From e16d53537e70f3bf1d5c00cdf001d180435cc805 Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Fri, 13 Oct 2017 16:28:35 +0530 Subject: [PATCH 1/8] Create k8s-logging-cfg.yml --- k8s-logging-cfg.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 k8s-logging-cfg.yml diff --git a/k8s-logging-cfg.yml b/k8s-logging-cfg.yml new file mode 100644 index 0000000..0a6bd5d --- /dev/null +++ b/k8s-logging-cfg.yml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: logging-cfg + namespace: default +data: + filebeat.yml: | + filebeat.registry_file: /var/log/containers/filebeat_registry + + filebeat.prospectors: + - input_type: log + paths: + - "/var/lib/docker/containers/*/*.log" + symlinks: true + json.keys_under_root: true + json.add_error_key: true + json.message_key: log + multiline.pattern: '^\s' + multiline.match: after + document_type: kube-logs + + output.logstash: + hosts: ${LOGSTASH_HOSTS:?No logstash host configured. Use env var LOGSTASH_HOSTS to set hosts.} + timeout: 15 + # Available log levels are: critical, error, warning, info, debug + logging.level: info From 520d2ef7a538c75e09f00affbb84b40081f9dd77 Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Fri, 13 Oct 2017 17:02:42 +0530 Subject: [PATCH 2/8] Create k8s-logging-filebeat.yml --- k8s-logging-filebeat.yml | 60 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 k8s-logging-filebeat.yml diff --git a/k8s-logging-filebeat.yml b/k8s-logging-filebeat.yml new file mode 100644 index 0000000..a181be7 --- /dev/null +++ b/k8s-logging-filebeat.yml @@ -0,0 +1,60 @@ +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: logging-filebeat + namespace: default + labels: + name: logging-filebeat +spec: + template: + metadata: + labels: + name: logging-filebeat + name: logging-filebeat + spec: + containers: + - name: filebeat + image: filebeat:latest + env: + - name: LOGSTASH_HOSTS + value: logstash.default.svc.cluster.local:5044 + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + cpu: 50m + memory: 100Mi + securityContext: + privileged: true + runAsUser: 0 + volumeMounts: + - name: config-volume + mountPath: /etc/filebeat + - name: varlogcontainers + mountPath: /var/log/containers + - name: varlogpods + mountPath: /var/log/pods + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + terminationGracePeriodSeconds: 30 + volumes: + # mount /var/log/containers to get friendly named symlinks to actual logs + - name: varlogcontainers + hostPath: + path: /var/log/containers + # mount /var/log/pods as its where pod logs are collected + - name: varlogpods + hostPath: + path: /var/log/pods + # mount /var/lib/docker/containers which is where the logs _actually_ are + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers + # mount the configmap with the filebeat config file + - name: config-volume + configMap: + name: logging-cfg + items: + - key: filebeat.yml + path: filebeat.yml From 916488739d797cb9fe01514024bba13149c4fc1c Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Fri, 13 Oct 2017 17:03:49 +0530 Subject: [PATCH 3/8] Update k8s-logging-filebeat.yml --- k8s-logging-filebeat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-logging-filebeat.yml b/k8s-logging-filebeat.yml index a181be7..373d06e 100644 --- a/k8s-logging-filebeat.yml +++ b/k8s-logging-filebeat.yml @@ -14,7 +14,7 @@ spec: spec: containers: - name: filebeat - image: filebeat:latest + image: docker.elastic.co/beats/filebeat:5.3.2 env: - name: LOGSTASH_HOSTS value: logstash.default.svc.cluster.local:5044 From a1d542fab7abd6b292ebfaad0aa0b03a301546a5 Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Fri, 13 Oct 2017 17:06:17 +0530 Subject: [PATCH 4/8] Update k8s-logging-filebeat.yml --- k8s-logging-filebeat.