日志收集方案

zwxu_2025-12-16 8:20

1.应用场景

常用于日志采集和数据回流场景

1.1 日志类型

非容器化日志即python组件/go组件/java组件业务日志,可自由进行日志轮转,支持按时间、大小、历史、总容量等

容器化日志(适用于stdout/stderr)单行最大长度是16k,即超过最大长度,日志会自动换行,仅仅按大小/文件数,按时间需结合logrotate

|-----------------------------------------------------------------------------------|
| { "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3" } } |

​​​​​​​1.2 日志轮转logrotate

apk add --no-cache logrotate并配合启动crond服务实现

|---------------------------------------------------------------------------------------------------------------------------|
| /usr/local/kong/logs/*.log { size 1k missingok rotate 7 copytruncate notifempty dateext dateyesterday create root root } |

​​​​​​​1.3 Filebeat-Logstash-Rabbitmq

Filebeat

|--------------------------------------------------------------------------------------------------------------------------------------|
| Input type=log scan_frequency 扫描新文件间隔 10s //不是仅实时可以降低 close_inactive 文件句柄关闭时间 5m Output type=logstash bulk_max_size 默认 2048 建议改成1024 |

Logstash

|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Input type=beat scan_frequency 扫描新文件间隔 10s //不是仅实时可以降低 close_inactive 文件句柄关闭时间 5m filter { grok { match => { "message" => '\[dataflow-logger\]\s+response_data:(?<json_str>\{.*\}) while logging request' } remove_field => ["message"] } if "_grokparsefailure" in [tags] { drop {} } drop { percentage => 90 } mutate { remove_field => ["@version","tags","@timestamp","log","input","host","agent","ecs"] } } output { rabbitmq { id => "my-plugin" exchange => "logstash-topic-exchange" exchange_type => "topic" key => "logstash-topic-routing-key" #默认端口必须是5672 host => "ip" user => "guest" password => "guest" vhost => "/" durable => true persistent => true codec => json } } |

​​​​​​​1.4 FluentBit-Kafka

fluent-bit.conf

|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [INPUT] Name tail Path /var/lib/docker/containers/*/*.log Parser docker Tag docker.* Docker_Mode On Docker_Mode_Flush 5 Mem_Buf_Limit 50MB Skip_Long_Lines Off DB /fluent-bit/tail.db DB.Sync Normal [FILTER] https://docs.fluentbit.io/manual/4.0/data-pipeline/filters/grep Name grep Match docker.* Regex log dataflow-logger [FILTER] https://docs.fluentbit.io/manual/4.0/data-pipeline/filters/parser Name parser Match docker.* Key_Name log Parser extract_logger Reserve_Data false Preserve_Key false [FILTER] Name throttle Match docker.* Rate 6000 #允许每分钟最多 6000 条 Window 60 #单位秒 Interval 1s [OUTPUT] Name kafka Match docker.* Brokers 172.29.232.69:9092 Topics dataflow-logs |

parsers.conf

|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [PARSER] Name docker Format json Time_Key time Time_Format %Y-%m-%dT%H:%M:%S.%L%z Time_Keep On [PARSER] Name extract_logger Format regex Regex \[dataflow-logger\]\s+response_data:(?<json_str>\{.*\})\s*$ |

1.5 对比总结

Filebeat-Logstash-Rabbitmq原生支持复杂采样/限流/过滤等处理,但性能欠缺,FluentBit-Kafka从日志采集到消息推送性能较高,且原生高度支持docker容器日志,缺点是业务处理复杂度不够

相关推荐
唐青枫7 小时前
告别频繁 GC:C#.NET PooledList 的设计与使用场景
c#·.net
音视频牛哥7 小时前
C#实战:如何开发设计毫秒级延迟、工业级稳定的Windows平台RTSP/RTMP播放器
人工智能·机器学习·机器人·c#·音视频·rtsp播放器·rtmp播放器
꧁执笔小白꧂16 小时前
C#+VisionMaster 学习笔记(目录)-目录
c#·visionmaster
sali-tec16 小时前
C# 基于halcon的视觉工作流-章68 深度学习-对象检测
开发语言·算法·计算机视觉·重构·c#
咖啡の猫1 天前
Python字典的查询操作
数据库·python·c#
czhc11400756631 天前
c# 1213
开发语言·数据库·c#
xiaoid1 天前
C#向jave平台的API接口推送
c#·post·webapi
小猪快跑爱摄影1 天前
【AutoCad 2025】【C#】零基础教程(三)——获取选中的 Entity 插件 =》 初识 Entity 派生类
c#·autocad
czhc11400756631 天前
c#w 1214
开发语言·c#
热门推荐
01GitHub 镜像站点02UV安装并设置国内源03【AutoGLM部署】本地私有化部署AI手机Agent04Linux下V2Ray安装配置指南05Open-AutoGLM Windows 安装部署教程06Cursor 又偷偷更新,这个功能太实用:Visual Editor for Cursor Browser07【超详细教程】手把手教你从微软官网免费下载Windows 10官方原版ISO镜像(2025最新版)08在VSCode配置Java开发环境的保姆级教程(适配各类AI编程IDE)09BongoCat - 跨平台键盘猫动画工具10Windows 11 官方系统安装与重装完整教程(2025年最新版)