Triển khai bộ log tập trung (Centralized logging) với Docker và Kubernettes cho server sử dụng ELK stack.

Thứ Hai, 16/12/2019

Tram Ho

ELK stack bao gồm Elasticsearch, Logstash và Kibana, trong đó Logstash thu thập logs trong các ứng dụng của bạn đưa về lưu trữ trong Elasticsearch và Kibana sẽ trình diễn chúng trên một giao diện thân thiện với bạn hơn. Ngoài ra để thu thập logs cho Kuberbernettes thì mình sử dụng thêm Fluentd.

I. Thu thập logs từ Docker

Điều kiện cần

Để thuận tiện cho Logstash có thể thu thập logs từ các Docker Container, đầu tiên hãy sửa logging driver của Docker nằm ở /etc/docker/daemon.json về sử dụng syslog:

<span class="token punctuation">{</span>
  <span class="token property">"log-driver"</span><span class="token operator">:</span> <span class="token string">"syslog"</span><span class="token punctuation">,</span>
  <span class="token property">"log-opts"</span><span class="token operator">:</span> <span class="token punctuation">{</span>
    <span class="token property">"syslog-address"</span><span class="token operator">:</span> <span class="token string">"tcp://127.0.0.1:9600"</span>
  <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

{

"log-driver": "syslog",

"log-opts": {

"syslog-address": "tcp://127.0.0.1:9600"

}

Trong đó tcp://127.0.0.1:9600 tương ứng là giao thức TCP để truyền tin đến Logstash được đặt ở IP 127.0.0.1 và port là 9600.
Tìm hiểu thêm ở: Configure logging drivers

Triển khai ELK stack bằng Docker Stack

Docker Stack file và config của ELK mình sử dụng như bên dưới:

Github repository

<span class="token key atrule">version</span><span class="token punctuation">:</span> <span class="token string">'3.3'</span>

<span class="token key atrule">services</span><span class="token punctuation">:</span>

  <span class="token key atrule">elasticsearch</span><span class="token punctuation">:</span>
    image<span class="token punctuation">:</span> docker.elastic.co/elasticsearch/elasticsearch<span class="token punctuation">:</span>7.4.1
    ports<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token string">"9200:9200"</span>
      <span class="token punctuation">-</span> <span class="token string">"9300:9300"</span>
    configs<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">source</span><span class="token punctuation">:</span> elastic_config
        target<span class="token punctuation">:</span> /usr/share/elasticsearch/config/elasticsearch.yml
    volumes<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> /u01/elasticsearch/data<span class="token punctuation">:</span>/usr/share/elasticsearch/data
    environment<span class="token punctuation">:</span>
      ES_JAVA_OPTS<span class="token punctuation">:</span> <span class="token string">"-Xms512m -Xmx512m"</span>
      ELASTIC_PASSWORD<span class="token punctuation">:</span> changeme
      ES_HEAP_SIZE<span class="token punctuation">:</span> 1g
      MAY_LOCKED_MEMORY<span class="token punctuation">:</span> unlimited
      node.max_local_storage_nodes<span class="token punctuation">:</span> <span class="token number">20</span>
    networks<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elk
    deploy<span class="token punctuation">:</span>
      mode<span class="token punctuation">:</span> replicated
      replicas<span class="token punctuation">:</span> <span class="token number">1</span>

  <span class="token key atrule">logstash</span><span class="token punctuation">:</span>
    <span class="token key atrule">image</span><span class="token punctuation">:</span> docker.elastic.co/logstash/logstash<span class="token punctuation">:</span>7.4.1
    <span class="token key atrule">ports</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token string">"5000:5000"</span>
      <span class="token punctuation">-</span> <span class="token string">"9600:9600"</span>
    <span class="token key atrule">configs</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">source</span><span class="token punctuation">:</span> logstash_config
        <span class="token key atrule">target</span><span class="token punctuation">:</span> /usr/share/logstash/config/logstash.yml
      <span class="token punctuation">-</span> <span class="token key atrule">source</span><span class="token punctuation">:</span> logstash_pipeline
        <span class="token key atrule">target</span><span class="token punctuation">:</span> /usr/share/logstash/pipeline/logstash.conf
    <span class="token key atrule">environment</span><span class="token punctuation">:</span>
      <span class="token key atrule">LS_JAVA_OPTS</span><span class="token punctuation">:</span> <span class="token string">"-Xmx256m -Xms256m"</span>
    <span class="token key atrule">networks</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elk
    <span class="token key atrule">deploy</span><span class="token punctuation">:</span>
      <span class="token key atrule">mode</span><span class="token punctuation">:</span> replicated
      <span class="token key atrule">replicas</span><span class="token punctuation">:</span> <span class="token number">1</span>
    <span class="token key atrule">depends_on</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elasticsearch

