摘要:是一個(gè)開(kāi)源和多平臺(tái)的����,它允許您從不同的來(lái)源收集數(shù)據(jù)日志����,統(tǒng)一并將它們發(fā)送到多個(gè)目的地。例如日志收集日志分析主要講部署的集群�����。日志主要有和的日志�����,一般采用部署����,自然而然就是要支持格式日志的采集����。業(yè)務(wù)落盤(pán)的日志��。部署方案采取部署���。
前言
收集日志的組件多不勝數(shù)���,有ELK久負(fù)盛名組合中的logstash, 也有EFK組合中的filebeat,更有cncf新貴fluentd,另外還有大數(shù)據(jù)領(lǐng)域使用比較多的flume���。本次主要說(shuō)另外一種�,和fluentd一脈相承的fluent bit���。
Fluent Bit是一個(gè)開(kāi)源和多平臺(tái)的Log Processor and Forwarder���,它允許您從不同的來(lái)源收集數(shù)據(jù)/日志,統(tǒng)一并將它們發(fā)送到多個(gè)目的地���。它與Docker和Kubernetes環(huán)境完全兼容�。Fluent Bit用C語(yǔ)言編寫(xiě)����,具有可插拔的架構(gòu)����,支持大約30個(gè)擴(kuò)展���。它快速輕便��,通過(guò)TLS為網(wǎng)絡(luò)運(yùn)營(yíng)提供所需的安全性��。
之所以選擇fluent bit����,看重了它的高性能����。下面是官方貼出的一張與fluentd對(duì)比圖:
| |
Fluentd |
Fluent Bit |
| Scope |
Containers / Servers |
Containers / Servers |
| Language |
C & Ruby |
C |
| Memory |
~40MB |
~450KB |
| Performance |
High Performance |
High Performance |
| Dependencies |
Built as a Ruby Gem, it requires a certain number of gems. |
Zero dependencies, unless some special plugin requires them. |
| Plugins |
More than 650 plugins available |
Around 35 plugins available |
| License |
Apache License v2.0 |
Apache License v2.0 |
在已經(jīng)擁有的插件滿足需求和場(chǎng)景的前提下,fluent bit無(wú)疑是一個(gè)很好的選擇�。
fluent bit 簡(jiǎn)介
在使用的這段時(shí)間之后,總結(jié)以下幾點(diǎn)優(yōu)點(diǎn):
支持routing,適合多output的場(chǎng)景��。比如有些業(yè)務(wù)日志����,或?qū)懭氲絜s中�����,供查詢�?����;?qū)懭氲絟dfs中����,供大數(shù)據(jù)進(jìn)行分析。
fliter支持lua����。對(duì)于那些對(duì)c語(yǔ)言hold不住的團(tuán)隊(duì)��,可以用lua寫(xiě)自己的filter����。
output 除了官方已經(jīng)支持的十幾種,還支持用golang寫(xiě)output����。例如:fluent-bit-kafka-output-plugin
k8s日志收集
k8s日志分析
主要講kubeadm部署的k8s集群����。日志主要有:
kubelet和etcd的日志����,一般采用systemd部署,自然而然就是要支持systemd格式日志的采集�����。filebeat并不支持該類型����。
kube-apiserver等組件stderr和stdout日志,這個(gè)一般輸出的格式取決于docker的日志驅(qū)動(dòng)�����,一般為json-file�����。
業(yè)務(wù)落盤(pán)的日志���。支持tail文件的采集組件都滿足��。這點(diǎn)不在今天的討論范圍之內(nèi)�。
部署方案
fluent bit 采取DaemonSet部署。 如下圖:
部署yaml
---
apiVersion: v1
kind: Service
metadata:
name: elasticsearch-logging
namespace: kube-system
labels:
k8s-app: elasticsearch-logging
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "Elasticsearch"
spec:
ports:
- port: 9200
protocol: TCP
targetPort: db
selector:
k8s-app: elasticsearch-logging
---
# RBAC authn and authz
apiVersion: v1
kind: ServiceAccount
metadata:
name: elasticsearch-logging
namespace: kube-system
labels:
k8s-app: elasticsearch-logging
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: elasticsearch-logging
labels:
k8s-app: elasticsearch-logging
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
- ""
resources:
- "services"
- "namespaces"
- "endpoints"
verbs:
- "get"
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: kube-system
name: elasticsearch-logging
labels:
k8s-app: elasticsearch-logging
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
subjects:
- kind: ServiceAccount
name: elasticsearch-logging
namespace: kube-system
apiGroup: ""
roleRef:
kind: ClusterRole
name: elasticsearch-logging
apiGroup: ""
---
# Elasticsearch deployment itself
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: elasticsearch-logging
