How do I get fluentd / elasticsearch to parse the "log" key_name as json from a kubernetes pod?

I am having issues trying to get logs into elasticsearch from fluentd in a k8s cluster.

I have several web applications which output their logs as json. Using a simple setup locally with docker containers I can get elastic to read and parse the logs correctly. Here is a sample of the local json shown in kibana:

{
  "_index": "logstash-2020.01.17",
  "_type": "fluentd",
  "_id": "S620sm8B2LEvFR841ylg",
  "_version": 1,
  "_score": null,
  "_source": {
    "log": {
      "@timestamp": "2020-01-17T08:53:03.066290",
      "caller": "StaticFileHelper.py::get",
      "data": {
        "python.thread": "Thread-1[{record.thread}]",
        "python.lineno": 45,
        "python.filename": "StaticFileHelper.py",
        "python.logger_name": "root",
        "python.module": "StaticFileHelper",
        "python.funcName": "get",
        "python.pid": 11239
      },
      "message": "application/javascript",
      "level": "INFO"
    },
    "@timestamp": "2020-01-17T08:53:03.000000000+00:00"
  },
  "fields": {
    "@timestamp": [
      "2020-01-17T08:53:03.000Z"
    ],
    "log.@timestamp": [
      "2020-01-17T08:53:03.066Z"
    ]
  },
  "sort": [
    1579251183000
  ]
}

Under the index patterns I can see the correct mappings. The mappings update when I introduce new fields into the logging output. Sample of output here:

log.@timestamp: date
log.caller: string
log.caller.keyword: string
log.data.python.filename: string
log.data.python.filename.keyword: string
log.data.python.funcName: string

In the cluster the "log" field is not being parsed correctly:

{
  "_index": "logstash-2020.01.17",
  "_type": "fluentd",
  "_id": "atUDs28BFgXM_nqQvYUY",
  "_version": 1,
  "_score": null,
  "_source": {
    "log": "{'@timestamp': '2020-01-17T10:19:21.775339', 'caller': 'RequestLoggingManager.py::print_request_id', 'data': {'python.thread': 'MainThread[{record.thread}]', 'python.lineno': 28, 'python.filename': 'RequestLoggingManager.py', 'python.logger_name': 'root', 'python.module': 'RequestLoggingManager', 'python.funcName': 'print_request_id', 'request_id': '1579256361-1494-XYyVj', 'python.pid': 8}, 'message': 'request: \"1579256361-1497-JUeYF\" is about to enter \"get_settings\"', 'level': 'INFO'}\n",
    "stream": "stderr",
    "docker": {
      "container_id": "fc5b0d5b0aa4008961b18dfe93c4e04b2cfbde0f7ff072dc702c55823baba3a4"
    },
    "kubernetes": {
      "container_name": "cms",
      "namespace_name": "default",
      "pod_name": "cms-68c4b49657-b88hs",
      "container_image": "HIDDEN",
      "container_image_id": "HIDDEN",
      "pod_id": "ffc6a681-390b-11ea-bcac-42010a8000be",
      "labels": {
        "app": "cms",
        "pod-template-hash": "68c4b49657",
        "version": "1.0.0"
      },
      "host": "HIDDEN",
      "master_url": "https://10.0.0.1:443/api",
      "namespace_id": "1ede7315-14fa-11ea-95c1-42010a80010f"
    },
    "@timestamp": "2020-01-17T10:19:21.776876369+00:00",
    "tag": "kubernetes.var.log.containers.cms-68c4b49657-b88hs_default_cms-fc5b0d5b0aa4008961b18dfe93c4e04b2cfbde0f7ff072dc702c55823baba3a4.log"
  },
  "fields": {
    "@timestamp": [
      "2020-01-17T10:19:21.776Z"
    ]
  },
  "highlight": {
    "kubernetes.labels.app": [
      "@kibana-highlighted-field@cms@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1579256361776
  ]
}

The mappings are being shown as:

log: string
log.keyword: string

None of the custom json mappings are recognised.

Is there a way of customising this "log" field and if so where do I need to make the changes? I am quite new to fluentd and elastic so any help would be appreciated!

I am using the fluent/fluentd-kubernetes-daemonset on kubernetes.

To get around this I pulled and ran the fluent/fluentd-kubernetes-daemonset:v1.4.2-debian-elasticsearch-1.1 image locally in docker. Had to make sure I specified FLUENT_ELASTICSEARCH_USER and FLUENT_ELASTICSEARCH_PASSWORD as env variables on the initial run as the entrypoint.sh tries to substitute information in the container's fluent.conf file. If you don't specify a password it wipes out the information in the file.

Then it was a case of exec'ing into the running container and adding the following information into fluent.conf:

<filter **>
  @type record_transformer
  <record>
    log_json ${record["log"]}
  </record>
</filter>


<filter **>
  @type parser
  @log_level debug
  key_name log_json
  reserve_data true
  remove_key_name_field true
  emit_invalid_record_to_error false
  <parse>
    @type json
  </parse>
</filter>

After this I exited and stopped the container, committed the container to a brand new image in my own repo on Docker Hub and referenced the new image in the DaemonSet yaml file which we were using to deploy up to k8s.

This may not be the slickest or the most efficient method but in the absence of any docs on how to customise the fluentd.conf, this did the trick for now.
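An added example, not part of the original post: a simplified Python model of the two filters above, run on a shortened copy of the cluster "log" value from the question, to show what happens when that string is a Python dict repr (single quotes) rather than JSON. It assumes the documented parser-filter behaviour that a failed parse with reserve_data true passes the record through unchanged; `parser_filter`, `run_pipeline` and `to_json_line` are hypothetical names.

```python
import ast
import json

# Constructed sample: shortened copy of the cluster "log" value from the question.
SAMPLE_LOG = (
    "{'@timestamp': '2020-01-17T10:19:21.775339', "
    "'message': 'request: \"1579256361-1497-JUeYF\" is about to enter \"get_settings\"', "
    "'level': 'INFO'}\n"
)


def parser_filter(record, key_name="log_json", reserve_data=True,
                  remove_key_name_field=True):
    """Simplified model of the <filter> @type parser block (assumption, not fluentd code)."""
    raw = record.get(key_name)
    try:
        values = json.loads(raw) if isinstance(raw, str) else None
    except json.JSONDecodeError:
        values = None
    if not isinstance(values, dict):
        # Parse failure: reserve_data keeps the record as it was, and
        # emit_invalid_record_to_error false means nothing is reported.
        return dict(record) if reserve_data else None
    out = dict(record) if reserve_data else {}
    if remove_key_name_field:
        out.pop(key_name, None)  # dropped only after a successful parse
    out.update(values)           # parsed keys are merged at the top level
    return out


def run_pipeline(log_line):
    """record_transformer copy (log -> log_json) followed by the parser filter."""
    record = {"log": log_line, "stream": "stderr"}
    record["log_json"] = record["log"]
    return parser_filter(record)


def to_json_line(repr_line):
    """Re-encode a Python dict repr as JSON; literal_eval accepts literals only."""
    return json.dumps(ast.literal_eval(repr_line.strip()))


if __name__ == "__main__":
    print(sorted(run_pipeline(SAMPLE_LOG)))
    print(sorted(run_pipeline(to_json_line(SAMPLE_LOG))))
```

If the parsed keys never reach the index, check that the application writes its log lines with `json.dumps` rather than `str()` of a dict, since the json parser rejects single-quoted keys and this configuration does not report the failure.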