  <span class="token key atrule">kibana</span><span class="token punctuation">:</span>
    <span class="token key atrule">image</span><span class="token punctuation">:</span> docker.elastic.co/kibana/kibana<span class="token punctuation">:</span>7.4.1
    <span class="token key atrule">ports</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token string">"8601:5601"</span>
    <span class="token key atrule">configs</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">source</span><span class="token punctuation">:</span> kibana_config
        <span class="token key atrule">target</span><span class="token punctuation">:</span> /usr/share/kibana/config/kibana.yml
    <span class="token key atrule">networks</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elk
    <span class="token key atrule">deploy</span><span class="token punctuation">:</span>
      <span class="token key atrule">mode</span><span class="token punctuation">:</span> replicated
      <span class="token key atrule">replicas</span><span class="token punctuation">:</span> <span class="token number">1</span>
    <span class="token key atrule">depends_on</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elasticsearch

<span class="token key atrule">configs</span><span class="token punctuation">:</span>
  <span class="token key atrule">elastic_config</span><span class="token punctuation">:</span>
    <span class="token key atrule">file</span><span class="token punctuation">:</span> ./elasticsearch/config/elasticsearch.yml
  <span class="token key atrule">logstash_config</span><span class="token punctuation">:</span>
    <span class="token key atrule">file</span><span class="token punctuation">:</span> ./logstash/config/logstash.yml
  <span class="token key atrule">logstash_pipeline</span><span class="token punctuation">:</span>
    <span class="token key atrule">file</span><span class="token punctuation">:</span> ./logstash/pipeline/logstash.conf
  <span class="token key atrule">kibana_config</span><span class="token punctuation">:</span>
    <span class="token key atrule">file</span><span class="token punctuation">:</span> ./kibana/config/kibana.yml

<span class="token key atrule">networks</span><span class="token punctuation">:</span>
  <span class="token key atrule">elk</span><span class="token punctuation">:</span>
    <span class="token key atrule">driver</span><span class="token punctuation">:</span> overlay

version: '3.3'

services:

elasticsearch:

image: docker.elastic.co/elasticsearch/elasticsearch:7.4.1

ports:

- "9200:9200"

- "9300:9300"

configs:

- source: elastic_config

target: /usr/share/elasticsearch/config/elasticsearch.yml

volumes:

- /u01/elasticsearch/data:/usr/share/elasticsearch/data

environment:

ES_JAVA_OPTS: "-Xms512m -Xmx512m"

ELASTIC_PASSWORD: changeme

ES_HEAP_SIZE: 1g

MAY_LOCKED_MEMORY: unlimited

node.max_local_storage_nodes: 20

networks:

- elk

deploy:

mode: replicated

replicas: 1

logstash:

image: docker.elastic.co/logstash/logstash:7.4.1

ports:

- "5000:5000"

- "9600:9600"

configs:

- source: logstash_config

target: /usr/share/logstash/config/logstash.yml

- source: logstash_pipeline

target: /usr/share/logstash/pipeline/logstash.conf

environment:

LS_JAVA_OPTS: "-Xmx256m -Xms256m"

networks:

- elk

deploy:

mode: replicated

replicas: 1

depends_on:

- elasticsearch

kibana:

image: docker.elastic.co/kibana/kibana:7.4.1

ports:

- "8601:5601"

configs:

- source: kibana_config

target: /usr/share/kibana/config/kibana.yml

networks:

- elk

deploy:

mode: replicated

replicas: 1

depends_on:

- elasticsearch

configs:

elastic_config:

file: ./elasticsearch/config/elasticsearch.yml

logstash_config:

file: ./logstash/config/logstash.yml

logstash_pipeline:

file: ./logstash/pipeline/logstash.conf

kibana_config:

file: ./kibana/config/kibana.yml

networks:

elk:

driver: overlay

Chúng ta sẽ deploy thông qua Docker Stack bằng command.

$ docker stack deploy --compose-file<span class="token operator">=</span>docker-stack.yaml elk
// --compose-file chính là đường dẫn đến stack <span class="token function">file</span>
// elk là  tên của serivce.

