Administrator / elk-aws-eks · Files

logstash-deployment.yaml 1.99 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: logstash
  namespace: logging
  labels:
    app: logstash
spec:
  replicas: 1
  selector:
    matchLabels:
      app: logstash
  template:
    metadata:
      labels:
        app: logstash
    spec:
      containers:
      - name: logstash
        image: docker.elastic.co/logstash/logstash:7.0.0
        env:
        - name: XPACK_MONITORING_ENABLED
          value: "false"
        - name: LS_JAVA_OPTS
          value: "-Xmx512m -Xms256m"
        ports:
        - containerPort: 5044
          name: beats
        - containerPort: 9600
          name: http
        resources:
          requests:
            memory: "512Mi"
            cpu: "1000m"
          limits:
            memory: "1Gi"
            cpu: "2000m"
        volumeMounts:
        - name: config
          mountPath: /usr/share/logstash/pipeline/
        livenessProbe:
          httpGet:
            path: /_node/stats
            port: 9600
          initialDelaySeconds: 60
          periodSeconds: 30
        readinessProbe:
          tcpSocket:
            port: 5044
          initialDelaySeconds: 30
          periodSeconds: 10
      volumes:
      - name: config
        configMap:
          name: logstash-config
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: logstash-config
  namespace: logging
data:
  logstash.conf: |
    input {
      beats {
        port => 5044
      }
    }
    
    filter {
      if [kubernetes] {
        mutate {
          add_field => {
            "cluster_name" => "my-eks-cluster"
          }
        }
      }
      
      # 解析 JSON 日志
      if [message] and [message] =~ /^{.*}$/ {
        json {
          source => "message"
          target => "json_payload"
        }
      }
      
      # 添加时间戳
      date {
        match => [ "timestamp", "ISO8601" ]
        target => "@timestamp"
      }
    }
    
    output {
      elasticsearch {
        hosts => ["elasticsearch-service:9200"]
        index => "logstash-%{+YYYY.MM.dd}"
      }
    }