[^"\\]|\\.)*)"|as="(?<as>(?:[^"\\]|\\.)*)"|asgroups="(?<asgroups>(?:[^"\\]|\\.)*)"|namespace="(?<namespace>(?:[^"\\]|\\.)*)"|uri="(?<uri>(?:[^"\\]|\\.)*)"|response="(?<response>(?:[^"\\]|\\.)*)"|\w+="(?:[^"\\]|\\.)*"))*/
        time_format "%Y-%m-%dT%T.%L%Z"
      </parse>
    </source>

    <filter kubernetes.**>
      @type kubernetes_metadata
      @id filter_kube_metadata
      kubernetes_url "https://172.20.0.1:443/api"
      verify_ssl true
      ca_file ""
    </filter>

    <match **>
      @type elasticsearch
      @id out_es
      @log_level "info"
      include_tag_key true
      host "elasticsearch.logging.svc.cluster.local"
      port 9200
      path ""
      # plaintext to Elasticsearch inside the cluster; the ssl_* settings below only take effect with scheme https
      scheme http
      ssl_verify true
      # TLSv1 is a deprecated protocol version; use TLSv1_2 when switching to https
      ssl_version TLSv1
      user ""
      password xxxxxx
      reload_connections false
      reconnect_on_error true
      reload_on_failure true
      log_es_400_reason false
      logstash_prefix "logstash"
      logstash_format true
      index_name "logstash"
      type_name "fluentd"
      template_name 
      template_file 
      template_overwrite false
      <buffer>
        flush_thread_count 8
        flush_interval 5s
        chunk_limit_size 2M
        queue_limit_length 32
        retry_max_interval 30
        retry_forever true
      </buffer>
    </match>

    <filter kubernetes.**>
      @type parser
      key_name log
      reserve_data true
      <parse>
        @type json
      </parse>
    </filter>

    <filter kubernetes.**>
      @type parser
      key_name log
      <parse>
        @type json
        json_parser json
      </parse>
      replace_invalid_sequence true
      reserve_data true # this preserves unparsable log lines
      emit_invalid_record_to_error false # In case of unparsable log lines keep the error log clean
      reserve_time # the time was already parsed in the source, we don't want to overwrite it with current time.
    </filter>
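To make the behaviour of the two answers concrete, the Ruby below (added here as an illustration; it is not code from the question, the answers or Fluentd itself) emulates what the parser filter with `key_name log`, `@type json`, `reserve_data`, `reserve_time` and `emit_invalid_record_to_error false` does to a single record. The sample records, the `SAMPLE_TIME` constant, the `kubernetes` metadata values and the function names are constructed for this example; Fluentd runs filters in config order, so these records are shaped like what the `in_tail` JSON parse plus the `kubernetes_metadata` filter would hand to the parser filter.

```ruby
require 'json'
require 'time'

# Emulates one record passing through `<filter kubernetes.**> @type parser ... </filter>`.
# `time` is the event time the tail source already parsed; returns [new_time, new_record].
#   reserve_data: keep the other fields of the original record (including `log` itself)
#   reserve_time: keep the source's event time instead of a `time` key found in the JSON
def lift_json_log(time, record, key_name: 'log', reserve_data: true, reserve_time: true)
  raw = record[key_name]
  values = raw.is_a?(String) ? JSON.parse(raw) : nil
  # Valid JSON that is not an object (a bare number, string or array) has no keys to lift.
  values = nil unless values.is_a?(Hash)
  return [time, record] if values.nil?

  # Without reserve_data the record becomes just the parsed values: every field added
  # earlier (stream, kubernetes.* metadata) is dropped. With it, Hash#merge semantics
  # apply, so a key in the JSON line overwrites a same-named key already in the record.
  new_record = reserve_data ? record.merge(values) : values

  new_time = time
  unless reserve_time
    t = values['time']
    if t.is_a?(String)
      begin
        new_time = Time.parse(t)
      rescue ArgumentError
        new_time = time # unparsable timestamp in the line: keep the source's time
      end
    end
  end
  [new_time, new_record]
rescue JSON::ParserError
  # Not JSON at all (a plain-text stack trace, for instance): the record is kept as-is,
  # which is the effect of reserve_data true + emit_invalid_record_to_error false.
  [time, record]
end

# Constructed sample input (not real cluster data).
SAMPLE_TIME = Time.utc(2020, 1, 1, 12, 0, 0)
SAMPLE_META = { 'namespace_name' => 'prod', 'pod_name' => 'dealing-7c9d' }.freeze
SAMPLE_RECORDS = [
  # 1. a structured line: its keys should become top-level fields
  { 'log' => '{"level":"error","msg":"dealing failed","order_id":"o-123"}',
    'stream' => 'stderr', 'kubernetes' => SAMPLE_META },
  # 2. a plain-text line: must survive untouched rather than be dropped
  { 'log' => "Traceback (most recent call last):\n",
    'stream' => 'stderr', 'kubernetes' => SAMPLE_META },
  # 3. a line whose key collides with a field the pipeline already set
  { 'log' => '{"stream":"injected","msg":"collides with an existing key"}',
    'stream' => 'stdout', 'kubernetes' => SAMPLE_META },
].freeze

def run_filter(records, **opts)
  records.map { |r| lift_json_log(SAMPLE_TIME, r, **opts) }
end

if __FILE__ == $0
  run_filter(SAMPLE_RECORDS).each { |t, r| puts "#{t.iso8601} #{JSON.generate(r)}" }
end
```

The third record is the caveat worth keeping in mind: with `reserve_data true` the merge lets any process writing to stdout overwrite fields such as `stream` (or `kubernetes`) that the pipeline itself set, so lifted keys should not be trusted more than the metadata filter's fields. The parser filter's `inject_key_prefix` option (or `hash_value_field`, which nests the parsed values under one key) namespaces the lifted keys so they cannot shadow the pipeline's own fields.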