'%3e%3cpath%20d='M9%2021H15'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M5.25001%209.75C5.25001%207.95979%205.96116%206.2429%207.22703%204.97703C8.4929%203.71116%2010.2098%203%2012%203C13.7902%203%2015.5071%203.71116%2016.773%204.97703C18.0388%206.2429%2018.75%207.95979%2018.75%209.75C18.75%2013.1081%2019.5281%2015.8063%2020.1469%2016.875C20.2126%2016.9888%2020.2472%2017.1179%2020.2474%2017.2493C20.2475%2017.3808%2020.2131%2017.5099%2020.1475%2017.6239C20.082%2017.7378%2019.9877%2017.8325%2019.8741%2017.8985C19.7604%2017.9645%2019.6314%2017.9995%2019.5%2018H4.50001C4.36874%2017.9992%204.23997%2017.964%204.12659%2017.8978C4.0132%2017.8317%203.91916%2017.7369%203.85387%2017.6231C3.78858%2017.5092%203.75432%2017.3801%203.75452%2017.2489C3.75472%2017.1176%203.78937%2016.9887%203.85501%2016.875C4.47282%2015.8063%205.25001%2013.1072%205.25001%209.75Z'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_4762_133'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M24%200H0V24H24V0Z'%20fill='white'%20fill-opacity='0.01'/%3e%3cpath%20d='M12%2011C14.2091%2011%2016%209.20914%2016%207C16%204.79086%2014.2091%203%2012%203C9.79086%203%208%204.79086%208%207C8%209.20914%209.79086%2011%2012%2011Z'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2021V20.4857C4%2018.5655%204%2017.6055%204.38753%2016.872C4.72841%2016.2269%205.27235%2015.7024%205.94138%2015.3737C6.70196%2015%207.6976%2015%209.68889%2015H14.3111C16.3024%2015%2017.298%2015%2018.0586%2015.3737C18.7276%2015.7024%2019.2716%2016.2269%2019.6125%2016.872C20%2017.6055%2020%2018.5655%2020%2020.4857V21'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_4762_139'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
用 Fluent Bit 收集 Nginx 日志到 OpenSearch
忘机山人
发布于70天前博客图片修整中,看不了可以先搜索公众号“忘机山人”看。
怎么用 Fluent Bit 把 Kubernetes 中 Nginx 的日志采集到 OpenSearch,并在 Dashboards 里查看和过滤。
需要在微服中开启已经有一个运行中的 OpenSearch 集群,如果没有可以点击这里安装。
https://appstore.lazycat.cloud/#/shop/detail/xu.deploy.opensearch
我这里使用一个Nginx作为例子,当然你也可以收集其他的应用来做APM
### 部署一个 Nginx 用于测试
先部署一个简单的 Nginx 作为日志来源:
```bash
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80
```
### 安装 Fluent Bit
添加 Helm 仓库:
```bash
helm repo add fluent https://fluent.github.io/helm-charts
helm repo update
```
Fluent Bit 的配置比较长,建议用 values 文件管理。创建 `fluent-bit-values.yaml`:
```yaml
config:
inputs: |
[INPUT]
Name tail
Path /var/log/containers/*.log
Exclude_Path /var/log/containers/fluent-bit*.log,/var/log/containers/opensearch*.log,/var/log/containers/dashboards*.log,/var/log/containers/*_kube-system_*.log
multiline.parser docker, cri
Tag kube.*
Mem_Buf_Limit 5MB
Skip_Long_Lines On
[INPUT]
Name systemd
Tag host.*
Systemd_Filter _SYSTEMD_UNIT=kubelet.service
Read_From_Tail On
filters: |
[FILTER]
Name kubernetes
Match kube.*
Merge_Log On
