注意事项

1. 需要将namespace修改为自己项目中的命名空间

2. es换成对应的地址

3. filebeat-inputs中的两个配置（根据需要用任意一个就可以）

3.1 第一个配置是监听docker日志，由于系统日志太多所以这里只监听项目部署命名空间下的内容

- type: dockercontainers.ids:- "*"exclude_files: ['.*/syslog.*']  # 排除系统日志文件（示例）  multiline.pattern: '^\d{4}-\d{2}-\d{2}'multiline.negate: truemultiline.match: afterprocessors:- drop_fields:fields: ["input_type", "offset", "stream", "beat"]- add_kubernetes_metadata:in_cluster: true- drop_event:when:or:# 丢弃不属于 gateway 和 api 容器的日志- not:or:- equals:kubernetes.container.name: "gateway"  # 只记录 gateway 容器- equals:kubernetes.container.name: "api"  # 只记录 api 容器# 丢弃健康检查相关的日志- contains:message: "/health/status"

3.2 第二个是配置监听指定文件夹下的所有日志信息，日志有变更就会发送到es中（如果修改路径地址，需要把挂载logger-path路径一并改掉）

	- type: logenabled: truepaths:- /home/k8s/logger/*/*.txt    # 指定文件夹下的日志multiline.pattern: '^\d{4}-\d{2}-\d{2}' # 长文本合并multiline.negate: truemultiline.match: afterfields_under_root: trueexclude_lines: ['^DEBUG']  # 可选，排除 DEBUG 日志exclude_files: ['.gz$'] # 排除压缩文件

完整配置

---
apiVersion: v1
kind: ConfigMap
metadata:name: filebeat-confignamespace: giteelabels:k8s-app: filebeat
data:filebeat.yml: |-filebeat.config:inputs:# Mounted `filebeat-inputs` configmap:path: ${path.config}/inputs.d/*.yml# Reload inputs configs as they change:reload.enabled: truemodules:path: ${path.config}/modules.d/*.yml# Reload module configs as they change:reload.enabled: falseoutput.elasticsearch:hosts: ['elasticsearch.gitee:9200']
---
apiVersion: v1
kind: ConfigMap
metadata:name: filebeat-inputsnamespace: giteelabels:k8s-app: filebeat
data:kubernetes.yml: |-- type: dockercontainers.ids:- "*"exclude_files: ['.*/syslog.*']multiline.pattern: '^\d{4}-\d{2}-\d{2}'multiline.negate: truemultiline.match: afterprocessors:- drop_fields:fields: ["input_type", "offset", "stream", "beat"]- add_kubernetes_metadata:in_cluster: true- drop_event:when:and:- not:or:- equals:kubernetes.container.name: "gateway"- equals:kubernetes.container.name: "api"- contains:message: "/health/status"file-logs.yml: |-- type: logenabled: truepaths:- /home/k8s/logger/*/*.txtmultiline.pattern: '^\d{4}-\d{2}-\d{2}'multiline.negate: truemultiline.match: afterfields_under_root: trueexclude_lines: ['^DEBUG']exclude_files: ['.gz$']
---
apiVersion: apps/v1
kind: DaemonSet
metadata:name: filebeatnamespace: giteelabels:k8s-app: filebeat
spec:selector:matchLabels:k8s-app: filebeattemplate:metadata:labels:k8s-app: filebeatspec:serviceAccountName: filebeatterminationGracePeriodSeconds: 30containers:- name: filebeatimage: elastic/filebeat:7.9.2args: ["-c", "/etc/filebeat.yml","-e",]securityContext:runAsUser: 0resources:limits:memory: 200Mirequests:cpu: 100mmemory: 100MivolumeMounts:- name: configmountPath: /etc/filebeat.ymlreadOnly: truesubPath: filebeat.yml- name: inputsmountPath: /usr/share/filebeat/inputs.dreadOnly: true- name: datamountPath: /usr/share/filebeat/data- name: varlibdockercontainersmountPath: /var/lib/docker/containersreadOnly: true- name: logger-path # 持久化地址mountPath: /home/k8s/logger/volumes:- name: configconfigMap:defaultMode: 0600name: filebeat-config- name: varlibdockercontainershostPath:path: /var/lib/docker/containers- name: inputsconfigMap:defaultMode: 0600name: filebeat-inputs- name: datahostPath:path: /var/lib/filebeat-datatype: DirectoryOrCreate- name: logger-pathhostPath:path: /home/k8s/logger/type: Directory
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: filebeat
subjects:
- kind: ServiceAccountname: filebeatnamespace: gitee
roleRef:kind: ClusterRolename: filebeatapiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: filebeatlabels:k8s-app: filebeat
rules:
- apiGroups: [""] # "" indicates the core API groupresources:- namespaces- podsverbs:- get- watch- list
---
apiVersion: v1
kind: ServiceAccount
metadata:name: filebeatnamespace: giteelabels:k8s-app: filebeat