主页 / computer / 问题 / 1782364
Accepted
r2evans
Asked: 2023-05-04 21:43:10 +0800 CST

强制 filebeat 记录到文件

  • 772

使用 filebeat-8.7.1,我将其配置为将多个源推送到远程 elastisearch。我无法让它将自己的日志记录到本地文件中/var/log/filebeat/filebeat.log,并且我无法阻止它将其日志转储到/var/log/syslog(这也将用于 elastisearch)。

相关配置来自/etc/filebeat/filebeat.yml

filebeat.inputs:
- type: filestream
  id: rsc-server
  enabled: true
  paths:
    - /var/log/rstudio/rstudio-connect/rstudio*.log
  fields:
    log_type: rsc_server
- type: filestream
  enabled: true
  ignore_older: 5m
  id: rsc-jobs
  paths:
    - /srv/R/RSC/jobs/[0-9]*/*/*
  fields:
    log_type: rsc
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "http://my.elasti.host:30002"
output.elasticsearch:
  hosts: ["http://my.elasti.host:30003"]
  allow_older_versions: true
  username: "myuser"
  password: "mypass"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
logging:
  - level: warning
  - to_syslog: false
  - to_stderr: false
  - json: true
  - files:
    - path: /var/log/filebeat
    - name: filebeat
    - keepfile: 3
    - permissions: 0644

/etc/filebeat/modules.d/目录中,生成的启用配置是:

# Module: nginx
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-nginx.html
- module: nginx
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Error logs
  error:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
  ingress_controller:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
# Module: redis
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-redis.html
- module: redis
  # Main logs
  log:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths: ["/var/log/redis/redis-server.log*"]
  # Slow logs, retrieved via the Redis API (SLOWLOG)
  slowlog:
    enabled: false
    # The Redis hosts to connect to.
    #var.hosts: ["localhost:6379"]
    # Optional, the password to use when connecting to Redis.
    #var.password:
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-system.html
- module: system
  # Syslog
  syslog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
  # Authorization logs
  auth:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

相信系统模块的使用syslog从中提取 /var/log/syslog,而不是推送到中。(当我禁用该模块时,行为不会改变。)

如何修复将logging.*日志发送到的部分/var/log/filebeat/,以及如何防止它发送到 syslog 和/var/log/syslog

(这是在 ubuntu-22.04 虚拟机上。)

编辑/lib/systemd/system/filebeat.service有一个空BEAT_LOG_OPTS参数(这是默认文件,不是我编辑的):

[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/beats/filebeat
Wants=network-online.target
After=network-online.target
[Service]
UMask=0027
Environment="GODEBUG='madvdontneed=1'"
Environment="BEAT_LOG_OPTS="
Environment="BEAT_CONFIG_OPTS=-c /etc/filebeat/filebeat.yml"
Environment="BEAT_PATH_OPTS=--path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat"
ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS
Restart=always
[Install]
WantedBy=multi-user.target

重新加载(并且性能没有变化):

# systemctl daemon-reload
# systemctl restart filebeat.service
# systemctl status filebeat.service

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-05-04 14:49:12 UTC; 20s ago
       Docs: https://www.elastic.co/beats/filebeat
   Main PID: 2080223 (filebeat)
      Tasks: 25 (limit: 76964)
     Memory: 114.4M
        CPU: 5.315s
     CGroup: /system.slice/filebeat.service
             └─2080223 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

该进程以 root 身份运行,/var/log/filebeat目录由具有正常权限的 root 拥有:

# ps faxu | grep [/]filebeat
root     2080223  9.4  0.1 2635592 169112 ?      Ssl  14:49   0:36 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

# ll -d /var/log/filebeat
drwxr-xr-x 2 root root 4096 May  4 12:54 /var/log/filebeat/
# ll  /var/log/filebeat
total 8
drwxr-xr-x  2 root root   4096 May  4 12:54 ./
drwxr-xr-x 18 root syslog 4096 May  4 12:54 ../

