graylog使用Sidecars方式收集springboot程序的日志

本文主要是介绍graylog使用Sidecars方式收集springboot程序的日志，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

1、部署graylog后台服务

使用docker-compose启动三个服务程序，包括graylog、mongodb、opensearch。

docker-compose.yml内容如下

version: '3'
services:
# MongoDB: https://hub.docker.com/_/mongo/
mongodb:
image: mongo:6.0.14
privileged: true
networks:
- graylog

opensearch:
image: "opensearchproject/opensearch:2.12.0"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
- "bootstrap.memory_lock=true"
- "discovery.type=single-node"
- "action.auto_create_index=false"
- "plugins.security.ssl.http.enabled=false"
- "plugins.security.disabled=true"
# Can generate a password for `OPENSEARCH_INITIAL_ADMIN_PASSWORD` using a linux device via:
# tr -dc A-Z-a-z-0-9_@#%^-_=+ < /dev/urandom | head -c${1:-32}
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=+_8r#wliY3Pv5-HMIf4qzXImYzZf-M=M
privileged: true
ulimits:
memlock:
hard: -1
soft: -1
nofile:
soft: 65536
hard: 65536
restart: "on-failure"
networks:
- graylog

# Graylog: https://hub.docker.com/r/graylog/graylog/
graylog:
image: graylog/graylog:5.2
environment:
- GRAYLOG_NODE_ID_FILE=/usr/share/graylog/data/config/node-id
- GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
- GRAYLOG_ELASTICSEARCH_HOSTS=http://opensearch:9200
- GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
# CHANGE ME (must be at least 16 characters)!
- GRAYLOG_PASSWORD_SECRET=somepasswordpepper
# Password: admin
- GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
- GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/
privileged: true
entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
networks:
- graylog
restart: always
depends_on:
- mongodb
- opensearch
ports:
# Graylog web interface and REST API
- 9000:9000
# Syslog TCP
- 1514:1514
# Syslog UDP
- 1514:1514/udp
# GELF TCP
- 12201:12201
# GELF UDP
- 12201:12201/udp
- 5044:5044

networks:
graylog:
driver: bridge

2、部署k8s上graylog的后台服务

graylog2-service.yaml

启动运行kubectl apply -f graylog2-service.yaml

apiVersion: v1
kind: Service
metadata:
labels:
app: graylog2
name: graylog2
namespace: example
spec:
type: ClusterIP
ports:
- name: rest
port: 9000
protocol: TCP
- name: tsyslog
port: 1514
protocol: TCP
- name: usyslog
port: 1514
protocol: UDP
- name: tgelf
port: 12201
protocol: TCP
- name: ugelf
port: 12201
protocol: UDP
- name: tbeat
port: 5044
protocol: TCP
- name: ubeat
port: 5044
protocol: UDP
---
apiVersion: v1
kind: Endpoints
metadata:
labels:
app: graylog2
name: graylog2
namespace: example
subsets:
- addresses:
- ip: 上面执行docker-compose up -d的主机ip
ports:
- name: rest
port: 9000
protocol: TCP
- name: tsyslog
port: 1514
protocol: TCP
- name: usyslog
port: 1514
protocol: UDP
- name: tgelf
port: 12201
protocol: TCP
- name: ugelf
port: 12201
protocol: UDP
- name: tbeat
port: 5044
protocol: TCP
- name: ubeat
port: 5044
protocol: UDP

3、登录graylog后台配置Sidecars信息

登录地址

http://ip:9000

登录用户名/密码

admin/admin

顶部菜单选择【System】中的之后一个Sidecars，点击【Create or reuse a token for the graylog-sidecar user】