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/k8s-logging-filebeat.yml b/k8s-logging-filebeat.yml index 373d06e..dbdd37e 100644 --- a/k8s-logging-filebeat.yml +++ b/k8s-logging-filebeat.yml @@ -14,10 +14,10 @@ spec: spec: containers: - name: filebeat - image: docker.elastic.co/beats/filebeat:5.3.2 + image: apsops/filebeat-kubernetes env: - - name: LOGSTASH_HOSTS - value: logstash.default.svc.cluster.local:5044 + - name: LOGSTASH_HOSTS + value: logstash.default.svc.cluster.local:5044 resources: requests: cpu: 50m From 3d888beb9cfa55f20bcc4bd4fc1de9dba8212fb0 Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Thu, 19 Oct 2017 13:37:28 +0530 Subject: [PATCH 5/8] Update k8s-logging-cfg.yml --- k8s-logging-cfg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-logging-cfg.yml b/k8s-logging-cfg.yml index 0a6bd5d..019ae73 100644 --- a/k8s-logging-cfg.yml +++ b/k8s-logging-cfg.yml @@ -10,7 +10,7 @@ data: filebeat.prospectors: - input_type: log paths: - - "/var/lib/docker/containers/*/*.log" + - "/var/log/containers/*.log" symlinks: true json.keys_under_root: true json.add_error_key: true From 8e62088a761acc5065da2ade55e3e85f29ff0fe0 Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Thu, 19 Oct 2017 13:44:23 +0530 Subject: [PATCH 6/8] Update k8s-logging-cfg.yml --- k8s-logging-cfg.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/k8s-logging-cfg.yml b/k8s-logging-cfg.yml index 019ae73..44b4369 100644 --- a/k8s-logging-cfg.yml +++ b/k8s-logging-cfg.yml @@ -17,10 +17,13 @@ data: json.message_key: log multiline.pattern: '^\s' multiline.match: after - document_type: kube-logs + document_type: kube-logs + fields: + host: ${FILEBEAT_HOST:${HOSTNAME}} + fields_under_root: true output.logstash: hosts: ${LOGSTASH_HOSTS:?No logstash host configured. Use env var LOGSTASH_HOSTS to set hosts.} timeout: 15 # Available log levels are: critical, error, warning, info, debug - logging.level: info + logging.level: ${LOG_LEVEL:error} From 0485044967efb398627d0a29dd87ec81886b2b59 Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Thu, 19 Oct 2017 13:49:00 +0530 Subject: [PATCH 7/8] Update k8s-logging-filebeat.yml --- k8s-logging-filebeat.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/k8s-logging-filebeat.yml b/k8s-logging-filebeat.yml index dbdd37e..24abf29 100644 --- a/k8s-logging-filebeat.yml +++ b/k8s-logging-filebeat.yml @@ -18,6 +18,12 @@ spec: env: - name: LOGSTASH_HOSTS value: logstash.default.svc.cluster.local:5044 + - name: LOG_LEVEL + value: info + - name: FILEBEAT_HOST + valueFrom: + fieldRef: + fieldPath: spec.nodeName resources: requests: cpu: 50m From 9375037a9b52f7f71b5f3396e568e8aedbfdef7b Mon Sep 17 00:00:00 2001 From: Ekambaram Pasham Date: Thu, 19 Oct 2017 13:57:26 +0530 Subject: [PATCH 8/8] Update README.md --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 38c7cc5..fda949f 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,8 @@ spec: fieldRef: fieldPath: spec.nodeName volumeMounts: + - name: config-volume + mountPath: /etc/filebeat - name: varlog mountPath: /var/log/containers - name: varlogpods @@ -62,6 +64,12 @@ spec: - key: node-role.kubernetes.io/master effect: NoSchedule volumes: + - name: config-volume + configMap: + name: logging-cfg + items: + - key: filebeat.yml + path: filebeat.yml - name: varlog hostPath: path: /var/log/containers