$ docker stack deploy --compose-file=docker-stack.yaml elk

// --compose-file chính là đường dẫn đến stack file

// elk là tên của serivce.

Lưu ý đối với containter Elasticsearch

<span class="token key atrule">version</span><span class="token punctuation">:</span> <span class="token string">'3.3'</span>

<span class="token key atrule">services</span><span class="token punctuation">:</span>

  elasticsearch<span class="token punctuation">:</span>
    image<span class="token punctuation">:</span> docker.elastic.co/elasticsearch/elasticsearch<span class="token punctuation">:</span>7.4.1
    ports<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token string">"9200:9200"</span>
      <span class="token punctuation">-</span> <span class="token string">"9300:9300"</span>
    configs<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">source</span><span class="token punctuation">:</span> elastic_config
        target<span class="token punctuation">:</span> /usr/share/elasticsearch/config/elasticsearch.yml
    volumes<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> /u01/elasticsearch/data<span class="token punctuation">:</span>/usr/share/elasticsearch/data
    environment<span class="token punctuation">:</span>
      ES_JAVA_OPTS<span class="token punctuation">:</span> <span class="token string">"-Xms512m -Xmx512m"</span>
      ELASTIC_PASSWORD<span class="token punctuation">:</span> changeme
      ES_HEAP_SIZE<span class="token punctuation">:</span> 1g
      MAY_LOCKED_MEMORY<span class="token punctuation">:</span> unlimited
      node.max_local_storage_nodes<span class="token punctuation">:</span> <span class="token number">20</span>
    networks<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elk
    deploy<span class="token punctuation">:</span>
      mode<span class="token punctuation">:</span> replicated
      replicas<span class="token punctuation">:</span> <span class="token number">1</span>

version: '3.3'

services:

elasticsearch:

image: docker.elastic.co/elasticsearch/elasticsearch:7.4.1

ports:

- "9200:9200"

- "9300:9300"

configs:

- source: elastic_config

target: /usr/share/elasticsearch/config/elasticsearch.yml

volumes:

- /u01/elasticsearch/data:/usr/share/elasticsearch/data

environment:

ES_JAVA_OPTS: "-Xms512m -Xmx512m"

ELASTIC_PASSWORD: changeme

ES_HEAP_SIZE: 1g

MAY_LOCKED_MEMORY: unlimited

node.max_local_storage_nodes: 20

networks:

- elk

deploy:

mode: replicated

replicas: 1

Container của Elasticsearch sẽ mount thư mục /u01/elasticsearch/data từ ngoài máy host vào trong container, thư mục này cần được cấp quyền cho elasticsearch sử dụng được nên cần phải sửa chown cho nó

$ <span class="token function">sudo</span> <span class="token function">chown</span> -R 1000:1000 /u01/elasticsearch/data

1 2	$ <span class="token function">sudo</span> <span class="token function">chown</span> -R 1000:1000 /u01/elasticsearch/data

Elasticsearch expose ra 2 cổng 9200, 9300 và sẽ join vào Docker network elk để có thể giao tiếp với các container khác trong cùng network

Lưu ý với container Logstash

<span class="token punctuation">...</span>

  logstash<span class="token punctuation">:</span>
    image<span class="token punctuation">:</span> docker.elastic.co/logstash/logstash<span class="token punctuation">:</span>7.4.1
    ports<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token string">"5000:5000"</span>
      <span class="token punctuation">-</span> <span class="token string">"9600:9600"</span>
    configs<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">source</span><span class="token punctuation">:</span> logstash_config
        target<span class="token punctuation">:</span> /usr/share/logstash/config/logstash.yml
      <span class="token punctuation">-</span> <span class="token key atrule">source</span><span class="token punctuation">:</span> logstash_pipeline
        target<span class="token punctuation">:</span> /usr/share/logstash/pipeline/logstash.conf
    environment<span class="token punctuation">:</span>
      LS_JAVA_OPTS<span class="token punctuation">:</span> <span class="token string">"-Xmx256m -Xms256m"</span>
    networks<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elk
    deploy<span class="token punctuation">:</span>
      mode<span class="token punctuation">:</span> replicated
      replicas<span class="token punctuation">:</span> <span class="token number">1</span>
    depends_on<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elasticsearch

...

logstash:

image: docker.elastic.co/logstash/logstash:7.4.1

ports:

- "5000:5000"

- "9600:9600"

configs:

- source: logstash_config

target: /usr/share/logstash/config/logstash.yml

- source: logstash_pipeline

target: /usr/share/logstash/pipeline/logstash.conf

environment:

LS_JAVA_OPTS: "-Xmx256m -Xms256m"

networks:

- elk

deploy:

mode: replicated

replicas: 1

depends_on:

- elasticsearch

File config cho Logstash nằm trong thư mục logstash/ gồm config để giao tiếp với Elasticsearch và pipeline để cấu hình luồng logs input và output của Logstash.

input <span class="token punctuation">{</span>
    syslog <span class="token punctuation">{</span>
        type =<span class="token punctuation">&gt;</span> syslog
        port =<span class="token punctuation">&gt;</span> 9600
    <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

 Add your filters / logstash plugins configuration here
filter <span class="token punctuation">{</span>
    grok <span class="token punctuation">{</span>
        match =<span class="token punctuation">&gt;</span> <span class="token punctuation">{</span>
            "message" =<span class="token punctuation">&gt;</span> "<span class="token punctuation">...</span>" // Thêm regex pattern match với log của bạn vào đây
        <span class="token punctuation">}</span>
        add_field =<span class="token punctuation">&gt;</span> <span class="token punctuation">{</span>
            "type" =<span class="token punctuation">&gt;</span> "message_full"
        <span class="token punctuation">}</span>
    <span class="token punctuation">}</span>
    if "_grokparsefailure_sysloginput" in <span class="token punctuation">[</span>tags<span class="token punctuation">]</span> <span class="token punctuation">{</span>
      drop <span class="token punctuation">{</span><span class="token punctuation">}</span>
    <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

output <span class="token punctuation">{</span>
    elasticsearch <span class="token punctuation">{</span>
        hosts =<span class="token punctuation">&gt;</span> "elasticsearch<span class="token punctuation">:</span>9200"
        user =<span class="token punctuation">&gt;</span> "elastic"
        password =<span class="token punctuation">&gt;</span> "changeme"
    <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

input {

syslog {

type => syslog

port => 9600

}

Add your filters / logstash plugins configuration here

filter {

grok {

match => {

"message" => "..." // Thêm regex pattern match với log của bạn vào đây

}

add_field => {

"type" => "message_full"

}

if "_grokparsefailure_sysloginput" in [tags] {

drop {}

}

output {

elasticsearch {

hosts => "elasticsearch:9200"

user => "elastic"

password => "changeme"

}

Trong phần config pipeline có phần filter sử dụng grok để lọc log gửi về từ Docker container. Grok sẽ tìm field tên là message và thực hiện extract thông tin trong message đó thành 1 object có giá trị, dễ hiểu để sử dụng ở trên Kibana. Trong ví dụ, nếu bạn sử dụng Grok pattern này

<span class="token operator">/</span><span class="token operator">/</span> <span class="token variable">Pattern</span>
<span class="token punctuation">(</span>?<span class="token operator">&lt;</span><span class="token atom">time</span><span class="token operator">&gt;</span><span class="token punctuation">(</span><span class="token operator">&lt;</span><span class="token comment">%{WORD}&gt;%{MONTH} %{MONTHDAY} %{TIME} %{WORD}[%{WORD}])): %{TIMESTAMP_ISO8601:timestamp} | %{LOGLEVEL:log_level}.*| (?&lt;detail&gt;(%{WORD} | %{WORD} | %{WORD})) | (?&lt;container&gt;(.+?)) | (?&lt;project_name&gt;(@%{WORD}.%{WORD}@)) |(?&lt;correlation_id&gt;(.+?))|(?&lt;client_ip&gt;(.+?))| (?&lt;msg&gt;([.*].*))</span>

// Pattern

(?<time>(<%{WORD}>%{MONTH} %{MONTHDAY} %{TIME} %{WORD}[%{WORD}])): %{TIMESTAMP_ISO8601:timestamp} | %{LOGLEVEL:log_level}.*| (?<detail>(%{WORD} | %{WORD} | %{WORD})) | (?<container>(.+?)) | (?<project_name>(@%{WORD}.%{WORD}@)) |(?<correlation_id>(.+?))|(?<client_ip>(.+?))| (?<msg>([.*].*))

// Message log chạy qua Logstash
&lt;30&gt;Nov 19 11:35:32 c3e4e76fc8bb[31175]: 2019-11-19T04:35:32.224Z | INFO  | VDS | AppLog | Java | 3324.container-0-C-1 | @<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="90e0e2fffaf5f3e4befef1fdf5d0">[email protected]</a> | 111112vwsdf  | 129.0.0.1 | [Consumer clientId=consumer-2, groupId=anonymous.2ff2fs2d-965a-4b1e-a873-ea27d6ce9fc9] Group coordinator 10.0.244.255:9000 (id: 1111111 rack: null) is unavailable or invalid, will attempt rediscovery

