k8s接入graylog

https://zhangzhuo.ltd/articles/2022/03/12/1647093697299.html

![](/media/202310/2023-10-17_154715_7681260.2508311633082051.png)
* filebeat.inputs：输入也就是采集日志的源设置，这里需要使用container输入读取容器日志文件。
* processors:解析器，可以配置解析日志来源添加一些有用字段
* output.elasticsearch：输出配置

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    logging.level: info
    filebeat.inputs:    #日志来源container，这里无需修改默认
    - type: container
      ignore_older: 2h
      combine_partial: true
      cri.parse_flags: true
      cri.force: true      
      ids:
        - "*"
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
            host: ${NODE_NAME}
            matchers:
            - logs_path:
                logs_path: "/var/log/containers/"
    processors:   #日志的具体处理
      - drop_event.when:  #不需要采集那些容器日志
          or:
          - equals:
              kubernetes.container.name: "filebeat"
      - rename:  #重写kubernetes源数据信息
          fields:
          - from: "kubernetes.node.name"
            to: "node"
          - from: "kubernetes.pod.name"
            to: "pod"
          - from: "kubernetes.namespace"
            to: "namespace"
      - drop_fields:  #不需要那些字段
          fields: ["input","agent","stream","log","host","ecs","kubernetes.container","kubernetes.pod.uid","kubernetes.replicaset.name"]
    output.logstash:
      hosts: ["192.168.1.161:5044"] #输出到logstash配置    输出到es 或者 logstash 只能二选一
	output.elasticsearch:
      hosts: ["192.168.10.71:9200"]  #输出es配置
      username: "elastic"
      password: "123456"
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
spec:
  selector:
    matchLabels:
      k8s-app: filebeat
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      serviceAccountName: filebeat
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: filebeat
        image: elastic/filebeat:7.6.1
        args: [
          "-c", "/etc/filebeat.yml",
          "-e",
        ]
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          # If using Red Hat OpenShift uncomment this:
          #privileged: true
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/log/containers
          readOnly: true
        - name: varlog
          mountPath: /var/log
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: filebeat-config
      - name: varlibdockercontainers
        hostPath:
          path: /var/log/containers
      - name: varlog
        hostPath:
          path: /var/log
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          path: /var/lib/filebeat
          type: DirectoryOrCreate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: filebeat
subjects:
- kind: ServiceAccount
  name: filebeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: filebeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: filebeat
  labels:
    k8s-app: filebeat
rules:
- apiGroups: [""] # "" indicates the core API group
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - watch
  - list
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
---
```

graylog 新建 input

![](/media/202310/2023-10-17_153458_9175730.45613800449423325.png)

![](/media/202310/2023-10-17_153611_0152900.043889046136085685.png)

![](/media/202310/2023-10-17_153820_6347270.030725180057562418.png)

![](/media/202310/2023-10-17_153918_1931440.5706126413677647.png)

![](/media/202310/2023-10-17_154224_3216700.08580120085614196.png)

![](/media/202310/2023-10-17_154626_0752550.8736716693962867.png)