摘要:最近我們遇到奇葩的需求,不得不利用編寫的�,來滿足需求。所以找到官方的代碼倉(cāng)庫(kù)��,下來�����,稍作更改。新的如下注意增加了�。使用姿勢(shì)使用比較簡(jiǎn)單的。遇到問題和使用一些不明白的地方���,解決起來費(fèi)力�。官方文檔寫的也不夠詳細(xì)��,只是描述了個(gè)大概�����。
前言
之前我們介紹過fluent bit這個(gè)日志收集神器����。最近我們遇到奇葩的需求,不得不利用lua編寫fluent bit的filter��,來滿足需求�。
首先介紹一下需求:
非容器的日志團(tuán)隊(duì)使用filebeat, 其配置文件部分如下:
processors:
- dissect:
tokenizer: "/data/logs/%{appname}/%{filename}.log"
field: "source"
target_prefix: ""
即需要從日志record的source filed 提取appname和filename兩個(gè)filed。
fluent bit 并沒有如此的插件���,所以不得不自己實(shí)現(xiàn)����。
實(shí)現(xiàn)
lua編寫filter規(guī)范
官方給出的示例如下:
function cb_print(tag, timestamp, record)
return code, timestamp, record
end
Function 輸入?yún)?shù)
Function Arguments
| name |
description |
| tag |
Name of the tag associated with the incoming record. |
| timestamp |
Unix timestamp with nanoseconds associated with the incoming record. The original format is a double (seconds.nanoseconds) |
| record |
Lua table with the record content |
Return Values
Each callback must return three values:
| name |
data type |
description |
| code |
integer |
The code return value represents the result and further action that may follows. If code equals -1, means that filter_lua must drop the record. If _code_ equals 0 the record will not be modified, otherwise if code equals 1, means the original timestamp or record have been modified so it must be replaced by the returned values from timestamp (second return value) and record (third return value). |
| timestamp |
double |
If code equals 1, the original record timestamp will be replaced with this new value. |
| record |
table |
if code equals 1, the original record information will be replaced with this new value. Note that the format of this value must be a valid Lua table. |
理解上面的規(guī)范可以結(jié)合下面的寫法。注意返回值的code���。
代碼實(shí)現(xiàn)
編寫實(shí)現(xiàn)類似功能的lua文件��,如下:
function dissect(tag, timestamp, record)
source = record["source"]
if (source == nil)
then
return 0, 0, 0
else
new_record = record
local result = { }
local from = 1
local delim_from, delim_to = string.find( source, "/", from )
while delim_from do
table.insert( result, string.sub( source, from , delim_from-1 ) )
from = delim_to + 1
delim_from, delim_to = string.find( source, "/", from )
end
table.insert( result, string.sub( source, from ) )
new_record["appname"] = result[7]
new_record["filename"] = string.sub( result[8], 1, -5 )
return 1, timestamp, new_record
end
end
備注:
在我們k8s環(huán)境下,業(yè)務(wù)日志掛盤路徑類似于下面的格式:source = /data/logs/default/tomcat/742473c7-17dc-11e9-afc5-0a07a5c4fbe2/appname/filename.log
result[7]之所以出現(xiàn)這種及其容易出現(xiàn)bug的寫法���,一是由于我們這邊有嚴(yán)格的日志規(guī)范����,另外���,只是給大家提供一種lua寫filter的思路��。
制作鏡像
我們是基于fluent bit 1.0.2 �����。所以找到官方的代碼倉(cāng)庫(kù)�,git clone 下來�����,稍作更改。
新的dockerfile如下:
FROM debian:stretch as builder
# Fluent Bit version
ENV FLB_MAJOR 1
ENV FLB_MINOR 0
ENV FLB_PATCH 2
ENV FLB_VERSION 1.0.2
ENV DEBIAN_FRONTEND noninteractive
ENV FLB_TARBALL http://github.com/fluent/fluent-bit/archive/v$FLB_VERSION.zip
RUN mkdir -p /fluent-bit/bin /fluent-bit/etc /fluent-bit/log /tmp/fluent-bit-master/
RUN apt-get update &&
apt-get install -y --no-install-recommends
build-essential
cmake
make
wget
unzip
libssl1.0-dev
libasl-dev
libsasl2-dev
pkg-config
libsystemd-dev
zlib1g-dev
ca-certificates
&& wget -O "/tmp/fluent-bit-${FLB_VERSION}.zip" ${FLB_TARBALL}
&& cd /tmp && unzip "fluent-bit-$FLB_VERSION.zip"
&& cd "fluent-bit-$FLB_VERSION"/build/
&& rm -rf /tmp/fluent-bit-$FLB_VERSION/build/*
WORKDIR /tmp/fluent-bit-$FLB_VERSION/build/
RUN cmake -DFLB_DEBUG=On
-DFLB_TRACE=Off
-DFLB_JEMALLOC=On
-DFLB_TLS=On
-DFLB_SHARED_LIB=Off
-DFLB_EXAMPLES=Off
-DFLB_HTTP_SERVER=On
-DFLB_IN_SYSTEMD=On
-DFLB_OUT_KAFKA=On ..