// Message log chạy qua Logstash

<30>Nov 19 11:35:32 c3e4e76fc8bb[31175]: 2019-11-19T04:35:32.224Z | INFO | VDS | AppLog | Java | 3324.container-0-C-1 | @<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="90e0e2fffaf5f3e4befef1fdf5d0">[email protected]</a> | 111112vwsdf | 129.0.0.1 | [Consumer clientId=consumer-2, groupId=anonymous.2ff2fs2d-965a-4b1e-a873-ea27d6ce9fc9] Group coordinator 10.0.244.255:9000 (id: 1111111 rack: null) is unavailable or invalid, will attempt rediscovery

// Output nhận được sẽ là
<span class="token punctuation">{</span>
  <span class="token property">"time"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">"&lt;30&gt;Nov 19 11:35:32 c3e4e76fc8bb[31175]"</span>
  <span class="token punctuation">]</span><span class="token punctuation">,</span>
  <span class="token property">"timestamp"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">"2019-11-19T04:35:32.224Z"</span>
  <span class="token punctuation">]</span><span class="token punctuation">,</span>
  <span class="token property">"log_level"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">"INFO"</span>
  <span class="token punctuation">]</span><span class="token punctuation">,</span>
  <span class="token property">"detail"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">"VDS | AppLog | Java"</span>
  <span class="token punctuation">]</span><span class="token punctuation">,</span>
  <span class="token property">"container"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">"3324.container-0-C-1"</span>
  <span class="token punctuation">]</span><span class="token punctuation">,</span>
  <span class="token property">"project_name"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">"@<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="2e5e5c41444b4d5a00404f434b6e">[email protected]</a>"</span>
  <span class="token punctuation">]</span><span class="token punctuation">,</span>
  <span class="token property">"correlation_id"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">" 111112vwsdf  "</span>
  <span class="token punctuation">]</span><span class="token punctuation">,</span>
  <span class="token property">"client_ip"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">" 129.0.0.1 "</span>
  <span class="token punctuation">]</span><span class="token punctuation">,</span>
  <span class="token property">"msg"</span><span class="token operator">:</span> <span class="token punctuation">[</span>
    <span class="token string">"[Consumer clientId=consumer-2, groupId=anonymous.c75c47ea-965a-4b1e-a873-ea27d6ce9fc9] Group coordinator  10.0.244.255:9000 (id: 1111111 rack: null) is unavailable or invalid, will attempt rediscovery "</span>
  <span class="token punctuation">]</span>
<span class="token punctuation">}</span>

// Output nhận được sẽ là

{

"time": [

"<30>Nov 19 11:35:32 c3e4e76fc8bb[31175]"

],

"timestamp": [

"2019-11-19T04:35:32.224Z"

],

"log_level": [

"INFO"

],

"detail": [

"VDS | AppLog | Java"

],

"container": [

"3324.container-0-C-1"

],

"project_name": [

"@<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="2e5e5c41444b4d5a00404f434b6e">[email protected]</a>"

],

"correlation_id": [

" 111112vwsdf "

],

"client_ip": [

" 129.0.0.1 "

],

"msg": [

"[Consumer clientId=consumer-2, groupId=anonymous.c75c47ea-965a-4b1e-a873-ea27d6ce9fc9] Group coordinator 10.0.244.255:9000 (id: 1111111 rack: null) is unavailable or invalid, will attempt rediscovery "

]

}

Tham khảo thêm Grok pattern debugger tại đây .

Kibana

<span class="token punctuation">...</span>
<span class="token key atrule">kibana</span><span class="token punctuation">:</span>
    image<span class="token punctuation">:</span> docker.elastic.co/kibana/kibana<span class="token punctuation">:</span>7.4.1
    ports<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token string">"8601:5601"</span>
    configs<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">source</span><span class="token punctuation">:</span> kibana_config
        target<span class="token punctuation">:</span> /usr/share/kibana/config/kibana.yml
    networks<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elk
    deploy<span class="token punctuation">:</span>
      mode<span class="token punctuation">:</span> replicated
      replicas<span class="token punctuation">:</span> <span class="token number">1</span>
    depends_on<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> elasticsearch

...

kibana:

image: docker.elastic.co/kibana/kibana:7.4.1

ports:

- "8601:5601"

configs:

- source: kibana_config

target: /usr/share/kibana/config/kibana.yml

networks:

- elk

deploy:

mode: replicated

replicas: 1

depends_on:

- elasticsearch

Kibana sẽ expose cổng 5601 ra cổng 8601 trên máy host để có thể truy cập tới được.

