在kubernetes集群中部署logstash步骤如下:

1:logstash安装文件(目前最新版本2.3.4);

2:编写Dockerfile及执行点脚本文件run.sh,并且修改logstash conf文件,配置为消费指定rabbitmq queue,并持久化消息至目标elasticsearch集群,制作logstash镜像;

3:推送镜像至某个Docker源,可以是公网的源,也可以是公司内部源;

4:在kubernetes主节点编写logstash镜像对应的RC文件;

5:在kubernetes集群中创建logstash pods;

6:测试验证

 

================================================================================================

1:logstash安装文件(目前最新版本2.3.4)

logstash目前最新版本安装包:logstash-2.3.4.tar.gz,可事先下载COPY进Docker镜像,也可以通过wget的方式在Dockerfile中配置下载;

 

================================================================================================

2:编写Dockerfile及执行点脚本文件run.sh,并且修改logstash conf文件,配置为消费指定rabbitmq queue,并持久化消息至目标elasticsearch集群,制作logstash镜像

由于logstash运行依赖于其配置文件,需要根据实际使用场景对配置文件的in,filter,out三个模块进行配置,因此需要先建立好conf文件;

我的使用场景是logstash作为rabbitmq中日志信息队列的消费者,获得rabbitmq推送的消息后,推送至out模块配置的elasticsearch集群,以供kibana使用(ELK框架)。

这是一个比较典型的应用场景,也可以根据实际需求配置logstash为redis或其它数据源的消费者;

如下是我的场景中的logstash配置文件(log-pipeline.conf):

logstash output es集群 logstash集群高可用_Docker

logstash output es集群 logstash集群高可用_推送_02

1 input {
 2   http {
 3   }
 4   rabbitmq {
 5         host => "localhost"
 6         port => 5672
 7         queue => "example.queue"
 8         key => ""
 9         user => "guest"
10         password => "guest"
11         durable => true
12   }
13 }
14 filter {
15   date {
16         match => [ "timestamp","yyyy-MM-dd HH:mm:ss" ]
17   }
18 }
19 output {
20    elasticsearch {
21         hosts => ["localhost:9200"]
22         index => "logstash-*"
23    }
24 }

View Code

配置文件中的所有配置项都是默认值,实际参数是配置在kubernetes集群的RC文件中的;

同时,我们这里打开了http这个in模块,接受http直接推送消息,默认端口是8080;

现在我们可以建立Dockerfile:

logstash output es集群 logstash集群高可用_Docker

logstash output es集群 logstash集群高可用_推送_02

1 FROM centos:7.2.1511
 2 MAINTAINER JiaKai "jiakai@gridsum.com"
 3 COPY CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo
 4 RUN yum update -y -q && yum install -y -q java-headless which && rm -rf /var/cache/yum
 5 ENV LOGSTASH_VERSION 2.3.4
 6 COPY ./logstash-${LOGSTASH_VERSION}.tar.gz /opt/logstash-${LOGSTASH_VERSION}.tar.gz
 7 RUN tar -xzf /opt/logstash-${LOGSTASH_VERSION}.tar.gz && \
 8     mv -f /logstash-${LOGSTASH_VERSION} /opt/logstash && \
 9     rm -f /opt/logstash-${LOGSTASH_VERSION}.tar.gz
10 ENV CONF_FILE /log-pipeline.conf
11 COPY ./log-pipeline.conf ${CONF_FILE}
12 COPY ./run.sh /run.sh
13 RUN chmod a+wx ${CONF_FILE} && chmod a+x /run.sh
14 # logstash-input-http plugin default port 8080
15 EXPOSE 8080
16 CMD ["/run.sh"]

View Code

Dockerfile中需要注意的是,logstash的运行依赖于java环境及which组件,需要在基础镜像的基础上安装,同时要注意清除yum缓存,打开8080端口为为了支持logstash的http模块(在我的应用场景中也可以不打开);

Dockerfile的入口点run.sh文件如下:

logstash output es集群 logstash集群高可用_Docker

logstash output es集群 logstash集群高可用_推送_02

1 #!/bin/sh
 2 set -e
 3 RABBIT_HOST=${RABBIT_HOST:-localhost}
 4 RABBIT_PORT=${RABBIT_PORT:-5672}
 5 RABBIT_QUEUE=${RABBIT_QUEUE:-example.queue}
 6 RABBIT_USER=${RABBIT_USER:-guest}
 7 RABBIT_PWD=${RABBIT_PWD:-guest}
 8 ES_URLS=${ES_URLS:-localhost:9200}
 9 ES_INDEX=${ES_INDEX:-logstash-*}
10 
11 sed -i "s;^.*host => .*;        host => \"${RABBIT_HOST}\";" ${CONF_FILE}
12 sed -i "s;^.*port => .*;        port => ${RABBIT_PORT};" ${CONF_FILE}
13 sed -i "s;^.*queue => .*;        queue => \"${RABBIT_QUEUE}\";" ${CONF_FILE}
14 sed -i "s;^.*user => .*;        user => \"${RABBIT_USER}\";" ${CONF_FILE}
15 sed -i "s;^.*password => .*;        password => \"${RABBIT_PWD}\";" ${CONF_FILE}
16 sed -i "s;^.*hosts => .*;        hosts => [\"${ES_URLS}\"];" ${CONF_FILE}
17 sed -i "s;^.*index => .*;        index => \"${ES_INDEX}\";" ${CONF_FILE}
18 
19 exec /opt/logstash/bin/logstash -f ${CONF_FILE}

View Code

需要注意的是在配置文件的修改中,字符串参数需要双引号,因此sh中以\"包含起来;

完成以上3个文件的创建,即可通过

sudo docker build -t="jiakai/logstash:2.3.4" .

来创建logstash的Docker镜像;

无误的话将得到名为jiakai/logstash,Tag为2.3.4的logstash镜像,可以通过

sudo docker run -e RABBIT_HOST=10.XXX.XXX.XXX -e RABBIT_PORT=5672 -e RABBIT_QUEUE=Gridsum.LawDissector.NLog.Targets.LogMessage:Gridsum.LawDissector.NLog.Targets -e RABBIT_USER=XXX -e RABBIT_PWD=XXX -e ES_URLS=10.XXX.XXX.XXX:XXXX -e ES_INDEX=ld.log-%{+YYYY.MM} -i -t 913defa45d4c

来启动该镜像,其中913defa45d4c是我的Docker镜像ID,根据实际更改即可,无误的话,这时候我们查看Rabbitmq中指定的队列的consumer,会多出一个我们执行Docker镜像的宿主机的消费者,且这个IP是docker0的IP;

 

===============================================================================================

3:推送镜像至某个Docker源,可以是公网的源,也可以是公司内部源

推送镜像之前需要为镜像重新标记(TAG),这里以公司的内部源为例,将制作好的镜像推送至目标源:

sudo docker Tag jiakai/logstash:2.3.4 10.200.XXX.XXX:5000/gridsum/logstash:2.3.4

 

===============================================================================================

4:在kubernetes主节点编写logstash镜像对应的RC文件

5:在kubernetes集群中创建logstash pods;

6:测试验证。

由于我们场景中的logstash无需对外提供服务,仅仅作为rabbitmq的消费者存在,因此无需在kubernetes中提供logstash service,至需要利用RC保持logstash的高可用服务即可,因此我们建立logstash的RC文件:

logstash output es集群 logstash集群高可用_Docker

logstash output es集群 logstash集群高可用_推送_02

1 apiVersion: v1
 2 kind: ReplicationController
 3 metadata:
 4   name: logstash
 5   namespace: default
 6   labels:
 7     component: elk
 8     name: logstash
 9 spec:
10   replicas: 1
11   selector:
12     component: elk
13     name: logstash
14   template:
15     metadata:
16       labels:
17         component: elk
18         name: logstash
19     spec:
20       containers:
21       - name: logstash
22         image: 10.XXX.XXX.XXX:5000/gridsum/logstash:2.3.4
23         env:
24         - name: RABBIT_HOST
25           value: 10.XXX.XXX.XXX
26         - name: RABBIT_PORT
27           value: "5672"
28         - name: RABBIT_QUEUE
29           value: Gridsum.LawDissector.NLog.Targets.LogMessage:Gridsum.LawDissector.NLog.Targets
30         - name: RABBIT_USER
31           value: XXX
32         - name: RABBIT_PWD
33           value: XXX
34         - name: ES_URLS
35           value: 10.XXX.XXX.XXX:XXXX
36         - name: ES_INDEX
37           value: ld.log-%{+YYYY.MM}
38         ports:
39           - containerPort: 8080
40             name: http
41             protocol: TCP

View Code

文件保存为logstash-controller.yaml,之后在kubernetes集群主节点上执行

kubectl create -f logstash-controller.yaml

启动该RC;通过

kubectl get pods

检查logstash pod是否正常运行(running),同时检查rabbitmq对应的queue是否正确由这个logstash pod消费,再从elasticsearch集群确认消费的日志消息时候已经正确推送ELK。

 

 

经过以上步骤,即可通过kubernetes集群提供高可用的logstash服务,为ELK框架提供支持。