我看到--environment systemd每个filebeat 命令行选项意味着

如果指定了 systemd 或 container,Filebeat 将默认记录到 stdout 和 stderr。

/var/log/syslog这表明日志记录将由于systemd处理进程中的 stdout/stderr 的方式而发生。这似乎是一个进步,但我们仍然没有日志记录到/var/log/filebeat/,这最终是 stdout/stderr 应该去的地方(这将解决日志记录到的问题/var/log/syslog)。

systemd

2 个回答

  1. Best Answer

    请参阅帖子 Filebeat 拒绝登录到文件

    从发行说明中引用的解释 是:

    在带有 systemd 的系统上,Beats 日志现在默认写入 journald 而不是文件。要恢复此行为,请使用空值覆盖 BEAT_LOG_OPTS

    解决方案本身可能会适应您的环境:

    要覆盖这些变量,请在 /etc/systemd/system/filebeat.service.d 目录中创建一个插入式单元文件。

    要使用 Filebeat 文件中的 [日志记录] 设置,请清空环境变量。例如:

    [Service]
Environment="BEAT_LOG_OPTS="

    要应用您的更改,请重新加载 systemd 配置并重新启动服务:

    systemctl daemon-reload
systemctl restart filebeat

    建议您使用配置管理工具来包含插入式单元文件。如果您需要手动添加插件,请使用 systemctl edit filebeat.service 。

    filebeat的命令行参考,了解unit file的作用和作用: https://www.elastic.co/guide/en/beats/filebeat/7.0/command-line-options.html#global-旗帜 4

    要查看安装附带的默认 filebeat 单元文件,请执行以下操作:

    systemctl status filebeat

    并检查单元文件的内容。(单元文件的路径在上述命令的输出中。)

    • 0

  2. harrymc 帮助确定了罪魁祸首,这里有一些最后的步骤和一个替代的解决方法。

    filebeat 日志记录的问题与服务/var/log/syslog有关,而不是 filebeat 本身:在 filebeat 命令行上systemd使用(这是 ubuntu 上的默认设置,可能是问题的一部分)导致 filebeat 强制日志记录到 stdout。这与建议仅在未另外定义日志记录时才会发生此绕过的文档相反:--environment systemd

     -environment
    For logging purposes, specifies the environment that Filebeat is
    running in. This setting is used to select a default log output
    when no log output is configured. Supported values are: systemd,
    container, macos_service, and windows_service. If systemd or
    container is specified, Filebeat will log to stdout and stderr
    by default.

    选项 1:删除--environment systemd

    运行systemctl edit filebeat.service,并从中删除命令行参数ExecStart(在首先清除该变量之后)。编辑后的文本应包含

    ### /lib/systemd/system/filebeat.service
[Service]
ExecStart=
ExecStart=/usr/share/filebeat/bin/filebeat $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS

    第一个 ExecStart=是故意的:没有它,systemd 会抱怨Service has more than one ExecStart= setting.

    通过这样做,我们现在看到/var/log/filebeat/filebeat-20230504.ndjson

    非常感谢@user1686 帮助我找到了多个ExecStart=设置的分辨率。

    选项 2:通过 systemd 重定向标准输出/标准错误

    另一种选择是将 filebeat 转储到其 stdout/stderr 并使用其内部机制重定向到文件。/lib/systemd/system/filebeat.service(如果您对选项 1进行了更改,则撤消此选项的更改。)

    打电话systemctl edit filebeat.service并包括这个,

    [Service]
StandardOutput=file:/var/log/filebeat/filebeat_stdout.log
StandardError=file:/var/log/filebeat/filebeat_stderr.log

    (存储在 中/etc/systemd/system/filebeat.service.d/override.conf)。然后重新启动服务,我们现在看到了/var/log/filebeat/filebeat_stdout.log(和_stderr)。

    • 0

相关问题