1: Introduction to OpenSearch + Fluent Bit
OpenSearch
OpenSearch is an open-source search and analytics engine led by Amazon. It started as a fork of Elasticsearch and supports full-text search, log analysis, metrics monitoring and more.
- Similar to Elasticsearch (API-compatible)
- Ships with OpenSearch Dashboards (the equivalent of Kibana)
- Distributed architecture, high availability, strong scalability
- Suited to log analysis, security monitoring, APM and similar scenarios
Fluent Bit
Fluent Bit is a lightweight log collector and forwarder designed for edge and high-performance scenarios.
- Small resource footprint (lighter than Fluentd)
- Many input plugins (tail, systemd, tcp, ...) and output plugins (Elasticsearch, OpenSearch, Kafka, Loki, ...)
- Supports filtering, tagging and buffering
Combined use case
Fluent Bit collects logs from sources such as containers, hosts and applications and ships them directly to OpenSearch for storage and analysis, replacing Logstash in the ELK stack.

2: Installing and configuring OpenSearch
2.1: Installation and configuration
Official docs: Getting started - OpenSearch Documentation
Both opensearch and opensearch-dashboards need to be installed. Docker and docker-compose are fine for testing only; for production use the host (package) install, whose configuration is more complete.
After the apt install on the host, the configuration files need to be edited.
OpenSearch configuration file: /etc/opensearch/opensearch.yml
```yaml
# Listen on all interfaces; on a host reachable from untrusted networks, restrict access with a firewall or bind to a specific address
network.host: 0.0.0.0
# With only one OpenSearch node, single-node discovery must be enabled or startup fails
discovery.type: single-node
```
OpenSearch Dashboards configuration file: /etc/opensearch-dashboards/opensearch_dashboards.yml
```yaml
# Listens only on localhost by default
server.host: "0.0.0.0"
```
2.2: ISM lifecycle policy configuration
Index State Management (ISM) is the counterpart of ILM in ELK, under a different name. With OpenSearch + Fluent Bit, ISM automates the lifecycle of log indices (rollover, migration, deletion and so on).
Create the policy in Dev Tools.
Create the policy (once):
The policy has two actions: rollover and delete.
rollover: conditions are index size at least 100M, at least 100000 documents, index age at least 1 day (use smaller values when testing so the behaviour can be observed). Rollover happens as soon as any one condition is met (e.g. dev-gateway-logs-000001 -> dev-gateway-logs-000002).
delete: after rollover, delete indices older than 7 days.
ism_template: can match all indices, several entries can be added, and regular expressions are supported.
```
PUT _plugins/_ism/policies/delete-7-days
{
  "policy": {
    "policy_id": "delete-7-days",
    "description": "Rollover then delete after 7 day",
    "default_state": "rollover_wait",
    "states": [
      {
        "name": "rollover_wait",
        "actions": [
          {
            "retry": {
              "count": 3,
              "backoff": "exponential",
              "delay": "1m"
            },
            "rollover": {
              "min_size": "100mb",
              "min_doc_count": 1000000,
              "min_index_age": "1d",
              "copy_alias": false
            }
          }
        ],
        "transitions": [
          {
            "state_name": "delete_after_7d",
            "conditions": {
              "min_index_age": "7d"
            }
          }
        ]
      },
      {
        "name": "delete_after_7d",
        "actions": [
          {
            "retry": {
              "count": 3,
              "backoff": "exponential",
              "delay": "1m"
            },
            "delete": {}
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": ["dev-*-logs*"],
        "priority": 1
      }
    ]
  }
}
```
Create the index template (one template per index series):
Several index series must not share one template, otherwise rollover does not work or returns an error.
```
PUT /_index_template/dev-ls-node-prematch-logs
{
  "index_patterns": ["dev-ls-node-prematch-logs*"],
  "template": {
    "settings": {
      "number_of_replicas": 0,
      "number_of_shards": 1,
      "plugins.index_state_management.rollover_alias": "dev-ls-node-prematch-logs"
    }
  }
}
```
Create the initial index:
Indices managed by ISM need an initial (bootstrap) index with the write alias.
```
PUT dev-ls-node-prematch-logs-000001
{
  "aliases": {
    "dev-ls-node-prematch-logs": {
      "is_write_index": true
    }
  }
}
```
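As an added example (not part of the original post), the following Python builds the same index-template and bootstrap-index bodies for any base name, and checks a `GET /_alias` response for the condition rollover depends on: every rollover alias must have exactly one write index, named `<alias>-NNNNNN` so ISM can increment the counter. The alias response below is constructed, not captured from a cluster, and no HTTP client is used, so it runs offline; the alias name `dev-shared-logs` is an assumed example of two series wrongly sharing one alias.

```python
"""Added example: ISM bootstrap bodies plus a write-index consistency check."""
import json
import re
from typing import Dict, List

# Rollover needs the write index to end in "-<digits>" (e.g. -000001)
ROLLOVER_SUFFIX = re.compile(r"^(?P<base>.+)-(?P<n>\d+)$")


def index_template(base: str) -> dict:
    """Body for PUT /_index_template/<base>, same settings as the page's template."""
    return {
        "index_patterns": [f"{base}*"],
        "template": {
            "settings": {
                "number_of_replicas": 0,
                "number_of_shards": 1,
                "plugins.index_state_management.rollover_alias": base,
            }
        },
    }


def bootstrap_index(base: str) -> dict:
    """Body for PUT /<base>-000001: the alias points at exactly one write index."""
    return {"aliases": {base: {"is_write_index": True}}}


def check_write_indices(alias_response: dict) -> Dict[str, List[str]]:
    """Validate a GET /_alias response (index -> {"aliases": {alias: opts}}).

    Returns {alias: [problems]} for every alias that would break ISM rollover:
    not exactly one write index, or a write index not named <alias>-NNNNNN.
    """
    writers: Dict[str, List[str]] = {}
    for index, meta in alias_response.items():
        for alias, opts in meta.get("aliases", {}).items():
            writers.setdefault(alias, [])
            if opts.get("is_write_index"):
                writers[alias].append(index)

    problems: Dict[str, List[str]] = {}
    for alias, write_indices in writers.items():
        issues: List[str] = []
        if len(write_indices) != 1:
            issues.append(f"expected 1 write index, found {len(write_indices)}: {write_indices}")
        for name in write_indices:
            m = ROLLOVER_SUFFIX.match(name)
            if not m or m.group("base") != alias:
                issues.append(f"{name} is not named <{alias}>-NNNNNN")
        if issues:
            problems[alias] = issues
    return problems


# Constructed sample, shaped like a GET /_alias response; the first series is
# healthy (one write index after a rollover), the second has two index series
# sharing one alias, the situation the page warns about.
SAMPLE_ALIASES = {
    "dev-gateway-logs-000001": {"aliases": {"dev-gateway-logs": {"is_write_index": False}}},
    "dev-gateway-logs-000002": {"aliases": {"dev-gateway-logs": {"is_write_index": True}}},
    "dev-ls-node-prematch-logs-000001": {"aliases": {"dev-shared-logs": {"is_write_index": True}}},
    "dev-ls-node-postmatch-logs-000001": {"aliases": {"dev-shared-logs": {"is_write_index": True}}},
}

if __name__ == "__main__":
    print(json.dumps(index_template("dev-gateway-logs"), indent=2))
    print(json.dumps(bootstrap_index("dev-gateway-logs"), indent=2))
    for alias, issues in check_write_indices(SAMPLE_ALIASES).items():
        print(f"{alias}: " + "; ".join(issues))
```

Running the check after the bootstrap step, and again after each rollover, catches the shared-alias mistake before ISM reports a failed rollover action on the index.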
2.3: Creating templates and indices with a script
With many log and index types, many templates and initial indices have to be created, so a shell script can create them through the API.
Create the shell script:
```shell
vim opensearch_create_index.sh
```
```shell
#!/bin/bash
#set -x
read -p "请输入索引基础名称(如 dev-gateway-logs): " app_log_name
echo ""
index_name="$app_log_name"
# Refuse an empty name, otherwise the template would be PUT to a bare URL
if [ -z "$index_name" ]; then
  echo "index name must not be empty" >&2
  exit 1
fi
echo "==> 创建索引模板:$index_name"
# Index template: every index named <base>* gets the rollover alias <base>
curl -k -u "admin:qwe123" \
  -X PUT "https://localhost:9200/_index_template/$index_name" \
  -H 'Content-Type: application/json' \
  -d @- <<EOF
{
  "index_patterns": ["${index_name}*"],
  "template": {
    "settings": {
      "number_of_replicas": 0,
      "number_of_shards": 1,
      "plugins.index_state_management.rollover_alias": "${index_name}"
    }
  }
}
EOF
echo -e "\n==> 创建初始索引:${index_name}-000001"
# Bootstrap index: the alias must point at exactly one write index
curl -k -u "admin:qwe123" \
  -X PUT "https://localhost:9200/${index_name}-000001" \
  -H 'Content-Type: application/json' \
  -d @- <<EOF
{
  "aliases": {
    "${index_name}": {
      "is_write_index": true
    }
  }
}
EOF
echo -e "\n 已完成索引模板和初始索引创建。"
```
Run the script to add a template and initial index:
```
root@opensearch:# bash opensearch_create_index.sh
请输入索引基础名称(如 dev-gateway-logs): dev-system-app-logs
==> 创建索引模板:dev-system-app-logs
{"acknowledged":true}
==> 创建初始索引:dev-system-app-logs-000001
{"acknowledged":true,"shards_acknowledged":true,"index":"dev-system-app-logs-000001"}
 已完成索引模板和初始索引创建。
```
The output above shows both objects were created successfully.
3: Installing and configuring Fluent Bit
Log collection modes:
1: application-side fluentbit >> relay fluentbit >> opensearch
2: application-side fluentbit >> opensearch
With many types of application logs, the relay Fluent Bit for centralised collection can be dropped, since it would need a duplicate OUTPUT entry for each type; here logs are sent directly to OpenSearch.
3.1: Installation
For install methods see the official site: Getting Started with Fluent Bit | Fluent Bit: Official Manual
Here apt is used:
```shell
apt install gnupg -y
curl https://packages.fluentbit.io/fluentbit.key | gpg --dearmor > /usr/share/keyrings/fluentbit-keyring.gpg
# Debian 12 (bookworm)
echo "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.gpg] https://packages.fluentbit.io/debian/bookworm bookworm main" | sudo tee /etc/apt/sources.list.d/fluentbit.list
apt update -y
apt install fluent-bit=4.0.3 -y
systemctl enable fluent-bit.service
systemctl restart fluent-bit.service
```
3.2: Fluent Bit configuration files
parsers_multiline.conf
This file does not exist by default, and by default every line is one record.
That splits error logs (stack traces) into separate records, so a multiline parser is added to keep them together.
```shell
vim /etc/fluent-bit/parsers_multiline.conf
```
```
[MULTILINE_PARSER]
    Name          java_multiline
    Type          regex
    Flush_Timeout 1000
    # Match the timestamp format 2025-06-11 10:47:46.477; the record continues until the next line with the same format
    Rule  "start_state"  "^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"        "cont"
    Rule  "cont"         "^(?!\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}).*"  "cont"
```
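To see what those two rules do to a Java stack trace, here is an added Python replay of the same state machine (example code, not Fluent Bit's own implementation): a line matching the `start_state` rule opens a record and moves to `cont`; in `cont`, any line not starting with a timestamp is appended; a line `cont` cannot consume closes the record and is retried from `start_state`. The log lines are constructed. `Flush_Timeout` (time-based flushing of a pending record) is not modelled.

```python
"""Added example: replay the java_multiline rules over sample log lines."""
import re
from typing import List, Optional, Tuple

# Same timestamp pattern as parsers_multiline.conf: 2025-06-11 10:47:46.477
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"

# (from_state, regex, to_state), copied from the two Rule lines
RULES: List[Tuple[str, str, str]] = [
    ("start_state", rf"^{TS}", "cont"),
    ("cont", rf"^(?!{TS}).*", "cont"),
]


def group_multiline(lines: List[str], rules: List[Tuple[str, str, str]] = RULES) -> List[str]:
    """Join lines into records the way the MULTILINE_PARSER rules describe."""
    compiled = [(frm, re.compile(rx), nxt) for frm, rx, nxt in rules]

    def step(state: str, line: str) -> Optional[str]:
        # First rule whose from_state is the current state and whose regex matches
        for frm, rx, nxt in compiled:
            if frm == state and rx.match(line):
                return nxt
        return None

    records: List[str] = []
    current: List[str] = []
    state = "start_state"
    for line in lines:
        nxt = step(state, line)
        if nxt is None:
            # The current state cannot consume this line (e.g. a new timestamp
            # while in "cont"): emit the buffered record, retry from start_state.
            if current:
                records.append("\n".join(current))
                current = []
            state = "start_state"
            nxt = step(state, line)
            if nxt is None:
                # Nothing opens a record with this line; it passes through alone.
                records.append(line)
                continue
        current.append(line)
        state = nxt
    if current:
        records.append("\n".join(current))
    return records


# Constructed sample: two single-line records around one exception with a stack trace
LOG_LINES = [
    "2025-06-11 10:47:46.477 INFO  [gateway] request /api/login completed in 12ms",
    "2025-06-11 10:47:47.001 ERROR [gateway] upstream call failed",
    "java.net.ConnectException: Connection refused",
    "\tat java.base/sun.nio.ch.Net.connect0(Native Method)",
    "\tat com.example.gateway.Client.call(Client.java:42)",
    "2025-06-11 10:47:48.120 INFO  [gateway] request /api/health completed in 1ms",
]

if __name__ == "__main__":
    for i, rec in enumerate(group_multiline(LOG_LINES), 1):
        print(f"--- record {i} ({rec.count(chr(10)) + 1} line(s)) ---")
        print(rec)
```

The six sample lines become three records, with the exception and its two `at` frames kept inside the ERROR record; that is the grouping OpenSearch will then index as one document.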
Edit the default configuration file.
Example: collect the log /app/logs/stdout/gateway.log.
For several logs, add another INPUT and OUTPUT pair for each.
```shell
vim /etc/fluent-bit/fluent-bit.conf
```
```
[SERVICE]
    flush            1
    daemon           Off
    log_level        info
    parsers_file     parsers.conf
    # Added once parsers_multiline.conf exists
    Parsers_File     parsers_multiline.conf
    plugins_file     plugins.conf
    http_server      Off
    http_listen      0.0.0.0
    http_port        2020
    storage.metrics  on

[INPUT]
    Name              tail
    Path              /app/logs/stdout/gateway.log
    # Name defined in parsers_multiline.conf
    multiline.parser  java_multiline
    # Custom tag, matched by the OUTPUT section
    Tag               gateway
    # Persist the read position so no logs are lost after a restart
    DB                /etc/fluent-bit/logs.db
    Read_from_Head    true

[OUTPUT]
    Name                es
    Match               gateway
    # OpenSearch address
    Host                192.168.10.100
    Port                9200
    TLS                 On
    # Off skips certificate verification (fine for a self-signed test cert); with a known CA, set it On and point tls.ca_file at the CA
    TLS.Verify          Off
    HTTP_User           admin
    HTTP_Passwd         qwe123
    # Index name
    Index               dev-gateway-logs
    Suppress_Type_Name  On

# stdout output: enable it to watch records in real time while debugging
#[OUTPUT]
#    Name   stdout
#    Match  *
```
Finally restart the service with systemctl restart fluent-bit.service.
Debug output: if the stdout output (Name stdout) is enabled, the following command runs Fluent Bit in the foreground so the record flow and any errors can be checked on standard output.
```shell
/opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.conf
```
Finally, log in to OpenSearch and check that the index is receiving documents.