其中Token Name自定义填写，点击Create Token按钮，会生成token信息。

生成的Token需要复制保留，下面file-service.yaml文件需要使用到

查看节点id信息，在System元素处，会看见节点id信息：Node ID

节点ID需要复制保留，下面file-service.yaml文件需要使用到

4、部署springboot程序在k8s上

file-service.yaml，启动运行kubectl apply -f file-service.yaml

apiVersion: v1
kind: Service
metadata:
name: file-service
namespace: example
labels:
service: file-service
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
nodePort: 30250
selector:
app: file-service
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
name: file-service-headless
namespace: example
labels:
app: file-service
spec:
ports:
- name: http
port: 8080
targetPort: 8080
clusterIP: None
selector:
app: file-service
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: file-service
namespace: example
spec:
replicas: 1
serviceName: file-service-headless
selector:
matchLabels:
app: file-service
template:
metadata:
labels:
app: file-service
release: default
spec:
restartPolicy: Always
containers:
- name: file-service
resources:
requests:
ephemeral-storage: 2048Mi
limits:
ephemeral-storage: 2048Mi
imagePullPolicy: IfNotPresent
image: file-service:v1
ports:
- name: http
containerPort: 8080
volumeMounts:
- name: volume-localtime
mountPath: /etc/localtime
- name: graylog2-logs
#springboot程序容器内产生日志的目录
mountPath: /opt/file-service/logs
- name: sidecar-collector-logs
imagePullPolicy: IfNotPresent
image: graylog-log-sidecar-collector:latest
env:
- name: GS_SERVER_URL
#定义graylog后台服务的地址
value: "http://graylog2:9000/api/"
#定义graylog服务的节点id，取值来自上一步复制的内容
- name: GS_NODE_ID
value: "5861f0cb-e128-4f2e-a17b-3e42f8bff6af"
#节点名称自定义
- name: GS_NODE_NAME
value: "sidecar-collector-logs-file-service"
#使用的token，取值来自上一步复制的内容
- name: GS_SERVER_API_TOKEN
value: "17b7haug3bvflmtuj23e34eg9raen6bsmcppdo1aluls7s05juvn"
#采集器容器的目录,通过挂载的方式GS_LIST_LOG_FILES与运行springboot程序的graylog2-logs目录进行关联
- name: GS_LIST_LOG_FILES
value: "/graylog2-logs"
volumeMounts:
- name: graylog2-logs
mountPath: /graylog2-logs
volumes:
- name: volume-localtime
hostPath:
path: /etc/localtime
type: ''
#同时映射了宿主机目录，如果产生的日志不够，可以在这个文件夹内手动添加*.log日志。
- name: graylog2-logs
hostPath:
path: /home/volume
type: DirectoryOrCreate

5、配置Sidecars

springboot正常启动后，会自动注册到graylog上。

下面是两个容器，一个复制运行程序，另一个负责日志收集上报。

sidecars的运行状态已经是Running，但此时还需要配置file beat信息

点击名称链接，进入新页面，可以看到加载的日志目录信息

指派filebeat配置

编辑Configuration下的Log Collectors，选项下图的内容进行编辑，Executable Path要改成实际的目录，

graylog-log-sidecar-collector:latest 镜像我将filebeat放到了

/usr/share/filebeat/bin/filebeat，需要根据实际情况进行修改。点击Update Collectors进行保存。

Configurations中选择下面内容进行编辑

模板配置内容

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
hosts: ["${user.graylog_host}:5044"]

#hosts: ["${user.graylog_host}:12201"]
path:
data: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/data
logs: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/log

filebeat.inputs:
- type: log
id: sidecar-collector-logs-file-service
enabled: true
paths:
- /graylog2-logs/*.log
fields_under_root: true
fields:
event_source_product: springboot

修改右侧的环境变量信息，k8s中使用域名访问服务。

重启Sidecar插件服务

观察容器内日志

6、配置Input

填写名称即可，选择Global全局的。

7、查看收集日志效果

8、Sidecar Dockerfile

FROM debian:buster-slim

LABEL maintainer 'Markus Gulden <mg@gulden.consulting>'

RUN apt-get update && apt-get install -y openssl libapr1 libdbi1 libexpat1 ca-certificates

ENV SIDECAR_BINARY_URL https://github.com/Graylog2/collector-sidecar/releases/download/1.5.0/graylog-sidecar_1.5.0-1_amd64.deb
ENV FILEBEAT_BINARY_URL https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.1.1-amd64.deb

RUN apt-get install -y --no-install-recommends curl && curl -Lo sidecar.deb ${SIDECAR_BINARY_URL} && dpkg -i sidecar.deb && rm sidecar.deb && curl -Lo filebeat.deb ${FILEBEAT_BINARY_URL} && dpkg -i filebeat.deb && rm filebeat.deb && apt-get purge -y --auto-remove curl

#GS_LIST_LOG_FILES="[]"

ENV GS_UPDATE_INTERVAL=10 \
GS_TLS_SKIP_VERIFY="false" \
GS_SEND_STATUS="true" \
GS_CACHE_PATH="/var/cache/graylog-sidecar" \
GS_COLLECTOR_CONFIGURATION_DIRECTORY="/var/lib/graylog-sidecar/generated" \
GS_LOG_PATH="/var/log/graylog-sidecar" \
   GS_LOG_ROTATE_MAX_FILE_SIZE="1MiB" \
   GS_LOG_ROTATE_KEEP_FILES=100 \
   GS_COLLECTOR_BINARIES_WHITELIST="["/usr/bin/filebeat", "/usr/bin/packetbeat", "/usr/bin/metricbeat", "/usr/bin/heartbeat", "/usr/bin/auditbeat", "/usr/bin/journalbeat", "/usr/share/filebeat/bin/filebeat", "/usr/share/packetbeat/bin/packetbeat", "/usr/share/metricbeat/bin/metricbeat", "/usr/share/heartbeat/bin/heartbeat", "/usr/share/auditbeat/bin/auditbeat", "/usr/share/journalbeat/bin/journalbeat", "/usr/bin/nxlog", "/opt/nxlog/bin/nxlog"]"
ADD ./data /data
CMD /usr/bin/graylog-sidecar -c /data/sidecar.yml