# kubernetes日志管理最佳实践EFK
### 一、kubernetes和docker都有哪些日志
* 以上日志都是默认日志,对日志不进行配置就这样
* kubectl logs和docker logs一样的,都是查看容器内部应用的日志
* 对于容器内部应用产生stdout和stderr日志一定会被引擎拦截,如果在应用中通过代码把日志保存到容器内部,那么会产生两份日志;一份原生的日志(代码生成在项目中),一份经过加工过的日志比如json-file保存在/var/lib/docker/containers/<容器>/<容器>.log中。
### 二、kubernetes日志管理最佳实践EFK(采集)
 kubernetes efk三大组件配方
```
https://github.com/kubernetes/kubernetes/tree/v1.16.1/cluster/addons/fluentd-elasticsearch
复制代码
```
其实只需要安装fluentd-es到你的k8s集群即可,完全可以将elasticsearch和kibana单独部署,如果有票子可以直接买云厂商现成的,需要的修改fluentd-es的configMap中output:
```
output.conf: |-
@id elasticsearch
@type elasticsearch
...
...
host elasticsearch-logging # 替换集群外部的host
port 9200
user elastic # 如果开启账户验证
password elastic # 如果开启账户验证
...
...
复制代码
```
> 参考\
> [www.cnblogs.com/cocowool/p/…](https://link.juejin.im?target=https%3A%2F%2Fwww.cnblogs.com%2Fcocowool%2Fp%2FDocker_Kubernetes_Log_Location.html)
### 三、问题排查
**1、fluentd-es缓冲区**
查看`fluentd-es` pod日志文件,有个`[warn]`:
```
[elasticsearch] failed to write data into buffer by buffer overflow action=:block\n
复制代码
```
我们看采集具体流程
 我们可以修改`fluentd-es configMap`配置文件中的`buffer.chunk_limit_size`
```
output.conf: |-
@id elasticsearch
@type elasticsearch
@log_level info
type_name _doc
include_tag_key true
host es-cn-36200000.public.elasticsearch.aliyuncs.com
port 9200
user elastic
password elastic
logstash_format true
@type file
path /var/log/fluentd-buffers/kubernetes.system.buffer
flush_mode interval
...
chunk_limit_size 100M # 由原来的2M增加到100M,一般2M就够了,只是为了测试 :)
...
overflow_action block # 我们看到,这个block就是溢出标志
复制代码
```
> *如果出现缓冲区出现大量未处理的日志,那么一定是`elasticsearch`有性能瓶颈,不能实时获取最新的日志文件,需要优化一下`elasticsearch`*
**2、fluentd-es pod重复拉去自身的日志**
查看`fluentd-es` pod日志文件,有好多`[warn]`: 我们发现其中出现了很多了`\\\`这种转义字符,大概可以猜到应该是该日志文件经过多次采集,为什么会采集多次呢?我们仔细看该条日志记录的是
 也就是fluentd-es自身的日志。fluentd-es先采集自己的日志,然后把采集自己的日志又写在自己的日志上,就这样循环下去,直到内存溢出,pod挂了。\
我们需要继续修改`fluentd-es configMap`,通过`exclude_path`把这个日志文件排除了 :
```
containers.input.conf: |-
@id fluentd-containers.log
@type tail
path /var/log/containers/*.log
pos_file /var/log/es-containers.log.pos
exclude_path /var/log/containers/fluentd-es*.log # 这里将fluentd-es自己的日志排除,不采集
...
..
复制代码
```
**3、云厂商elasticsearch**
查看`fluentd-es` pod日志文件,有好多`[warn]`:
```
dump an error event: error_class=ArgumentError error=\"log does not exist\"
复制代码
```
一般云厂商提供的`elasticsearch`套件是不开启`允许自动创建索引`功能的,需要开启。
**4、排查所有问题**
将@log\_level设置为debug
```
output.conf: |-
@id elasticsearch
@type elasticsearch
@log_level debug # 如果测试没有出现问题,则改回info
...
...
host elasticsearch-logging # 替换集群外部的host
port 9200
user elastic # 如果开启账户验证
password elastic # 如果开启账户验证
...
...
复制代码
```
然后,查看`fluentd-es` pod日志文件,根据debug提示修复。
### 四、fluentd-es configMap demo
```
kind: ConfigMap
apiVersion: v1
metadata:
name: fluentd-es-config-v0.2.0
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: Reconcile
data:
