From 6f7b24926d7448443a8d2576a0d32d966d7454e3 Mon Sep 17 00:00:00 2001 From: dxin Date: Thu, 11 Dec 2025 15:17:03 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=94=B9filebast=E9=85=8D=E7=BD=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 filebast/us-prod-01/filebeat.yml | 2 +- filebast/us-prod-01/flymoon-admin.yml | 2 +- filebast/us-prod-02/filebeat.yml | 2 +- filebast/us-prod-02/flymoon-agent.yml | 2 +- filebast/us-prod-03/filebeat.yml | 4 ++-- filebast/us-prod-03/flymoon-agent.yml | 2 +- filebast/us-prod-03/flymoon-payment.yml | 2 +- 问IA.md | 27 +++++++++++++++++++++++++ 8 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/filebast/us-prod-01/filebeat.yml b/filebast/us-prod-01/filebeat.yml
index 4567db1..adbb640 100644
--- a/filebast/us-prod-01/filebeat.yml
+++ b/filebast/us-prod-01/filebeat.yml
@@ -18,7 +18,7 @@ processors:
 when:
 equals:
 log_type: admin.log
- tokenizer: '%{timestamp} %{level} %{pid} --- \\[%{thread}\\] %{class} : %{message}'
+ tokenizer: '%{timestamp} %{level} %{pid} --- [%{thread}] %{class} : [%{app_name->}] %{message}'
 field: "message"
 target_prefix: "mylog"
 ignore_missing: true
diff --git a/filebast/us-prod-01/flymoon-admin.yml b/filebast/us-prod-01/flymoon-admin.yml
index e386dae..d8266c0 100644
--- a/filebast/us-prod-01/flymoon-admin.yml
+++ b/filebast/us-prod-01/flymoon-admin.yml
@@ -9,7 +9,7 @@
 environment: us-pord # 自定义字段,标识机器环境名称
 instance: us-prod-01 # 自定义字段,标识机器名称
 fields_under_root: true
- multiline.pattern: '^\d{4}-\d{2}-\d{2}\ \d{2}:\d{2}:\d{2}\.\d{3}'
+ multiline.pattern: '^\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}'
 multiline.negate: true
 multiline.match: after
 ignore_older: 24h # 忽略旧日志文件(避免处理已归档的日志)
diff --git a/filebast/us-prod-02/filebeat.yml b/filebast/us-prod-02/filebeat.yml
index 79549b2..324b784 100644
--- a/filebast/us-prod-02/filebeat.yml
+++ b/filebast/us-prod-02/filebeat.yml
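Review bot: The new admin.log tokenizer in filebast/us-prod-01/filebeat.yml requires a literal `[app_name] ` segment between ` : ` and the message, which the previous pattern did not, so any admin.log line written without that bracketed field will fail dissect and be shipped without `mylog.*` fields. Unless `ignore_failure` is set outside the hunk, Filebeat tags such events with `log.flags: dissect_parsing_error`; watching that flag after rollout confirms whether the pattern matches what the service really writes. I would also document the expected layout above the tokenizer, e.g. `# expects: <timestamp> <LEVEL> <pid> --- [<thread>] <class> : [<app>] <message>`. The dissect block starts above the hunk, so its other options are not visible here.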
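Review bot: The new `multiline.pattern` in filebast/us-prod-01/flymoon-admin.yml accepts only a hyphen between date and time, and with `multiline.negate: true` / `multiline.match: after` a line whose timestamp still uses a space never starts a new event and is appended to the previous one. Whether every service has already switched format is not visible in the diff; files written before the switch but still inside `ignore_older: 24h` would have unrelated records merged into one event, which degrades later search and alerting on these logs. Accepting both separators avoids that: `multiline.pattern: '^\d{4}-\d{2}-\d{2}[ -]\d{2}:\d{2}:\d{2}\.\d{3}'`. The same applies to the flymoon-agent.yml hunks for us-prod-02 and us-prod-03 and to us-prod-03/flymoon-payment.yml. The unchanged context line `environment: us-pord` in these files also looks like a misspelling of `us-prod`, which would hide these hosts from queries that filter on the intended value.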
@@ -37,7 +37,7 @@ processors:
 when:
 equals:
 log_type: agent.log
- tokenizer: '%{date} %{time} %{level} %{pid} --- [%{thread}] %{class->} : [%{app}] %{message}'
+ tokenizer: '%{timestamp} %{level} %{pid} --- [%{thread}] %{class} : [%{app_name->}] %{message}'
 field: "message"
 target_prefix: "mylog"
 ignore_missing: true
diff --git a/filebast/us-prod-02/flymoon-agent.yml b/filebast/us-prod-02/flymoon-agent.yml
index e046f28..c88940a 100644
--- a/filebast/us-prod-02/flymoon-agent.yml
+++ b/filebast/us-prod-02/flymoon-agent.yml
@@ -9,7 +9,7 @@
 environment: us-pord # 自定义字段,标识机器环境名称
 instance: us-prod-02 # 自定义字段,标识机器名称
 fields_under_root: true
- multiline.pattern: '^\d{4}-\d{2}-\d{2}\ \d{2}:\d{2}:\d{2}\.\d{3}'
+ multiline.pattern: '^\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}'
 multiline.negate: true
 multiline.match: after
 ignore_older: 24h # 忽略旧日志文件(避免处理已归档的日志)
diff --git a/filebast/us-prod-03/filebeat.yml b/filebast/us-prod-03/filebeat.yml
index 7502646..b22d797 100644
--- a/filebast/us-prod-03/filebeat.yml
+++ b/filebast/us-prod-03/filebeat.yml
@@ -26,7 +26,7 @@ processors:
 when:
 equals:
 log_type: agent.log
- tokenizer: '%{date} %{time} %{level} %{pid} --- [%{thread}] %{class->} : [%{app}] %{message}'
+ tokenizer: '%{timestamp} %{level} %{pid} --- [%{thread}] %{class} : [%{app_name->}] %{message}'
 field: "message"
 target_prefix: "mylog"
 ignore_missing: true
@@ -38,7 +38,7 @@ processors:
 when:
 equals:
 log_type: payment.log
- tokenizer: '%{date} %{time} %{level} %{pid} --- [%{thread}] %{class->} : [%{app}] %{message}'
+ tokenizer: '%{timestamp} %{level} %{pid} --- [%{thread}] %{class} : [%{app_name->}] %{message}'
 field: "message"
 target_prefix: "mylog"
 ignore_missing: true
diff --git a/filebast/us-prod-03/flymoon-agent.yml b/filebast/us-prod-03/flymoon-agent.yml
index 36d1a96..15fa56a 100644
--- a/filebast/us-prod-03/flymoon-agent.yml
+++ b/filebast/us-prod-03/flymoon-agent.yml
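Review bot: The agent.log tokenizer in filebast/us-prod-02/filebeat.yml renames its output keys: with `target_prefix: "mylog"` events will now carry `mylog.timestamp` and `mylog.app_name` and no longer `mylog.date`, `mylog.time` or `mylog.app`. Saved searches, dashboards, alert rules or index templates that reference the old names would stop matching without any error; whether such consumers exist is not visible here, so this should be checked before the config is deployed. The `->` modifier also moved from `class` to `app_name`; if the logger name is space-padded in the log line, confirm on a real sample that `mylog.class` does not pick up trailing spaces. Both points apply equally to the two tokenizer hunks in filebast/us-prod-03/filebeat.yml.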
@@ -9,7 +9,7 @@
 environment: us-pord # 自定义字段,标识机器环境名称
 instance: us-prod-03 # 自定义字段,标识机器名称
 fields_under_root: true
- multiline.pattern: '^\d{4}-\d{2}-\d{2}\ \d{2}:\d{2}:\d{2}\.\d{3}'
+ multiline.pattern: '^\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}'
 multiline.negate: true
 multiline.match: after
 ignore_older: 24h # 忽略旧日志文件(避免处理已归档的日志)
diff --git a/filebast/us-prod-03/flymoon-payment.yml b/filebast/us-prod-03/flymoon-payment.yml
index 833682f..ed4782e 100644
--- a/filebast/us-prod-03/flymoon-payment.yml
+++ b/filebast/us-prod-03/flymoon-payment.yml
@@ -9,7 +9,7 @@
 environment: us-pord
 instance: us-prod-03
 fields_under_root: true
- multiline.pattern: '^\d{4}-\d{2}-\d{2}\ \d{2}:\d{2}:\d{2}\.\d{3}'
+ multiline.pattern: '^\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}'
 multiline.negate: true
 multiline.match: after
 ignore_older: 24h # 忽略旧日志文件(避免处理已归档的日志)
diff --git a/问IA.md b/问IA.md
index b1f7338..ef69aaf 100644
--- a/问IA.md
+++ b/问IA.md
@@ -341,3 +341,30 @@ Swap: 8.0Gi 3.9Gi 4.1Gi 从工作进程上分析,从内 3、相比上次查询,哪个子进程没了,哪个子进程出现了 ====2025-10-01 10:01:00 ====
+