K8S部署ELK(四):部署logstash - 教程
目录
1. Logstash 简介
Logstash 是一个开源的数据收集引擎,具有实时管道处理能力,属于 Elastic Stack(原 ELK Stack)的一部分,常与 Elasticsearch 和 Kibana 配合使用。
1.1 主要功能
数据收集:从各种来源(日志文件、数据库、消息队列等)采集数据
数据处理:过滤、解析和转换数据
数据输出:将处理后的数据发送到目标存储或分析系统
1.2 核心组件
Logstash 处理管道包含三个主要部分:
Input(输入插件):负责接收数据
常见输入源:文件、syslog、Redis、Beats、Kafka、JDBC 等
Filter(过滤插件):负责处理数据
常用过滤器:Grok(模式匹配)、Mutate(字段操作)、Date(日期处理)、GeoIP(地理位置)等
Output(输出插件):负责发送数据
常见输出目标:Elasticsearch、文件、Email、TCP、HTTP 等
1.3 主要特点
插件化架构:丰富的插件生态系统
可扩展性:能够处理高吞吐量的数据
灵活性:支持多种数据格式和协议
实时处理:数据采集和处理几乎实时完成
1.4 典型应用场景
日志收集与分析
事件监控和告警
数据转换和规范化
作为数据管道连接不同系统
2. 部署logstash
2.1 创建Namespace
kubectl create namespace elk2.2 创建ConfigMap
vim logstash-configmap.yaml---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: elk
name: logstash-config
labels:
app: logstash
data:
logstash.conf: |-
input {
kafka {
bootstrap_servers => "kafka-0.kafka-headless.elk.svc.cluster.local:9092"
topics => ["k8s-outlog"]
group_id => "logstash-consumer-group"
codec => "json"
consumer_threads => 1
decorate_events => true
security_protocol => "PLAINTEXT"
}
}
filter {
if [fields][logformat] == "json" {
json {
source => "message"
target => "message"
}
}
}
output {
if [fields][logtype] =~ "k8s-outlog.*" {
elasticsearch {
hosts => ["http://elasticsearch-0.elasticsearch-cluster.elk.svc.cluster.local:9200"]
index => "k8s-outlog-%{+YYYY.MM.dd}"
}
}
if [fields][logtype] =~ "k8s-messagelog.*" {
elasticsearch {
hosts => ["http://elasticsearch-0.elasticsearch-cluster.elk.svc.cluster.local:9200"]
index => "k8s-messagelog-%{+YYYY.MM.dd}"
}
}
}2.3 创建Service
vim logstash-service.yamlapiVersion: v1
kind: Service
metadata:
name: logstash
namespace: elk
labels:
app: logstash
spec:
selector:
app: logstash
ports:
- protocol: TCP
port: 5044
targetPort: 5044
type: ClusterIP2.4 创建Deployment
vim logstash-deployment.yamlapiVersion: apps/v1
kind: Deployment
metadata:
name: logstash
namespace: elk
spec:
replicas: 1
selector:
matchLabels:
app: logstash
template:
metadata:
labels:
app: logstash
spec:
containers:
- name: logstash
image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.elastic.co/logstash/logstash:7.17.3
env:
- name: "PIPELINE_WORKERS"
value: "2"
- name: "PIPELINE_BATCH_SIZE"
value: "5000"
- name: "PIPELINE_BATCH_DELAY"
value: "2"
- name: "LS_JAVA_OPTS"
value: "-Xms512m -Xmx1g"
- name: "path.config"
value: "/usr/share/logstash/pipeline"
- name: "xpack.monitoring.elasticsearch.hosts"
value: "http://elasticsearch-0.elasticsearch-cluster.elk.svc.cluster.local:9200"
volumeMounts:
- name: config
mountPath: /usr/share/logstash/pipeline/logstash.conf
readOnly: true
subPath: logstash.conf
- mountPath: /etc/localtime
readOnly: true
name: tz-config
volumes:
- name: config
configMap:
name: logstash-config
- name: tz-config
hostPath:
path: /etc/localtime2.5 部署所有资源
[root@master1 Logstash]# ls
logstash-configmap.yaml logstash-deployment.yaml logstash-service.yaml
[root@master1 Logstash]# kubectl apply -f ./
configmap/logstash-config created
deployment.apps/logstash created
service/logstash created2.6 检查Logstash Pod状态
[root@master1 Logstash]# kubectl get pod -n elk
NAME READY STATUS RESTARTS AGE
elasticsearch-0 1/1 Running 1 (29m ago) 21h
filebeat-6db9l 1/1 Running 1 (29m ago) 22h
filebeat-qllxg 1/1 Running 1 (29m ago) 22h
filebeat-r5hw7 1/1 Running 1 (29m ago) 22h
kafka-0 1/1 Running 1 (30m ago) 21h
logstash-6d88fd886d-2cg9p 1/1 Running 0 65s
浙公网安备 33010602011771号