namespace: kube-system
labels:
k8s-app: elasticsearch-logging
version: v6.3.0
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
serviceName: elasticsearch-logging
replicas: 2
selector:
matchLabels:
k8s-app: elasticsearch-logging
version: v6.3.0
template:
metadata:
labels:
k8s-app: elasticsearch-logging
version: v6.3.0
kubernetes.io/cluster-service: "true"
spec:
serviceAccountName: elasticsearch-logging
containers:
- image: k8s.gcr.io/elasticsearch:v6.3.0
name: elasticsearch-logging
resources:
# need more cpu upon initialization, therefore burstable class
limits:
cpu: 1000m
requests:
cpu: 100m
ports:
- containerPort: 9200
name: db
protocol: TCP
- containerPort: 9300
name: transport
protocol: TCP
volumeMounts:
- name: elasticsearch-logging
mountPath: /data
env:
- name: "NAMESPACE"
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Elasticsearch requires vm.max_map_count to be at least 262144.
# If your OS already sets up this number to a higher value, feel free
# to remove this init container.
initContainers:
- image: alpine:3.6
command: ["/sbin/sysctl", "-w", "vm.max_map_count=262144"]
name: elasticsearch-logging-init
securityContext:
privileged: true
volumeClaimTemplates:
- metadata:
name: elasticsearch-logging
annotations:
volume.beta.kubernetes.io/storage-class: gp2
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: fluent-bit-config
namespace: kube-system
labels:
k8s-app: fluent-bit
data:
# Configuration files: server, input, filters and output
# ======================================================
fluent-bit.conf: |
[SERVICE]
Flush 1
Log_Level info
Daemon off
Parsers_File parsers.conf
HTTP_Server On
HTTP_Listen 0.0.0.0
HTTP_Port 2020
@INCLUDE input-kubernetes.conf
@INCLUDE filter-kubernetes.conf
@INCLUDE output-elasticsearch.conf
input-kubernetes.conf: |
[INPUT]
Name tail
Tag kube.*
Path /var/log/containers/*.log
Parser docker
DB /var/log/flb_kube.db
Mem_Buf_Limit 5MB
Skip_Long_Lines On
Refresh_Interval 10
[INPUT]
Name systemd
Tag host.*
Systemd_Filter _SYSTEMD_UNIT=kubelet.service
Path /var/log/journal
DB /var/log/flb_host.db
filter-kubernetes.conf: |
[FILTER]
Name kubernetes
Match kube.*
Kube_URL https://kubernetes.default.svc.cluster.local:443
Merge_Log On
K8S-Logging.Parser On
K8S-Logging.Exclude On
[FILTER]
Name kubernetes
Match host.*
Kube_URL https://kubernetes.default.svc.cluster.local:443
Merge_Log On
Use_Journal On
output-elasticsearch.conf: |
[OUTPUT]
Name es
Match *
Host ${FLUENT_ELASTICSEARCH_HOST}
Port ${FLUENT_ELASTICSEARCH_PORT}
Logstash_Format On
Retry_Limit False
parsers.conf: |
[PARSER]
Name apache
Format regex
Regex ^(?[^ ]*) [^ ]* (?[^ ]*) [(?
總結(jié)
真實(shí)場(chǎng)景的日志收集比較復(fù)雜��,在日志量大的情況下���,一般要引入kafka�����。
此外關(guān)于注意日志的lograte���。一般來(lái)說(shuō),docker是支持該功能的��??梢酝ㄟ^(guò)下面的配置解決:
cat > /etc/docker/daemon.json <
在k8s中運(yùn)行的業(yè)務(wù)日志����,不僅要考慮清除過(guò)時(shí)的日志,還要考慮新增pod的日志的收集�。這個(gè)時(shí)候,往往需要在fluent bit上面再包一層邏輯,獲取需要收集的日志路徑。比如log-pilot����。
文章版權(quán)歸作者所有,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為�,您可以聯(lián)系管理員刪除。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/32820.html
