logging: Replace Graylog with ZincSearch

2022-09-16 08:33:29 +03:00
parent edcb6399df
commit c4208037e2
5 changed files with 238 additions and 495 deletions
--- a/logging/filebeat.yml
+++ b/logging/filebeat.yml
@@ -6,18 +6,13 @@ metadata:
  namespace: logging
 data:
  filebeat.yml: |-
+    setup:
+      ilm:
+        enabled: false
+      template:
+        name: filebeat
+        pattern: filebeat-*
    http.enabled: true
-    filebeat.inputs:
-    - type: container
-      paths:
-        - /var/log/containers/*.log
-      processors:
-        - add_kubernetes_metadata:
-            in_cluster: true
-            host: ${NODE_NAME}
-            matchers:
-            - logs_path:
-                logs_path: "/var/log/containers/"
    filebeat.autodiscover:
      providers:
        - type: kubernetes
@@ -27,50 +22,24 @@ data:
            type: container
            paths:
              - /var/log/containers/*${data.kubernetes.container.id}.log
-    processors:
-      - add_host_metadata:
-      - drop_fields:
-          fields:
-            - stream
-          ignore_missing: true
-      - rename:
-          fields:
-            - from: "kubernetes.node.name"
-              to: "source"
-            - from: "kubernetes.pod.name"
-              to: "pod"
-            - from: "stream"
-              to: "stream"
-            - from: "kubernetes.labels.app"
-              to: "app"
-            - from: "kubernetes.namespace"
-              to: "namespace"
-          ignore_missing: true
-      - drop_fields:
-          fields:
-            - agent
-            - container
-            - ecs
-            - host
-            - kubernetes
-            - log
-            - "@metadata"
-          ignore_missing: true
-    output.logstash:
-      hosts: ["graylog-logstash:5044"]
-    #output.console:
-    #  pretty: true
+    output:
+      elasticsearch:
+        hosts:
+          - http://zinc:4080
+        path: "/es/"
+        index: "filebeat-%{+yyyy.MM.dd}"
+        username: "${ZINC_FIRST_ADMIN_USER}"
+        password: "${ZINC_FIRST_ADMIN_PASSWORD}"
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: filebeat
-  namespace: logging
 spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
-      maxUnavailable: 100%
+      maxUnavailable: 50%
  selector:
    matchLabels:
      app: filebeat
@@ -78,72 +47,86 @@ spec:
    metadata:
      labels:
        app: filebeat
+      annotations:
+        co.elastic.logs/json.keys_under_root: "true"
    spec:
      serviceAccountName: filebeat
      containers:
-      - name: filebeat
-        image: docker.elastic.co/beats/filebeat:7.17.6
-        args:
-         - -c
-         - /etc/filebeat.yml
-         - -e
-        securityContext:
-          runAsUser: 0
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: spec.nodeName
-        ports:
-          - containerPort: 5066
-        resources:
-          limits:
-            memory: 200Mi
-          requests:
-            cpu: 100m
-            memory: 100Mi
-        volumeMounts:
-        - name: filebeat-config
-          mountPath: /etc/filebeat.yml
-          readOnly: true
-          subPath: filebeat.yml
-        - name: data
-          mountPath: /usr/share/filebeat/data
-        - name: varlibdockercontainers
-          mountPath: /var/lib/docker/containers
-          readOnly: true
-        - name: varlog
-          mountPath: /var/log
-          readOnly: true
+        - name: filebeat
+          image: docker.elastic.co/beats/filebeat:8.4.1
+          args:
+            - -c
+            - /etc/filebeat.yml
+            - -e
+          securityContext:
+            runAsUser: 0
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: ZINC_FIRST_ADMIN_USER
+              value: admin
+            - name: ZINC_FIRST_ADMIN_PASSWORD
+              value: salakala
+          ports:
+            - containerPort: 5066
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: filebeat-config
+              mountPath: /etc/filebeat.yml
+              readOnly: true
+              subPath: filebeat.yml
+            - name: data
+              mountPath: /usr/share/filebeat/data
+            - name: varlibdockercontainers
+              mountPath: /var/lib/docker/containers
+              readOnly: true
+            - name: varlog
+              mountPath: /var/log
+              readOnly: true
+        - name: exporter
+          image: sepa/beats-exporter
+          args:
+            - -p=5066
+          ports:
+            - containerPort: 8080
+              name: exporter
+              protocol: TCP
      volumes:
-      - name: filebeat-config
-        configMap:
-          defaultMode: 0600
-          name: filebeat-config
-      - name: varlibdockercontainers
-        hostPath:
-          path: /var/lib/docker/containers
-      - name: varlog
-        hostPath:
-          path: /var/log
-      - name: data
-        hostPath:
-          path: /var/lib/filebeat-data
-          type: DirectoryOrCreate
+        - name: filebeat-config
+          configMap:
+            defaultMode: 0600
+            name: filebeat-config
+        - name: varlibdockercontainers
+          hostPath:
+            path: /var/lib/docker/containers
+        - name: varlog
+          hostPath:
+            path: /var/log
+        - name: data
+          hostPath:
+            path: /var/lib/filebeat-data
+            type: DirectoryOrCreate
      tolerations:
-      - operator: "Exists"
-        effect: "NoExecute"
-      - operator: "Exists"
-        effect: "NoSchedule"
+        - operator: "Exists"
+          effect: "NoExecute"
+        - operator: "Exists"
+          effect: "NoSchedule"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: logging-filebeat
 subjects:
- kind: ServiceAccount
-  name: filebeat
-  namespace: logging
+  - kind: ServiceAccount
+    name: filebeat
+    namespace: logging
 roleRef:
  kind: ClusterRole
  name: filebeat
@@ -166,13 +149,35 @@ spec:
    matchLabels:
      app: filebeat
  policyTypes:
-  - Ingress
-  - Egress
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: prometheus-operator
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+      ports:
+        - protocol: TCP
+          port: 8080
  egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app: graylog
-    ports:
-    - protocol: TCP
-      port: 5044
+    - to:
+        - podSelector:
+            matchLabels:
+              app: zinc
+      ports:
+        - protocol: TCP
+          port: 4080
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: filebeat
+spec:
+  selector:
+    matchLabels:
+      app: filebeat
+  podMetricsEndpoints:
+    - port: exporter