Keep_Log Off
K8S-Logging.Parser On
K8S-Logging.Exclude On
outputs: |
[OUTPUT]
Name opensearch
Match *
Host opensearch-cluster-master
Port 9200
HTTP_User admin
HTTP_Passwd
Index nginx-logs
Logstash_Format On
Logstash_Prefix nginx-logs
tls On
tls.verify Off
Suppress_Type_Name On
```
安装:
```bash
helm install fluent-bit fluent/fluent-bit -f fluent-bit-values.yaml
```
### 配置详解
这里解释几个关键配置项:
#### Exclude_Path — 排除不需要的日志
```
Exclude_Path /var/log/containers/fluent-bit*.log,/var/log/containers/opensearch*.log,/var/log/containers/dashboards*.log,/var/log/containers/*_kube-system_*.log
```
这是我们踩过的一个坑。Fluent Bit 作为 DaemonSet 运行在每个节点上,默认会采集 `/var/log/containers/` 下所有容器的日志。如果节点上跑了 OpenSearch、Dashboards 这些日志量很大的服务,Fluent Bit 的内存缓冲区(`Mem_Buf_Limit 5MB`)会很快被填满,导致其他日志(比如 Nginx)发送失败,表现为不断报 `failed to flush chunk` 错误。
另外特别要注意排除 Fluent Bit 自己的日志。如果开了 debug 模式,Fluent Bit 会疯狂输出日志,而这些日志又会被自己的 tail input 读取,形成死循环,直接把缓冲区撑爆。
#### Logstash_Format — 按日期轮换索引
```
Logstash_Format On
Logstash_Prefix nginx-logs
```
开启后索引名会变成 `nginx-logs-2026.03.23` 这样按天轮换,方便后续做索引生命周期管理。在 Dashboards 里创建 index pattern 时用 `nginx-logs-*` 即可匹配所有日期的索引。
#### kubernetes filter — 添加 Pod 元数据
```
[FILTER]
Name kubernetes
Match kube.*
Merge_Log On
```
这个 filter 会自动给每条日志加上 `kubernetes.pod_name`、`kubernetes.namespace_name`、`kubernetes.container_name` 等字段,这样在 Dashboards 里就可以按 Pod 名称过滤日志了。
### 产生测试日志
Nginx 在没有请求的时候不会输出 access log,需要手动访问一下:
```bash
kubectl port-forward svc/nginx 8080:80 &
for i in $(seq 1 100); do curl -s http://localhost:8080 > /dev/null; done
```
### 查看日志索引
我们能够看到已经馋看了nginx-log这个索引,并且按照时间轮换。
### 在 Dashboards 中查看
1. 打开 OpenSearch Dashboards(`kubectl port-forward svc/dashboards-opensearch-dashboards 5601:5601`)
3. 进入 Stack Management → Index Patterns,创建 `nginx-logs-*` 的 index pattern。
时间字段选 `@timestamp`
3. 进入 Discover,选择刚创建的 index pattern
4. 在左侧 Available fields 找到 `kubernetes.pod_name`或者其他字段(我这里用的imaeg的名字),点击过滤即可按 Pod 查看日志
如果在 Available fields 里看不到 kubernetes 相关字段,去 Index Patterns 里点刷新按钮(🔄)刷新字段列表。
### 常见问题
#### Fluent Bit 一直报 failed to flush chunk
大概率是缓冲区被其他 Pod 的日志挤满了。用 `Exclude_Path` 排除不需要的日志,或者加大 `Mem_Buf_Limit`。
#### Dashboards 里看不到 Nginx 日志但能看到其他 Pod
检查 Nginx Pod 所在节点的 Fluent Bit 是否正常。可能是那个节点的 Fluent Bit 启动时 OpenSearch 还没 ready,导致一直 flush 失败。删掉那个 Fluent Bit Pod 让 DaemonSet 重建即可。
#### 手动 curl OpenSearch 能写入但 Fluent Bit 写不进去
确认 Fluent Bit output 配置里的 `Host`、`Port`、`HTTP_User`、`HTTP_Passwd`、`tls` 是否正确。可以用以下命令从集群内部测试连通性:
```bash
kubectl run test-curl --image=curlimages/curl --rm -it --restart=Never -- curl -sk https://opensearch-cluster-master:9200 -u 'admin:'
```
### 总结
Fluent Bit + OpenSearch 是轻量级日志方案的经典组合。核心要点是合理配置 `Exclude_Path` 控制采集范围,避免无关日志挤占缓冲区。配合 `Logstash_Format` 做索引轮换,再加上 kubernetes filter 提供的 Pod 元数据,就能在 Dashboards 里方便地按 Pod、Namespace 等维度过滤和分析日志了。
评论
0暂无评论