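---
# Filebeat configuration for Kubernetes log collection, shipped as a ConfigMap.
#
# Security notes for maintainers:
#   * ConfigMap data is not treated as secret by Kubernetes; anyone who can
#     read ConfigMaps in kube-system can read everything below. Credentials
#     therefore must not be written here -- the Elasticsearch password is
#     resolved from the environment instead (see output.elasticsearch).
#   * The password that used to be embedded in this file should be considered
#     exposed and rotated.
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
data:
  filebeat.yml: |
    setup.ilm.enabled: false
    setup.template.enabled: false

    filebeat.autodiscover:
      providers:
        - type: kubernetes
          node: ${NODE_NAME}
          hints.enabled: false
          templates:
            # ---------- Template 1: Java admin, agent and payment Pods; Java 21 projects with multi-line stack-trace text logs ----------
            - condition:
                equals:
                  kubernetes.namespace: "sit"   # assumes the business pods run in the sit namespace
                # or:
                #   - equals:
                #       kubernetes.labels.app: "flymoon-admin"
                #   - equals:
                #       kubernetes.labels.app: "flymoon-agent"
                #   - equals:
                #       kubernetes.labels.app: "flymoon-payment"
              config:
                - type: filestream
                  id: "k8s-log-${data.kubernetes.container.id}"
                  prospector.scanner.symlinks: true
                  parsers:
                    - container: ~
                  paths:
                    - /var/log/containers/*-${data.kubernetes.container.id}.log
                  # multiline:
                  #   pattern: '^\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}'
                  #   negate: true
                  #   match: after
                  # ignore_older: 24h
                  # scan_frequency: 10s
                  # clean_inactive: 25h
                  # close_inactive: 5m
                  # close_renamed: true
                  # start_position: beginning
                  # These values are copied from pod labels, i.e. they are set by
                  # whoever deploys the workload; treat them as untrusted input
                  # in downstream dashboards and alert rules.
                  fields:
                    application: ${data.kubernetes.labels.app}
                    log_type: ${data.kubernetes.labels.log_type}
                    environment: ${data.kubernetes.labels.environment}
                    instance: ${data.kubernetes.host}
                  processors:
                    - add_kubernetes_metadata:
                        host: ${NODE_NAME}
                    - add_fields:
                        fields:
                          log_source: k8s
                        target: 'mylog'
                    # Splits the Java log line into mylog.* fields; lines that do
                    # not match the tokenizer are still shipped.
                    - dissect:
                        tokenizer: "%{timestamp} [%{thread}] %{level} %{class} - [%{method},%{line}] - %{message}"
                        field: "message"
                        target_prefix: "mylog"
                        ignore_missing: true
                        overwrite_keys: true

            # ---------- Java email-service Pod: Java 1.8 project with free-form text logs; format differs from the Java 21 projects but also carries stack traces ----------

            # ---------- Go relay-service Pod: JSON logs ----------

            # ---------- Python lessie-agent Pod: text-only logs; some logs must be excluded from collection ----------

            # ---------- Python apex Pod: JSON logs ----------

            # ---------- nginx Pod serving front-end static assets: nginx-format logs ----------

    # ---- Output to Elasticsearch ----
    output.elasticsearch:
      # NOTE(review): plain http:// sends the basic-auth credentials and all
      # log data unencrypted between the nodes and Elasticsearch. Switch to
      # https:// with CA verification once TLS is enabled on the cluster.
      hosts: ["http://10.0.0.38:9200"]
      # NOTE(review): "admin" looks like a superuser account. A log shipper
      # only needs write access to its own indices; prefer a dedicated user
      # whose role is limited to the k8s-* index pattern.
      username: "admin"
      # Resolved by Filebeat from the container environment at start-up. The
      # DaemonSet (not shown here) must provide ELASTICSEARCH_PASSWORD, e.g.
      # through env[].valueFrom.secretKeyRef pointing at a Kubernetes Secret.
      password: "${ELASTICSEARCH_PASSWORD}"
      # Dynamic index name: k8s-<environment>-<app>-<date>.
      # The environment and app parts come from pod labels, so workload owners
      # influence which index an event lands in; restricting the Elasticsearch
      # role to k8s-* keeps that influence inside the intended index family.
      index: "k8s-%{[kubernetes.labels.environment]}-%{[kubernetes.labels.app]}-%{+yyyy.MM.dd}"

    # NOTE(review): debug level with every selector enabled is very verbose and
    # can write the contents of processed events into Filebeat's own log.
    # Keep it for troubleshooting only and return to info afterwards.
    logging.level: debug
    logging.selectors: ["*"]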