Filebeat 7.2 - 将日志从 Docker 容器保存到 Logstash

问题描述 投票:0回答:2

我的 ec2 实例上运行着一些 Docker 容器。

我想将这些容器中的日志直接保存到Logstash(弹性云)。

当我尝试手动安装 Filebeat 时,一切正常。 我已经使用

下载了它 
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.2.0-linux-x86_64.tar.gz

我已经解压它,将 filebeat.yml 配置更改为

filebeat.inputs:

- type: log

  enabled: true

  fields:
    application: "myapp"

  fields_under_root: true

  paths:
    - /var/lib/docker/containers/*/*.log

cloud.id: "iamnotshowingyoumycloudidthisisjustfake"
cloud.auth: "elastic:mypassword"

这工作得很好,在 Kibana 中搜索 application: "myapp" 后我可以找到我的日志。

但是,当我尝试从 Docker 运行 Filebeat 时,没有成功。

这是我的 docker-compose.yml 的 filebeat 部分

filebeat:
    image: docker.elastic.co/beats/filebeat:7.2.0
    container_name: filebeat
    volumes:
      - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - /var/run/docker.sock:/var/run/docker.sock #needed for autodiscover

我之前手动执行的 filebeat.yml 不起作用,所以我尝试了很多示例,但没有任何效果。这是一个我认为应该可行的例子,但事实并非如此。 Docker 容器启动没有问题,但不知何故无法从日志文件中读取。

filebeat.autodiscover:
  providers:
    - type: docker

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/lib/docker/containers/*/*.log
  json.keys_under_root: true
  json.add_error_key: true
  fields_under_root: true
  fields:
    application: "myapp"

cloud.id: "iamnotshowingyoumycloudidthisisjustfake"
cloud.auth: "elastic:mypassword"

我也尝试过类似的事情

filebeat.autodiscover:
  providers:
    - type: docker
      templates:
        config:
          - type: docker
            containers.ids:
              - "*"

filebeat.inputs:
  - type: docker
    containers.ids:
      - "*"
    processors:
      - add_docker_metadata:
    fields:
      application: "myapp"
    fields_under_root: true

cloud.id: "iamnotshowingyoumycloudidthisisjustfake"
cloud.auth: "elastic:mypassword"

我不知道还能尝试什么,filebeat 日志仍然显示

 "harvester":{"open_files":0,"running":0}}

我 100% 确定来自容器的日志位于 /var/lib/docker/containers/*/*.log 下...正如我所说,Filebeat 在手动安装时有效,而不是作为 docker 映像。

有什么建议吗?

Filebeat 输出日志

2019-07-23T05:35:58.128Z        INFO    instance/beat.go:292    Setup Beat: filebeat; Version: 7.2.0
2019-07-23T05:35:58.128Z        INFO    [index-management]      idxmgmt/std.go:178      Set output.elasticsearch.index to 'filebeat-7.2.0' as ILM is enabled.
2019-07-23T05:35:58.129Z        INFO    elasticsearch/client.go:166     Elasticsearch url: https://123456789.us-east-1.aws.found.io:443
2019-07-23T05:35:58.129Z        INFO    [publisher]     pipeline/module.go:97   Beat name: e3e5163f622d
2019-07-23T05:35:58.136Z        INFO    [monitoring]    log/log.go:118  Starting metrics logging every 30s
2019-07-23T05:35:58.142Z        INFO    instance/beat.go:421    filebeat start running.
2019-07-23T05:35:58.142Z        INFO    registrar/migrate.go:104        No registry home found. Create: /usr/share/filebeat/data/registry/filebeat
2019-07-23T05:35:58.142Z        INFO    registrar/migrate.go:112        Initialize registry meta file
2019-07-23T05:35:58.144Z        INFO    registrar/registrar.go:108      No registry file found under: /usr/share/filebeat/data/registry/filebeat/data.json. Creating a new registry file.
2019-07-23T05:35:58.146Z        INFO    registrar/registrar.go:145      Loading registrar data from /usr/share/filebeat/data/registry/filebeat/data.json
2019-07-23T05:35:58.146Z        INFO    registrar/registrar.go:152      States Loaded from registrar: 0
2019-07-23T05:35:58.146Z        INFO    crawler/crawler.go:72   Loading Inputs: 1
2019-07-23T05:35:58.146Z        WARN    [cfgwarn]       docker/input.go:49      DEPRECATED: 'docker' input deprecated. Use 'container' input instead. Will be removed in version: 8.0.0
2019-07-23T05:35:58.150Z        INFO    log/input.go:148        Configured paths: [/var/lib/docker/containers/*/*.log]
2019-07-23T05:35:58.150Z        INFO    input/input.go:114      Starting input of type: docker; ID: 11882227825887812171
2019-07-23T05:35:58.150Z        INFO    crawler/crawler.go:106  Loading and starting Inputs completed. Enabled inputs: 1
2019-07-23T05:35:58.150Z        WARN    [cfgwarn]       docker/docker.go:57     BETA: The docker autodiscover is beta
2019-07-23T05:35:58.153Z        INFO    [autodiscover]  autodiscover/autodiscover.go:105        Starting autodiscover manager
2019-07-23T05:36:28.144Z        INFO    [monitoring]    log/log.go:145  Non-zero metrics in the last 30s        
{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":{"ms":17}},"total":{"ticks":40,"time":{"ms":52},"value":40},"user":{"ticks":30,"time":{"ms":35}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":9},"info":{"ephemeral_id":"4427db93-2943-4a8d-8c55-6a2e64f19555","uptime":{"ms":30111}},"memstats":{"gc_next":4194304,"memory_alloc":2118672,"memory_total":6463872,"rss":28352512},"runtime":{"goroutines":34}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"elasticsearch"},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0},"writes":{"success":1,"total":1}},"system":{"cpu":{"cores":1},"load":{"1":0.31,"15":0.03,"5":0.09,"norm":{"1":0.31,"15":0.03,"5":0.09}}}}}}
docker logstash kibana filebeat
2个回答
0
投票

嗯,我在 Filebeat 配置中没有看到任何明显的原因说明它不起作用,我有一个为 6.x Filebeat 运行的非常相似的配置。

我建议在容器上执行 

docker inspect
并确认安装是否存在,也许检查权限,但错误可能会显示在日志中。

您也可以尝试使用 

container input
吗?我相信这是 7.2+ 中容器日志的推荐方法:https://www.elastic.co/guide/en/beats/filebeat/7.2/filebeat-input-container.html

0
投票

我建议使用容器输入来使用 docker 输入,您必须安装 docker 套接字,这在大多数用例中是不可行的。配置可以在这里找到https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html。我建议使用容器输入,因为它使其更通用,也许稍后您会想要转移到 k8 集群,它也会在那里运行:)

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.