我正在设置管道以将 kubernetes pod 日志发送到弹性集群。我已在集群中将 filebeat 安装为 deamonset(流:stdout),并将输出连接到logstash。Beats 与 Logstash 连接没有问题,现在我想要来自应用程序命名空间的日志,而不是来自集群中所有命名空间的日志。有人可以指导我如何在beat adn中过滤它以及如何在es中查看来自json的源消息吗?
这是我的配置:
data:
kubernetes.yml: |-
- type: docker
containers:
path: "/var/lib/docker/containers"
stream: "stdout"
ids: "*"
multiline.pattern: '^\s'
multiline.match: after
fields:
logtype: container
multiline:
pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
negate: true
match: after
ignore_older: 1h
processors:
- add_kubernetes_metadata:
in_cluster: true
- decode_json_fields:
fields: ["log"]
overwrite_keys: true
target: ""
kibana 中的输出:
{
"_index": "filebeat-6.8.4-2020.03.06",
"_type": "doc",
"_id": "vHkzsHABJ57Tsdxxxxx",
"_version": 1,
"_score": null,
"_source": {
"log": {
"file": {
"path": "/var/lib/docker/containers/aa54562be9448183d69d8d2e1953e74560309176f044aed23484ac9e3260982c/sdnksdsdlsdnfsdlfslfnsdslfnsnlnflksdnflkdsfnsdflsdfndslffndslf-json.log"
}
},
"tags": [
"beats_input_codec_plain_applied", …