RUN make -j $(getconf _NPROCESSORS_ONLN)
RUN install bin/fluent-bit /fluent-bit/bin/
# Configuration files
COPY fluent-bit.conf
parsers.conf
parsers_java.conf
parsers_extra.conf
parsers_openstack.conf
parsers_cinder.conf
plugins.conf
/fluent-bit/etc/
COPY dissect.lua /fluent-bit/bin/
FROM gcr.io/distroless/cc
MAINTAINER Eduardo Silva
LABEL Description="Fluent Bit docker image" Vendor="Fluent Organization" Version="1.1"
COPY --from=builder /usr/lib/x86_64-linux-gnu/*sasl* /usr/lib/x86_64-linux-gnu/
COPY --from=builder /usr/lib/x86_64-linux-gnu/libz* /usr/lib/x86_64-linux-gnu/
COPY --from=builder /lib/x86_64-linux-gnu/libz* /lib/x86_64-linux-gnu/
COPY --from=builder /usr/lib/x86_64-linux-gnu/libssl.so* /usr/lib/x86_64-linux-gnu/
COPY --from=builder /usr/lib/x86_64-linux-gnu/libcrypto.so* /usr/lib/x86_64-linux-gnu/
# These below are all needed for systemd
COPY --from=builder /lib/x86_64-linux-gnu/libsystemd* /lib/x86_64-linux-gnu/
COPY --from=builder /lib/x86_64-linux-gnu/libselinux.so* /lib/x86_64-linux-gnu/
COPY --from=builder /lib/x86_64-linux-gnu/liblzma.so* /lib/x86_64-linux-gnu/
COPY --from=builder /usr/lib/x86_64-linux-gnu/liblz4.so* /usr/lib/x86_64-linux-gnu/
COPY --from=builder /lib/x86_64-linux-gnu/libgcrypt.so* /lib/x86_64-linux-gnu/
COPY --from=builder /lib/x86_64-linux-gnu/libpcre.so* /lib/x86_64-linux-gnu/
COPY --from=builder /lib/x86_64-linux-gnu/libgpg-error.so* /lib/x86_64-linux-gnu/
COPY --from=builder /fluent-bit /fluent-bit
#
EXPOSE 2020
# Entry point
CMD ["/fluent-bit/bin/fluent-bit", "-c", "/fluent-bit/etc/fluent-bit.conf"]
注意增加了 COPY dissect.lua /fluent-bit/bin/ ����。
然后就build鏡像即可。
使用姿勢(shì)
使用比較簡(jiǎn)單的�����。demo如下:
[FILTER]
Name lua
Match app.*
script /fluent-bit/bin/dissect.lua
call dissect
script lua腳本的存放路徑����。
call 即為lua函數(shù)名。
總結(jié)
通過寫這個(gè)filter�����,有一下幾個(gè)感悟吧��。
官方的鏡像基于谷歌的distroless鏡像�����,沒有shell�,沒有包管理,調(diào)試起來很費(fèi)力。平時(shí)的業(yè)務(wù)容器化場(chǎng)景中����,明顯的不合適,與阿里的富容器思維南轅北轍���。當(dāng)然除非你公司的業(yè)務(wù)開發(fā)能力足夠強(qiáng)����。
fluent bit 相關(guān)的資料還是有點(diǎn)少�。遇到問題和使用一些不明白的地方�,解決起來費(fèi)力。除非你是c專家���。官方文檔寫的也不夠詳細(xì)����,只是描述了個(gè)大概�����。
文章版權(quán)歸作者所有�,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為,您可以聯(lián)系管理員刪除。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/32847.html