Sử dụng Kibana

B1: User đăng nhập mặc định là elastic, mật khẩu là changeme . tại địa chỉ http://127.0.0.1:8601/
B2: Tạoindex pattern để hiển thị log từ Logstash
Điền logstash-* vào ô Index pattern -> Next step
B3: Chọn @timestamp -> Create index pattern
B4: Xem logs được đổ về ở http://127.0.0.1:8601/app/kibana#/discover?_g=()
Ở đây bạn chọn vào nút +Add filter sau đó điền các giá trị như trong hình bên dưới để lọc logs theo tên project. Giá trị Value này là 1 Regex pattern match với các message có chứa thông tin @project.name@.

II. Thu thập logs từ trong Kubernetes.

Sử dụng Fluentd.

Fluentd là một ứng dụng hoàn toàn miễn phí và open-source giúp bạn có thể lấy được log ở web server và xử lý log data đó. Dữ liệu log lấy đươc rất có thể từ nginx, apache hoặc đơn giản là từ các gói tin tcp hay các message của http. Để thu thập logs từ Kubernettes mình sẽ triển khai Fluentd bằng object là DaemonSet.
DaemonSet thường được sử dụng để triển khai 1 service trên tất cả các Pod

Tạo namespace kube-logging

<span class="token key atrule">kind</span><span class="token punctuation">:</span> Namespace
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> v1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  name<span class="token punctuation">:</span> kube<span class="token punctuation">-</span>logging

kind: Namespace

apiVersion: v1

metadata:

tạo namespace bằng lệnh

$ kubectl apply -f kube-logging.yaml

1 2	$ kubectl apply -f kube-logging.yaml

Tạo Daemonset Fluentd

<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> v1
<span class="token key atrule">kind</span><span class="token punctuation">:</span> ServiceAccount
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  name<span class="token punctuation">:</span> fluentd
  namespace<span class="token punctuation">:</span> kube<span class="token punctuation">-</span>logging
  labels<span class="token punctuation">:</span>
    app<span class="token punctuation">:</span> fluentd
<span class="token punctuation">---</span>
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1
<span class="token key atrule">kind</span><span class="token punctuation">:</span> ClusterRole
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  name<span class="token punctuation">:</span> fluentd
  labels<span class="token punctuation">:</span>
    app<span class="token punctuation">:</span> fluentd
<span class="token key atrule">rules</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">apiGroups</span><span class="token punctuation">:</span>
  <span class="token punctuation">-</span> <span class="token string">""</span>
  resources<span class="token punctuation">:</span>
  <span class="token punctuation">-</span> pods
  <span class="token punctuation">-</span> namespaces
  verbs<span class="token punctuation">:</span>
  <span class="token punctuation">-</span> get
  <span class="token punctuation">-</span> list
  <span class="token punctuation">-</span> watch
<span class="token punctuation">---</span>
<span class="token key atrule">kind</span><span class="token punctuation">:</span> ClusterRoleBinding
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> rbac.authorization.k8s.io/v1
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  name<span class="token punctuation">:</span> fluentd
<span class="token key atrule">roleRef</span><span class="token punctuation">:</span>
  kind<span class="token punctuation">:</span> ClusterRole
  name<span class="token punctuation">:</span> fluentd
  apiGroup<span class="token punctuation">:</span> rbac.authorization.k8s.io
<span class="token key atrule">subjects</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">kind</span><span class="token punctuation">:</span> ServiceAccount
  name<span class="token punctuation">:</span> fluentd
  namespace<span class="token punctuation">:</span> kube<span class="token punctuation">-</span>logging
<span class="token punctuation">---</span>
<span class="token key atrule">apiVersion</span><span class="token punctuation">:</span> apps/v1
<span class="token key atrule">kind</span><span class="token punctuation">:</span> DaemonSet
<span class="token key atrule">metadata</span><span class="token punctuation">:</span>
  name<span class="token punctuation">:</span> fluentd
  namespace<span class="token punctuation">:</span> kube<span class="token punctuation">-</span>logging
  labels<span class="token punctuation">:</span>
    app<span class="token punctuation">:</span> fluentd
<span class="token key atrule">spec</span><span class="token punctuation">:</span>
  selector<span class="token punctuation">:</span>
    matchLabels<span class="token punctuation">:</span>
      app<span class="token punctuation">:</span> fluentd
  template<span class="token punctuation">:</span>
    metadata<span class="token punctuation">:</span>
      labels<span class="token punctuation">:</span>
        app<span class="token punctuation">:</span> fluentd
    spec<span class="token punctuation">:</span>
      serviceAccount<span class="token punctuation">:</span> fluentd
      serviceAccountName<span class="token punctuation">:</span> fluentd
      tolerations<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">key</span><span class="token punctuation">:</span> node<span class="token punctuation">-</span>role.kubernetes.io/master
        effect<span class="token punctuation">:</span> NoSchedule
      containers<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> fluentd
        image<span class="token punctuation">:</span> fluent/fluentd<span class="token punctuation">-</span>kubernetes<span class="token punctuation">-</span>daemonset<span class="token punctuation">:</span>v1.4.2<span class="token punctuation">-</span>debian<span class="token punctuation">-</span>elasticsearch<span class="token punctuation">-</span><span class="token number">1.1</span>
        env<span class="token punctuation">:</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span>  FLUENT_ELASTICSEARCH_HOST
            value<span class="token punctuation">:</span> "IP<span class="token punctuation">...</span>" //Public IP của Elasticsearch đã cài ở trên
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span>  FLUENT_ELASTICSEARCH_PORT
            value<span class="token punctuation">:</span> <span class="token string">"9200"</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span>  FLUENT_ELASTICSEARCH_USER
            value<span class="token punctuation">:</span> <span class="token string">"elastic"</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span>  FLUENT_ELASTICSEARCH_PASSWORD
            value<span class="token punctuation">:</span> <span class="token string">"changeme"</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> FLUENT_ELASTICSEARCH_SCHEME
            value<span class="token punctuation">:</span> <span class="token string">"http"</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> FLUENTD_SYSTEMD_CONF
            value<span class="token punctuation">:</span> disable
        resources<span class="token punctuation">:</span>
          limits<span class="token punctuation">:</span>
            memory<span class="token punctuation">:</span> 512Mi
          requests<span class="token punctuation">:</span>
            cpu<span class="token punctuation">:</span> 100m
            memory<span class="token punctuation">:</span> 200Mi
        volumeMounts<span class="token punctuation">:</span>
        <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> varlog
          mountPath<span class="token punctuation">:</span> /var/log
        <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> varlibdockercontainers
          mountPath<span class="token punctuation">:</span> /var/lib/docker/containers
          readOnly<span class="token punctuation">:</span> <span class="token boolean important">true</span>
      terminationGracePeriodSeconds<span class="token punctuation">:</span> <span class="token number">30</span>
      volumes<span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> varlog
        hostPath<span class="token punctuation">:</span>
          path<span class="token punctuation">:</span> /var/log
      <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> varlibdockercontainers
        hostPath<span class="token punctuation">:</span>
          path<span class="token punctuation">:</span> /var/lib/docker/containers

apiVersion: v1

kind: ServiceAccount

metadata:

namespace: kube-logging

labels:

app: fluentd

---

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRole

metadata:

labels:

app: fluentd

rules:

- apiGroups:

- ""

resources:

- pods

- namespaces

verbs:

- get

- list

- watch

---

kind: ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1

metadata:

roleRef:

kind: ClusterRole

apiGroup: rbac.authorization.k8s.io

subjects:

- kind: ServiceAccount

namespace: kube-logging

---

apiVersion: apps/v1

kind: DaemonSet

metadata:

namespace: kube-logging

labels:

app: fluentd

spec:

selector:

matchLabels:

app: fluentd

template:

metadata:

labels:

app: fluentd

spec:

serviceAccount: fluentd

serviceAccountName: fluentd

tolerations:

- key: node-role.kubernetes.io/master

effect: NoSchedule

containers:

- name: fluentd

image: fluent/fluentd-kubernetes-daemonset:v1.4.2-debian-elasticsearch-1.1

env:

- name: FLUENT_ELASTICSEARCH_HOST

value: "IP..." //Public IP của Elasticsearch đã cài ở trên

- name: FLUENT_ELASTICSEARCH_PORT

value: "9200"

- name: FLUENT_ELASTICSEARCH_USER

value: "elastic"

- name: FLUENT_ELASTICSEARCH_PASSWORD

value: "changeme"

