0

Please help me understand how to prevent td-agent from inserting unwanted metadata.

It converts records of the form JSONBLOB into TIMESTAMP LOGNAME JSONBLOB.

I only want the JSON, not the timestamp and log name.

For example -

td-agent converts a log that looks like this:

{"log":"I0123 01:58:21.668297       1 nanny.go:108] dnsmasq[14]: 130404 192.168.178.209/44096 reply bitesize-docker-registry.s3.amazonaws.com.cluster.local is NXDOMAIN\n","stream":"stderr","docker":{"container_id":"52d1f2122ea4d144fb07835e1d8b7d210e2ac05c4c0bfd7d2e09237b597bf6a3"},"kubernetes":{"container_name":"dnsmasq","namespace_name":"kube-system","pod_name":"kube-dns-5c9464f66b-whljm"},"target_index":"kube-system-1970.01.01"}

to this:

1970-01-01T00:33:40+00:00       kubernetes.var.log.containers.kube-dns-5c9464f66b-whljm_kube-system_dnsmasq-52d1f2122ea4d144fb07835e1d8b7d210e2ac05c4c0bfd7d2e09237b597bf6a3.log       {"log":"I0123 01:58:21.668297       1 nanny.go:108] dnsmasq[14]: 130404 192.168.178.209/44096 reply bitesize-docker-registry.s3.amazonaws.com.cluster.local is NXDOMAIN\n","stream":"stderr","docker":{"container_id":"52d1f2122ea4d144fb07835e1d8b7d210e2ac05c4c0bfd7d2e09237b597bf6a3"},"kubernetes":{"container_name":"dnsmasq","namespace_name":"kube-system","pod_name":"kube-dns-5c9464f66b-whljm"},"target_index":"kube-system-1970.01.01"}

My configuration looks like this:

<source>
  @type tail
  @id in_tail_container_logs
  path /var/log/containers/*.log
  exclude_path ["/var/log/containers/td-agent*.log"]
  pos_file /var/log/td-agent/td-agent-containers.log.pos
  tag kubernetes.*
  read_from_head true
  keep_time_key true
  <parse>
    @type json
    json_parser json
    time_format %Y-%m-%dT%H:%M:%S.%NZ
  </parse>
</source>

<filter kubernetes.var.log.containers.**>
  @type parser
  <parse>
    @type json
    json_parser json
  </parse>
  replace_invalid_sequence true
  emit_invalid_record_to_error false
  key_name log
  reserve_data true
</filter>

#Filter only kubernetes logs
<filter kubernetes.**>
  @type grep
  regexp kubernetes namespace_name
</filter>

<filter **>
  @type record_transformer
  enable_ruby
  <record>
    target_index system_log
  </record>
</filter>

<filter kubernetes.**>
  @type record_transformer
  enable_ruby
  <record>
    target_index ${record["kubernetes"]["namespace_name"]}-${time.strftime('%Y.%m.%d')}
  </record>
</filter>

<match fluent.**>
  @type null
</match>

# relabel
<match kubernetes.**>
 @type copy
 <store>
  @type relabel
  @label @AWSES
 </store>
 <store>
  @type relabel
  @label @CCL
 </store>
</match>

# AWS ElasticSearch logging
<label @AWSES>
   <match kubernetes.**>
   @type aws-elasticsearch-service
   @log_level info
   ssl_verify false
   reload_connections false
   time_key "time"
   ssl_version TLSv1_2
   resurrect_after 5s
   target_index_key target_index
   logstash_format true
   include_tag_key false
   type_name "access_log"
   <buffer>
     flush_mode interval
     retry_type exponential_backoff
     flush_thread_count 4
     flush_interval 5s
     retry_forever true
     retry_max_interval 30
     chunk_limit_size 32M
     queue_limit_length 32
     total_limit_size 5G
     queued_chunks_limit_size 100
     overflow_action block
     disable_chunk_backup true
   </buffer>
   <endpoint>
     url https://elasticsearch.idoug0122.us-east-2.dev:443
     region us-east-2
   </endpoint>
  </match>
</label>

# CISO Centralized logging
<label @CCL>
   <match kubernetes.**>
   @type s3
   s3_bucket loggingbucket-us-east-2-602604727914
   s3_region us-east-2
   path k8s/dev/idoug0122/
   <buffer>
     flush_mode interval
     retry_type exponential_backoff
     flush_thread_count 4
     flush_interval 5s
     retry_forever true
     retry_max_interval 30
     chunk_limit_size 32M
     queue_limit_length 32
     total_limit_size 5G
     queued_chunks_limit_size 100
     overflow_action block
     disable_chunk_backup true
   </buffer>
   </match>
</label>

Any help would be greatly appreciated!

4

1 Answer

0

Get the desired format by adding a format directive under the "filter" or "match" section:

   <match kubernetes.**>
    <format>
      @type json
    </format>
   </match>
Answered 2020-01-23T17:30:02.800
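
Objects already written before the format change still carry the TIMESTAMP LOGNAME JSONBLOB layout shown in the question. The following Python is an added example, not part of the original question or answer: it recovers the bare JSON records from such lines and reports anything it cannot parse. It assumes the three fields are tab-separated, as in Fluentd's default `out_file` formatter; the function names and the sample data are constructed for illustration.

```python
import json

# Constructed sample: one line in the time<TAB>tag<TAB>record layout
# (shortened from the question), one bare JSON line, one junk line.
SAMPLE = (
    '1970-01-01T00:33:40+00:00\t'
    'kubernetes.var.log.containers.kube-dns_kube-system_dnsmasq.log\t'
    '{"log":"dnsmasq[14]: reply is NXDOMAIN\\n","stream":"stderr",'
    '"kubernetes":{"namespace_name":"kube-system"}}\n'
    '{"log":"already json\\n","stream":"stdout"}\n'
    'not a record at all\n'
)


def extract_record(line):
    """Return the JSON object carried by one line, or None if it has none."""
    line = line.rstrip("\r\n")
    # Try the whole line first (already bare JSON), then the third
    # tab-separated field (time and tag prepended by the formatter).
    candidates = [line]
    parts = line.split("\t", 2)
    if len(parts) == 3:
        candidates.append(parts[2])
    for candidate in candidates:
        try:
            record = json.loads(candidate)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            return record
    return None


def strip_metadata(text):
    """Return (records, rejected_lines); unparseable input is kept, not dropped."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = extract_record(line)
        if record is None:
            rejected.append(line)
        else:
            records.append(record)
    return records, rejected


if __name__ == "__main__":
    records, rejected = strip_metadata(SAMPLE)
    print("\n".join(json.dumps(r, separators=(",", ":")) for r in records))
    print(len(rejected), "line(s) rejected")
```

Keeping the rejected lines separate makes it visible when a log source is emitting something other than the expected layout, instead of silently losing those events from the central store.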