openshift3.11部署eck1.6+es7.14.1
部署eck-operator
wget https://download.elastic.co/downloads/eck/1.6.0/all-in-one.yaml
oc apply -f all-in-one.yaml部署elasticsaerch
创建 es-elasticsearch.yaml
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: es
namespace: elastic-system
spec:
version: 7.14.1
http:
tls:
selfSignedCertificate:
disabled: true
nodeSets:
- name: master
count: 1
config:
node.roles: ["master", "data", "ingest", "ml", "transform"]
volumeClaimTemplates:
- metadata:
name: elasticsearch-data # pvc 名称不支持修改
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 99Gi
storageClassName: fast-disks
podTemplate:
spec:
nodeSelector:
node-role.kubernetes.io/logging: 'true'
initContainers:
- name: sysctl
securityContext:
privileged: true
command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
containers:
- name: elasticsearch
securityContext:
privileged: true
env:
- name: ES_JAVA_OPTS
value: "-Xms11g -Xmx11g"
resources:
limits:
memory: 12Gi
requests:
memory: 12Gioc apply -f es-elasticsearch.yaml部署 Kibana
创建 es-kibana.yaml
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
name: es
namespace: elastic-system
spec:
version: 7.14.1
count: 1
elasticsearchRef:
name: esoc apply -f es-kibana.yaml查看kibana登录密码 账号 elastic
kubectl get secret es-es-elastic-user -o=jsonpath='{.data.elastic}' -n elastic-system | base64 --decode; echo创建elasticsaerch 过滤pipeline
在 https://grokdebug.herokuapp.com/ 在线调试 Grok 正则表达式
通过 kibana dev-tools console 设置 grok 正则 pipeline
通过 kibana dev tools grokdebugger https://eck-kb.xxx.xxx/app/dev_tools#/grokdebugger 测试正则
打开 kibana 自带的 dev-tools console https://eck-kb.xx.xxx/app/dev_tools#/console 创建pipeline
PUT /_ingest/pipeline/access_pipeline
{
"description":"access pipeline",
"processors":[
{
"grok":{
"field":"message",
"patterns":[
"""^\[(?<app_name>[^ ]*)\] \[(?<hostname>[^ ]*)\] (?<ip>[^ ]*) - \[(?<logtime>.*)\] (?<method>[^ ]*) (?<uri>[^ ]*) (?<http_version>[^ ]*) (?<http_code>[^ ]*) (?<response_time>[^ ]*) (?<body_size>[^ ]*) (?<x_request_id>[^ ]*) "(?<other>[^"]*)"""
]
}
}
]
}PUT /_ingest/pipeline/business_pipeline
{
"description":"business pipeline",
"processors":[
{
"grok":{
"field":"message",
"patterns":[
"""^\[(?<level>.*)\] (?<logtime>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})) (?<message>.*)"""
]
}
}
]
}部署 filebeat
创建 filebeat.yaml
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
name: filebeat
namespace: elastic-system
spec:
type: filebeat
version: 7.14.1
elasticsearchRef:
name: es
config:
filebeat.inputs:
- type: log
paths:
- /aos/pn-api/logs/access_*.log
fields:
app: pn-api
type: access
pipeline: access_pipeline
- type: log
multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
paths:
- /aos/pn-api/logs/pn_*.log
fields:
app: pn-api
type: business
pipeline: business_pipeline
- type: log
paths:
- /data/bfs-gateway/runtime/logs/access.*.log
fields:
app: gw
type: access
pipeline: access_pipeline
- type: log
multiline.type: pattern
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
paths:
- /data/bfs-gateway/runtime/logs/gw.*.log
fields:
app: gw
type: business
pipeline: business_pipeline
daemonSet:
podTemplate:
spec:
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
securityContext:
runAsUser: 0
containers:
- name: filebeat
securityContext:
runAsUser: 0
# If using Red Hat OpenShift uncomment this:
privileged: true
volumeMounts:
- name: aos
mountPath: /aos
readOnly: true
- name: data
mountPath: /data
readOnly: true
- mountPath: /etc/localtime
name: localtime
readOnly: true
volumes:
- name: aos
hostPath:
path: /aos
- name: data
hostPath:
path: /data
- name: localtime
hostPath:
path: /etc/localtime部署 journalbeat
创建 journalbeat.yaml
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
name: journald
namespace: elastic-system
spec:
type: journalbeat
version: 7.14.1
elasticsearchRef:
name: es # 关联的 es 名称
config:
journalbeat.inputs:
- paths: []
seek: cursor
cursor_seek_fallback: tail
processors:
- add_cloud_metadata: {}
- add_host_metadata: {}
daemonSet:
podTemplate:
spec:
automountServiceAccountToken: true # some older Beat versions are depending on this settings presence in k8s context
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: journalbeat
volumeMounts:
- mountPath: /var/log/journal
name: var-journal
- mountPath: /run/log/journal
name: run-journal
- mountPath: /etc/machine-id
name: machine-id
securityContext:
runAsUser: 0
# If using Red Hat OpenShift uncomment this:
privileged: true
hostNetwork: true # Allows to provide richer host metadata
securityContext:
runAsUser: 0
terminationGracePeriodSeconds: 30
volumes:
- hostPath:
path: /var/log/journal
name: var-journal
- hostPath:
path: /run/log/journal
name: run-journal
- hostPath:
path: /etc/machine-id
name: machine-idoc apply -f journalbeat.yamlLast updated