How to integrate opensearch with logstash on a Kubernetes cluster



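I have a Kubernetes cluster on which I have deployed an opensearch cluster and opensearch dashboard using Helm. I am also able to deploy logstash successfully using Helm, but I am confused about how to integrate them. My objective is to feed data to my Opensearch using logstash, and I couldn't find much documentation on it either. Any help is appreciated. Thanks in advance!

Deployed opensearch using Helm and logstash as well, but unable to integrate them

Update here!!

Made a few changes to simplify the deployment and get more control over the features,

This time I am testing with deployment and service files; I will add the files below

Opensearch deployment file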


---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  namespace: logging
  name: opensearch
  labels:
    component: opensearch
spec:
  selector:
    matchLabels:
      component: opensearch
  replicas: 1
  serviceName: opensearch
  template:
    metadata:
      labels:
        component: opensearch
    spec:
      initContainers:
        - name: init-sysctl
          image: busybox
          imagePullPolicy: IfNotPresent
          command:
            - sysctl
            - -w
            - vm.max_map_count=262144
          securityContext:
            privileged: true
      containers:
        - name: opensearch
          securityContext:
            capabilities:
              add:
                - IPC_LOCK
          image: opensearchproject/opensearch
          env:
            - name: KUBERNETES_CA_CERTIFICATE_FILE
              value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: "cluster.name"
              value: "opensearch-cluster"
            - name: "network.host"
              value: "0.0.0.0"
            - name: "discovery.seed_hosts"
              value: "[]"
            - name: discovery.type
              value: single-node
            - name: OPENSEARCH_JAVA_OPTS
              value: -Xmx512M -Xms512M
            - name: "plugins.security.disabled"
              value: "false"
          ports:
            - containerPort: 9200
              name: http
              protocol: TCP
            - containerPort: 9300
              name: transport
              protocol: TCP
          volumeMounts:
            - name: os-mount
              mountPath: /data
      volumes:
        - name: os-mount
          persistentVolumeClaim:
            claimName: nfs-pvc-os-logging

Opensearch svc file

---
apiVersion: v1
kind: Service
metadata:
  name: opensearch
  namespace: logging
  labels:
    service: opensearch
spec:
  type: ClusterIP
  selector:
    component: opensearch
  ports:
    - port: 9200
      targetPort: 9200

Opensearch dashboard deployment

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: open-dash
  namespace: logging
spec:
  replicas: 1
  selector:
    matchLabels:
      app: open-dash
  template:
    metadata:
      labels:
        app: open-dash
    spec:
#      securityContext:
#      runAsUser: 0

      containers:
        - name: opensearch-dashboard
          image: opensearchproject/opensearch-dashboards:latest
          ports:
            - containerPort: 80
          env:
#            - name: ELASTICSEARCH_URL
#              value: https://opensearch.logging:9200
#            - name: "SERVER_HOST"
#              value: "localhost"
#            - name: "opensearch.hosts"
#              value: https://opensearch.logging:9200
            - name: OPENSEARCH_HOSTS
              value: '["https://opensearch.logging:9200"]'

Opensearch Dashboard svc

---
apiVersion: v1
kind: Service
metadata:
  name: opensearch
  namespace: logging
  labels:
    service: opensearch
spec:
  type: ClusterIP
  selector:
    component: opensearch
  ports:
    - port: 9200
      targetPort: 9200

With the above configuration I am able to open the dashboard UI, but in the dashboard pod logs I can see 400 code logs. Can anyone try to reproduce this issue? I also need to integrate logstash with this stack.

{"type":"response","@timestamp":"2023-02-20T05:05:34Z","tags":[],"pid":1,"method":"head","statusCode":400,"req":{"url":"/app/home","method":"head","headers":{"connection":"Keep-Alive","content-type":"application/json","host":"3.108.199.0:30406","user-agent":"Manticore 0.9.1","accept-encoding":"gzip,deflate","securitytenant":"user"},"remoteAddress":"10.244.1.1","userAgent":"Manticore 0.9.1"},"res":{"statusCode":400,"responseTime":2,"contentLength":9},"message":"HEAD /app/home 400 2ms - 9.0B

While deploying the logstash pod I am getting an error

[WARN ] 2023-02-20 05:13:52.212 [Ruby-0-Thread-9: /usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-opensearch-2.0.1-java/lib/logstash/outputs/opensearch/http_client/pool.rb:217] opensearch - Attempted to resurrect connection to dead OpenSearch instance, but got an error {:url=>"http://logstash:xxxxxx@opensearch.logging:9200/", :exception=>LogStash::Outputs::OpenSearch::HttpClient::Pool::HostUnreachableError, :message=>"OpenSearch Unreachable: [http://logstash:xxxxxx@opensearch.logging:9200/][Manticore::ClientProtocolException] opensearch.logging:9200 failed to respond"}

Can someone please try to help me out with this puzzle?

@Benla I have made changes as per your recommendation, and now I am getting the following logs in logstash

[2023-02-20T05:18:43,028][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2023-02-20T05:18:43,147][INFO ][org.reflections.Reflections] Reflections took 70 ms to scan 1 urls, producing 127 keys and 444 values
[2023-02-20T05:18:43,351][INFO ][logstash.javapipeline ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2023-02-20T05:18:43,370][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>16, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2000, "pipeline.sources"=>["/usr/share/logstash/pipeline/logstash.conf"], :thread=>"#"}
[2023-02-20T05:18:43,811][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>0.44}
[2023-02-20T05:18:43,816][INFO ][logstash.inputs.beats ][main] Starting input listener {:address=>"0.0.0.0:5044"}
[2023-02-20T05:18:43,821][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2023-02-20T05:18:43,835][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2023-02-20T05:18:43,869][INFO ][org.logstash.beats.Server][main][0710cad67e8f47667bc7612580d5b91f691dd8262a4187d9eca8cf87229d04aa] Starting server on port: 5044

I started getting this endless loop of logs

[WARN ] 2023-02-20 05:13:37.191 [Ruby-0-Thread-9: /usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-opensearch-2.0.1-java/lib/logstash/outputs/opensearch/http_client/pool.rb:217] opensearch - Attempted to resurrect connection to dead OpenSearch instance, but got an error {:url=>"http://logstash:xxxxxx@opensearch.logging:9200/", :exception=>LogStash::Outputs::OpenSearch::HttpClient::Pool::HostUnreachableError, :message=>"OpenSearch Unreachable: [http://logstash:xxxxxx@opensearch.logging:9200/][Manticore::ClientProtocolException] opensearch.logging:9200 failed to respond"}

For opensearch SSO (Keycloak), please use the following steps:

Opensearch:

  1. Make a custom image for opensearch; for this make 2 files as below.

i. config.yml (for the opensearch security plugin)

    ---
    _meta:
      type: "config"
      config_version: 2

    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          internal_auth:
            order: 0
            description: "HTTP basic authentication using the internal user database"
            http_enabled: true
            transport_enabled: true
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: "https://keycloak-url/realms/realm-name/.well-known/openid-configuration"
            authentication_backend:
              type: noop
    ---
    

ii. log4j2.properties (this file will start logs in opensearch so that we can see logs which are otherwise turned off)

---
logger.securityjwt.name = com.amazon.dlic.auth.http.jwt
logger.securityjwt.level = trace
---

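iii. Dockerfile

---
FROM opensearchproject/opensearch:2.5.0
RUN mkdir /usr/share/opensearch/plugins/opensearch-security/securityconfig
# config.yml is the security plugin configuration created in step i
COPY config.yml /usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml
COPY config.yml /usr/share/opensearch/config/opensearch-security/config.yml
# log4j2.properties is the logging configuration created in step ii
COPY log4j2.properties /usr/share/opensearch/config/log4j2.properties
---

  2. Deploy opensearch using the opensearch helm chart (change the image to your custom image built using the above configs). Opensearch will deploy 3 pods. Now go into each pod and fire the below command to start the security plugin (do this only once for each pod of opensearch).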


    /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
      -cacert /usr/share/opensearch/config/root-ca.pem \
      -cert /usr/share/opensearch/config/kirk.pem \
      -key /usr/share/opensearch/config/kirk-key.pem \
      -cd /usr/share/opensearch/config/opensearch-security \
      -h localhost

    Make sure all 3 pods are up and in ready state.

Opensearch-dashboard

  3. Now we will configure opensearch-dashboard.

i. In the values.yml of the opensearch-dashboard helm chart, search for config

---
config:
  opensearch_dashboards.yml: |
    opensearch.hosts: [https://localhost:9200]
    opensearch.ssl.verificationMode: none
    opensearch.username: admin
    opensearch.password: admin
    opensearch.requestHeadersWhitelist: [authorization, securitytenant]
    opensearch_security.multitenancy.enabled: true
    opensearch_security.multitenancy.tenants.preferred: [Private, Global]
    opensearch_security.readonly_mode.roles: [kibana_read_only]
    opensearch_security.cookie.secure: false
    server.host: '0.0.0.0'
    opensearch_security.auth.type: "openid"
    opensearch_security.openid.connect_url: "https://keycloak-url/realms/realm-name/.well-known/openid-configuration"
    opensearch_security.openid.client_id: "admin"
    opensearch_security.openid.client_secret: "asgduasdjsadk"
    opensearch_security.openid.scope: "email openid"
    opensearch_security.openid.base_redirect_url: "https://opensearch_dashboards-url.io"
---

ii. Deploy opensearch_dashboards.

Now, once opensearch_dashboards is deployed and the pod is up and in ready state, you can go to https://opensearch_dashboards-url.io (your opensearch_dashboards url) and you will see the Keycloak login form.

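I think deploying a logstash<->opensearch pipeline is not very different from deploying logstash<->elasticsearch in K8S. The only differences I encountered are:

  1. The docker or other container runtime image should be opensearchproject/logstash-oss-with-opensearch-output-plugin:latest rather than logstash
  2. The output plugin in the logstash config file should be opensearch rather than elasticsearch.

Other than that, you can follow every Logstash<->ElasticSearch on K8S tutorial; there are plenty.

Good luck!

I have not tested this with SSO yet; please let us know your suggestions on that

Opensearch, Opensearch Dashboard (Official Helm charts), Filebeat (Official Helm Charts) and Logstash Deployment (Official Helm Charts)

  • Opensearch & Opensearch-dashboard https://github.com/opensearch-project/helm-charts
  • Filebeat https://github.com/elastic/helm-charts/tree/main/filebeat
  • Logstash https://github.com/elastic/helm-charts/tree/main/logstash

My ELK stack is divided into 3 parts, each deploying a separate component using Helm charts

  • Opensearch (A)
  • Dashboard (B)
  • Filebeat
  • Logstash

It is recommended to create a separate namespace for the logging stack on the k8s cluster

Opensearch deployment (A)

Navigate to the "/opensearchhelm/opensearch/helm-charts/charts/opensearch" directory. In the opensearch directory you will find values.yaml, which contains the configuration for the helm chart

Create a persistent volume for Opensearch. Then you can run the command to deploy the helm chart in the namespace of your choice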

Opensearch,Opensearch Dashboard(Official Helm charts),Filebeat(Official Helm Charts)和Logstash Deployment(Official Helm Charts)

  • Opensearch & Opensearch-dashboard https://github.com/opensearch-project/helm-charts
  • 文件节拍 https://github.com/elastic/helm-charts/tree/main/filebeat
  • 日志藏匿 [https://github.com/elastic/helm-charts/tree/main/logstash]

我的 ELK 堆栈分为 3 个部分,每个部分使用 Helm 图表部署单独的组件

  • 开放搜索(A)
  • 仪表板(B)
  • 文件节拍
  • 日志存储

建议为 k8s 集群上的日志记录堆栈创建单独的命名空间

打开搜索部署(A) 导航到"/opensearchhelm/opensearch/helm-charts/charts/opensearch"目录 在 opensearch 目录中,您将找到包含 helm 图表配置的 values.yaml

为 Opensearch 创建持久卷 然后,您可以运行该命令以在您选择的命名空间中部署 Helm 图表

helm install opensearch opensearch/ -n namespace

Verify the deployment using the following command

kubectl get pods -n development

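Exec into an existing pod that has curl installed to check connectivity within the cluster

kubectl exec -it -n namespace podname -- /bin/sh

Once inside the pod, curl the servicename.namespace as shown below; this should return a JSON output in return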

curl -X GET https://opensearch.logging:9200 -u 'admin:admin' --insecure
{
  "name" : "opensearch-cluster-master-0",
  "cluster_name" : "opensearch-cluster",
  "cluster_uuid" : "nEFZv3l0RRyx3A0nGtQgug",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.4.0",
    "build_type" : "tar",
    "build_hash" : "744ca260b892d119be8164f48d92b8810bd7801c",
    "build_date" : "2022-11-15T04:42:29.671309257Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.1",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

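Once you get a similar output, we can confirm that your opensearch is installed successfully

Opensearch dashboard deployment (B)

Navigate to "/opensearchhelm/opensearch/helm-charts/charts/opensearch-dashboard" in the elk directory.

In the opensearch directory you will find values.yaml, which contains the configuration for the helm chart.

Replace the service name with your opensearch service name in the "opensearchHosts" property in values.yaml, as in the following example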

opensearchHosts: "https://opensearch-cluster-master:9200"

Then, from opensearchhelm/opensearch/helm-charts/charts/, you can run the command to deploy the helm chart in the namespace of your choice

helm install opensearchdash opensearch-dashboard/ -n namespace

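This will deploy the Opensearch dashboard, which can be used to create dashboards from Opensearch data.

Filebeat deployment

In order to get data from opensearch to logstash we use filebeat, which scrapes data from Opensearch and feeds it to Logstash. Filebeat does not use a persistent volume claim, so we can go ahead with the deployment. Filebeat will automatically pick up logs from the existing Opensearch in the namespace

*Filebeat configuration and other files can be found in filebeat. Navigate to the directory containing filebeat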

helm install filebeat filebeat -n namespace

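This deploys the filebeat pods, along with other resources, in the namespace.

The number of Filebeat pods should be the same as the number of your kubernetes nodes (excluding the namespace)

You can verify the deployment by checking the logs of the pod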

kubectl logs -f filebeat-filebeat-4tkk6 -n namespace

Querying the logs should give you output as shown below

{"log.level":"info","@timestamp":"2023-03-22T07:55:12.614Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":186},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"stats":{"periods":104,"throttled":{"ns":506844664,"periods":5}}},"cpuacct":{"total":{"ns":1293495129}},"memory":{"mem":{"usage":{"bytes":150925312}}}},"cpu":{"system":{"ticks":3000,"time":{"ms":60}},"total":{"ticks":30650,"time":{"ms":630},"value":30650},"user":{"ticks":27650,"time":{"ms":570}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":18},"info":{"ephemeral_id":"c4c9fe7b-a469-4a98-a59a-9031a681c0a7","uptime":{"ms":1350147},"version":"8.5.1"},"memstats":{"gc_next":41205704,"memory_alloc":24577840,"memory_total":3591430176,"rss":123326464},"runtime":{"goroutines":90}},"filebeat":{"events":{"active":293,"added":415,"done":122},"harvester":{"open_files":6,"running":6}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":420,"active":0,"batches":22,"total":420},"read":{"bytes":132},"write":{"bytes":88426}},"pipeline":{"clients":1,"events":{"active":0,"published":415,"total":415},"queue":{"acked":420}}},"registrar":{"states":{"current":454,"update":420},"writes":{"success":18,"total":18}},"system":{"load":{"1":0.06,"15":0.46,"5":0.22,"norm":{"1":0.0038,"15":0.0288,"5":0.0138}}}},"ecs.version":"1.6.0"}}

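Logstash deployment

Logstash configuration and other helm chart files can be found in logstash/

Navigate to logstash

Edit values.yaml and update the opensearch configuration and the index configuration as in the following example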

vim values.yaml

Add the sample configuration below

# Allows you to add any pipeline files in /usr/share/logstash/pipeline/
### ***warn*** there is a hardcoded logstash.conf in the image, override it first
logstashPipeline:
  logstash.conf: |
    input {
      beats {
        port => 5044
      }
    }
    output {
      opensearch {
        hosts => "https://opensearch-cluster-master.logging"
        user => "admin"
        password => "admin"
        index => "myindex"
        ssl_certificate_verification => false
      }
    }

This will create an index that we will be able to query in the Opensearch dashboard UI

Navigate to the logstash directory and install the helm chart. Run the helm command to deploy the Logstash tool

helm install logstash logstash/ -n namespace

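Verify that the stack is working by logging in to your Opensearch dashboard

  • Navigate to Dev Tools from the side menu

  • Run the following query if you are able to find the index you created

    GET myindex/_search?pretty

If everything is working, you should get JSON output for your index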
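
A variant of the Logstash values from the answer above that keeps certificate verification on and takes the OpenSearch credentials from a Kubernetes Secret instead of `admin`/`admin`; this is an added example, not part of the original post or of the chart's documentation. The Secret names `opensearch-logstash-creds` (keys `OS_USER`, `OS_PASSWORD`) and `opensearch-ca` (key `root-ca.pem`) are assumptions, as is the use of the `envFrom` and `secretMounts` keys of the Elastic Logstash chart linked above.

```yaml
# Added example: values.yaml fragment for the Logstash chart.
# Assumed objects, created beforehand in the same namespace:
#   Secret opensearch-logstash-creds  -> keys OS_USER, OS_PASSWORD
#   Secret opensearch-ca              -> key root-ca.pem (CA of the OpenSearch HTTP cert)

# Weak settings in the answer's pipeline, for comparison:
#   user => "admin"
#   password => "admin"
#   ssl_certificate_verification => false

# Expose the credential Secret's keys as environment variables in the pod.
envFrom:
  - secretRef:
      name: opensearch-logstash-creds

# Mount the CA certificate so the output plugin can verify the server.
secretMounts:
  - name: opensearch-ca
    secretName: opensearch-ca
    path: /usr/share/logstash/config/certs

logstashPipeline:
  logstash.conf: |
    input {
      beats {
        port => 5044
      }
    }
    output {
      opensearch {
        hosts => "https://opensearch-cluster-master.logging"
        # ${VAR} references are resolved by Logstash from the environment,
        # so no password is stored in values.yaml or in the ConfigMap.
        user => "${OS_USER}"
        password => "${OS_PASSWORD}"
        index => "myindex"
        # Verify the server certificate against the mounted CA.
        ssl_certificate_verification => true
        cacert => "/usr/share/logstash/config/certs/root-ca.pem"
      }
    }
```

With verification on, the OpenSearch HTTP certificate has to be issued by the mounted CA and carry the service DNS name used in `hosts`.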
