diff --git a/logging/filebeat.yml b/logging/filebeat.yml
new file mode 100644
index 0000000..eece903
--- /dev/null
+++ b/logging/filebeat.yml
@@ -0,0 +1,196 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: filebeat-config
+ namespace: logging
+data:
+ filebeat.yml: |-
+ http.enabled: true
+ filebeat.inputs:
+ - type: container
+ paths:
+ - /var/log/containers/*.log
+ processors:
+ - add_kubernetes_metadata:
+ in_cluster: true
+ host: ${NODE_NAME}
+ matchers:
+ - logs_path:
+ logs_path: "/var/log/containers/"
+ filebeat.autodiscover:
+ providers:
+ - type: kubernetes
+ host: ${NODE_NAME}
+ hints.enabled: true
+ hints.default_config:
+ type: container
+ paths:
+ - /var/log/containers/*${data.kubernetes.container.id}.log
+ processors:
+ - add_host_metadata:
+ - drop_fields:
+ fields:
+ - stream
+ ignore_missing: true
+ - rename:
+ fields:
+ - from: "kubernetes.node.name"
+ to: "source"
+ - from: "kubernetes.pod.name"
+ to: "pod"
+ - from: "stream"
+ to: "stream"
+ - from: "kubernetes.labels.app"
+ to: "app"
+ - from: "kubernetes.namespace"
+ to: "namespace"
+ ignore_missing: true
+ - drop_fields:
+ fields:
+ - agent
+ - container
+ - ecs
+ - host
+ - kubernetes
+ - log
+ - "@metadata"
+ ignore_missing: true
+ output.logstash:
+ hosts: ["graylog-logstash:5044"]
+ #output.console:
+ # pretty: true
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: filebeat
+ namespace: logging
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 100%
+ selector:
+ matchLabels:
+ app: filebeat
+ template:
+ metadata:
+ labels:
+ app: filebeat
+ spec:
+ serviceAccountName: filebeat
+ containers:
+ - name: filebeat
+ image: docker.elastic.co/beats/filebeat:7.17.6
+ args:
+ - -c
+ - /etc/filebeat.yml
+ - -e
+ securityContext:
+ runAsUser: 0
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ ports:
+ - containerPort: 5066
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ volumeMounts:
+ - name: filebeat-config
+ mountPath: /etc/filebeat.yml
+ readOnly: true
+ subPath: filebeat.yml
+ - name: data
+ mountPath: /usr/share/filebeat/data
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ readOnly: true
+ - name: varlog
+ mountPath: /var/log
+ readOnly: true
+ volumes:
+ - name: filebeat-config
+ configMap:
+ defaultMode: 0600
+ name: filebeat-config
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
+ - name: varlog
+ hostPath:
+ path: /var/log
+ - name: data
+ hostPath:
+ path: /var/lib/filebeat-data
+ type: DirectoryOrCreate
+ tolerations:
+ - operator: "Exists"
+ effect: "NoExecute"
+ - operator: "Exists"
+ effect: "NoSchedule"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: filebeat
+subjects:
+- kind: ServiceAccount
+ name: filebeat
+ namespace: logging
+roleRef:
+ kind: ClusterRole
+ name: filebeat
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: filebeat
+ labels:
+ app: filebeat
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - pods
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: filebeat
+ namespace: logging
+ labels:
+ app: filebeat
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: filebeat
+spec:
+ podSelector:
+ matchLabels:
+ app: filebeat
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: graylog
+ ports:
+ - protocol: TCP
+ port: 5044
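Review bot: The NetworkPolicy at the end of the file has no `metadata.namespace`, while the ConfigMap, DaemonSet and ServiceAccount are all pinned to `logging`; unless the namespace is supplied at apply time, the policy lands in whatever namespace is current and selects no filebeat pods, so the intended restriction is silently absent. Adding `namespace: logging` under its `metadata` fixes that. Once the policy does select the pods, its single egress rule (TCP 5044 to pods labelled `app: graylog`) leaves no path for DNS resolution of `graylog-logstash` or for the API-server watches that `add_kubernetes_metadata` and the kubernetes autodiscover provider depend on, so on a CNI that enforces policies log shipping and metadata enrichment would probably fail. The sketch below adds the namespace and a DNS rule; the API-server rule depends on the cluster's endpoint and is left as a comment.

```yaml
metadata:
  name: filebeat
  namespace: logging
spec:
  # … unchanged: podSelector, policyTypes …
  egress:
    # … unchanged: TCP 5044 to app: graylog …
    # DNS, needed to resolve graylog-logstash; adjust the labels to the cluster's DNS pods
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Kubernetes API server: add a rule for the cluster's API endpoint (cluster-specific, not shown)
```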