- name: FLUENT_ELASTICSEARCH_SCHEME

value: "http"

- name: FLUENTD_SYSTEMD_CONF

value: disable

resources:

limits:

memory: 512Mi

requests:

cpu: 100m

memory: 200Mi

volumeMounts:

- name: varlog

mountPath: /var/log

- name: varlibdockercontainers

mountPath: /var/lib/docker/containers

readOnly: true

terminationGracePeriodSeconds: 30

volumes:

- name: varlog

hostPath:

path: /var/log

- name: varlibdockercontainers

hostPath:

path: /var/lib/docker/containers

Thực hiện tạo DaemonSet bằng command

$ kubectl apply -f fluentd.yaml

1 2	$ kubectl apply -f fluentd.yaml

Trong file cấu hình của fluentd có đoạn cấu hình:

<span class="token key atrule">containers</span><span class="token punctuation">:</span>
      <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> fluentd
        image<span class="token punctuation">:</span> fluent/fluentd<span class="token punctuation">-</span>kubernetes<span class="token punctuation">-</span>daemonset<span class="token punctuation">:</span>v1.4.2<span class="token punctuation">-</span>debian<span class="token punctuation">-</span>elasticsearch<span class="token punctuation">-</span><span class="token number">1.1</span>
        env<span class="token punctuation">:</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span>  FLUENT_ELASTICSEARCH_HOST
            value<span class="token punctuation">:</span> "IP<span class="token punctuation">...</span>" //Public IP của Elasticsearch đã cài ở trên
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span>  FLUENT_ELASTICSEARCH_PORT
            value<span class="token punctuation">:</span> <span class="token string">"9200"</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span>  FLUENT_ELASTICSEARCH_USER
            value<span class="token punctuation">:</span> <span class="token string">"elastic"</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span>  FLUENT_ELASTICSEARCH_PASSWORD
            value<span class="token punctuation">:</span> <span class="token string">"changeme"</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> FLUENT_ELASTICSEARCH_SCHEME
            value<span class="token punctuation">:</span> <span class="token string">"http"</span>
          <span class="token punctuation">-</span> <span class="token key atrule">name</span><span class="token punctuation">:</span> FLUENTD_SYSTEMD_CONF
            value<span class="token punctuation">:</span> disable

containers:

- name: fluentd

env:

- name: FLUENT_ELASTICSEARCH_HOST

value: "IP..." //Public IP của Elasticsearch đã cài ở trên

- name: FLUENT_ELASTICSEARCH_PORT

value: "9200"

- name: FLUENT_ELASTICSEARCH_USER

value: "elastic"

- name: FLUENT_ELASTICSEARCH_PASSWORD

value: "changeme"

- name: FLUENT_ELASTICSEARCH_SCHEME

value: "http"

- name: FLUENTD_SYSTEMD_CONF

value: disable

Fluentd sẽ gửi logs về cho Elasticsearch trên server IP thông qua port 9200 được config ở Docker stack bên trên.
Logs sẽ được hiển thị bên trong http://127.0.0.1:8601/

Tạm kết

Trên đây mình vừa đưa ra cấu hình cho ELK và Fluentd để thu thập logs từ Docker và Kubernettes. Tuy nhiên bộ config trên chưa thực sự tối ưu trên môi trường production khi số lượng container, pod đồng thời gửi logs về hệ thống Logs tập trung này nhiều lên, trong bài viết tới, mình sẽ chỉ ra những điểm cần thay đổi, cấu hình cho khả năng scaling của hệ thống.

Chia sẻ bài viết ngay

Nguồn bài viết : Viblo

Triển khai bộ log tập trung (Centralized logging) với Docker và Kubernettes cho server sử dụng ELK stack.

I. Thu thập logs từ Docker

Điều kiện cần

Triển khai ELK stack bằng Docker Stack

Lưu ý đối với containter Elasticsearch

Lưu ý với container Logstash

Kibana

Sử dụng Kibana

II. Thu thập logs từ trong Kubernetes.

Sử dụng Fluentd.

Tạo namespace kube-logging

Tạo Daemonset Fluentd

Tạm kết

Để web Rails mới của bạn thêm chuẩn SEO, thân thiện với Bot tìm kiếm

Câu hỏi và câu trả lời phỏng vấn iOS

10 plugin cần thiết của SublimeText dành cho các lập trình viên JavaScript

Hướng dẫn sử dụng ngôn ngữ R cho người mới bắt đầu