system.conf: |-
root_dir /tmp/fluentd-buffers/
containers.input.conf: |-
# This configuration file for Fluentd / td-agent is used
# to watch changes to Docker log files. The kubelet creates symlinks that
# capture the pod name, namespace, container name & Docker container ID
# to the docker logs for pods in the /var/log/containers directory on the host.
# If running this fluentd configuration in a Docker container, the /var/log
# directory should be mounted in the container.
#
# These logs are then submitted to Elasticsearch which assumes the
# installation of the fluent-plugin-elasticsearch & the
# fluent-plugin-kubernetes_metadata_filter plugins.
# See https://github.com/uken/fluent-plugin-elasticsearch &
# https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter for
# more information about the plugins.
#
# Example
# =======
# A line in the Docker log file might look like this JSON:
#
# {"log":"2014/09/25 21:15:03 Got request with path wombat\n",
# "stream":"stderr",
# "time":"2014-09-25T21:15:03.499185026Z"}
#
# The time_format specification below makes sure we properly
# parse the time format produced by Docker. This will be
# submitted to Elasticsearch and should appear like:
# $ curl 'http://elasticsearch-logging:9200/_search?pretty'
# ...
# {
# "_index" : "logstash-2014.09.25",
# "_type" : "fluentd",
# "_id" : "VBrbor2QTuGpsQyTCdfzqA",
# "_score" : 1.0,
# "_source":{"log":"2014/09/25 22:45:50 Got request with path wombat\n",
# "stream":"stderr","tag":"docker.container.all",
# "@timestamp":"2014-09-25T22:45:50+00:00"}
# },
# ...
#
# The Kubernetes fluentd plugin is used to write the Kubernetes metadata to the log
# record & add labels to the log record if properly configured. This enables users
# to filter & search logs on any metadata.
# For example a Docker container's logs might be in the directory:
#
# /var/lib/docker/containers/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b
#
# and in the file:
#
# 997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b-json.log
#
# where 997599971ee6... is the Docker ID of the running container.
# The Kubernetes kubelet makes a symbolic link to this file on the host machine
# in the /var/log/containers directory which includes the pod name and the Kubernetes
# container name:
#
# synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
# ->
# /var/lib/docker/containers/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b-json.log
#
# The /var/log directory on the host is mapped to the /var/log directory in the container
# running this instance of Fluentd and we end up collecting the file:
#
# /var/log/containers/synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
#
# This results in the tag:
#
# var.log.containers.synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
#
# The Kubernetes fluentd plugin is used to extract the namespace, pod name & container name
# which are added to the log message as a kubernetes field object & the Docker container ID
# is also added under the docker field object.
# The final tag is:
#
# kubernetes.var.log.containers.synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
#
# And the final log record look like:
#
# {
# "log":"2014/09/25 21:15:03 Got request with path wombat\n",
# "stream":"stderr",
# "time":"2014-09-25T21:15:03.499185026Z",
# "kubernetes": {
# "namespace": "default",
# "pod_name": "synthetic-logger-0.25lps-pod",
# "container_name": "synth-lgr"
# },
# "docker": {
# "container_id": "997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b"
# }
# }
#
# This makes it easier for users to search for logs by pod name or by
# the name of the Kubernetes container regardless of how many times the
# Kubernetes pod has been restarted (resulting in a several Docker container IDs).
# Json Log Example:
# {"log":"[info:2016-02-16T16:04:05.930-08:00] Some log text here\n","stream":"stdout","time":"2016-02-17T00:04:05.931087621Z"}
# CRI Log Example:
# 2016-02-17T00:04:05.931087621Z stdout F [info:2016-02-16T16:04:05.930-08:00] Some log text here
@id fluentd-containers.log
@type tail
path /var/log/containers/*.log
pos_file /var/log/es-containers.log.pos
exclude_path /var/log/containers/fluentd-es*.log
tag raw.kubernetes.*
read_from_head true
@type multi_format
format json
time_key time
time_format %Y-%m-%dT%H:%M:%S.%NZ
format /^(?
# Detect exceptions in the log output and forward them as one log entry.
@id raw.kubernetes
@type detect_exceptions
remove_tag_prefix raw
message log
stream stream
multiline_flush_interval 5
max_bytes 500000
max_lines 1000
# Concatenate multi-line logs
@id filter_concat
@type concat
key message
multiline_end_regexp /\n$/
separator ""
# Enriches records with Kubernetes metadata
@id filter_kubernetes_metadata
@type kubernetes_metadata
# Fixes json fields in Elasticsearch
@id filter_parser
@type parser
key_name log
reserve_data true
remove_key_name_field true
@type multi_format
format json
format none
system.input.conf: |-
# Example:
# 2015-12-21 23:17:22,066 [salt.state ][INFO ] Completed state [net.ipv4.ip_forward] at time 23:17:22.066081
@id minion
@type tail
format /^(?
# Example:
# Dec 21 23:17:22 gke-foo-1-1-4b5cbd14-node-4eoj startupscript: Finished running startup script /var/run/google.startup.script
#
# @id startupscript.log
# @type tail
# format syslog
# path /var/log/startupscript.log
# pos_file /var/log/es-startupscript.log.pos
# tag startupscript
#
# Examples:
# time="2016-02-04T06:51:03.053580605Z" level=info msg="GET /containers/json"
# time="2016-02-04T07:53:57.505612354Z" level=error msg="HTTP Error" err="No such image: -f" statusCode=404
# TODO(random-liu): Remove this after cri container runtime rolls out.
#
# @id docker.log
# @type tail
# format /^time="(?
# Example:
# 2016/02/04 06:52:38 filePurge: successfully removed file /var/etcd/data/member/wal/00000000000006d0-00000000010a23d1.wal
#
# @id etcd.log
# @type tail
# # Not parsing this, because it doesn't have anything particularly useful to
# # parse out of it (like severities).
# format none
# path /var/log/etcd.log
# pos_file /var/log/es-etcd.log.pos
# tag etcd
#
# Multi-line parsing is required for all the kube logs because very large log
# statements, such as those that include entire object bodies, get split into
# multiple lines by glog.
# Example:
# I0204 07:32:30.020537 3368 server.go:1048] POST /stats/container/: (13.972191ms) 200 [[Go-http-client/1.1] 10.244.1.3:40537]
#
# @id kubelet.log
# @type tail
# format multiline
# multiline_flush_interval 5s
# format_firstline /^\w\d{4}/
# format1 /^(?\w)(?