VictoriaLogs集群采集Kubernetes Pod日志
# VictoriaLogs 介绍
VictoriaLogs 是 VictoriaMetrics 团队推出的开源日志解决方案,旨在替代笨重的 Elasticsearch (ELK) 和架构复杂的 Loki
组件介绍
- vlinsert 接收来自 Fluent-bit、Vector 或 Logstash 的日志数据
- vlstorage 核心存储,将日志压缩并持久化到磁盘,响应查询请求。
- vlselect 查询网关,处理Grafana或CLI的搜索请求。
- vmauth 认证网关 - 可选,提供统一入口、负载均衡和身份验证。
# Helm部署VictoriaLogs Cluster
这里使用从 Kubernetes 中运行的所有容器收集日志,并将数据发送到已安装的集群版 VictoriaLogs。
vlstorage部署了两个实例,每个实例的保留期为180天,PVC 为200Gi。
首先添加helm仓库
helm repo add vm https://victoriametrics.github.io/helm-charts/
helm repo update
1
2
2
使用环境变量的方式,helm VictoriaLogs部署节点
export RETENTION=180d
export PVC_SIZE=200Gi
export VLSTORAGE_REPLICAS=2
export NAMESPACE=tools
# Install victoria-logs-cluster chart
helm install vlc vm/victoria-logs-cluster --namespace $NAMESPACE --wait \
--set "vlstorage.retentionPeriod=$RETENTION" --set "vlstorage.persistentVolume.size=$PVC_SIZE" \
--set vmauth.enabled=true \
--set vlstorage.replicaCount=$VLSTORAGE_REPLICAS
# Install victoria-logs-collector chart
helm install collector vm/victoria-logs-collector --namespace $NAMESPACE \
--set "remoteWrite[0].url=http://vlc-victoria-logs-cluster-vmauth:8427"
#注意,安装的时候注意容器时区问题
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
离线本地下载
export RETENTION=180d
export PVC_SIZE=200Gi
export VLSTORAGE_REPLICAS=2
export NAMESPACE=tools
# 基于本地tgz包安装
helm install vlc ./victoria-logs-cluster-0.0.20.tgz \
--namespace $NAMESPACE \
--timeout 15m \
--set vlstorage.persistentVolume.storageClassName=nfs-csi \
--set "vlstorage.retentionPeriod=$RETENTION" \
--set "vlstorage.persistentVolume.size=$PVC_SIZE" \
--set vmauth.enabled=true \
--set vlstorage.replicaCount=$VLSTORAGE_REPLICAS \
--set global.image.registry=docker.1ms.run \
--set vlstorage.image.registry=docker.1ms.run \
--set vlinsert.image.registry=docker.1ms.run \
--set vlselect.image.registry=docker.1ms.run
# 或基于解压后的目录安装(适合本地修改配置后)
helm install vlc ./victoria-logs-cluster \
--namespace $NAMESPACE --wait \
--set "vlstorage.retentionPeriod=$RETENTION" \
--set "vlstorage.persistentVolume.size=$PVC_SIZE" \
--set vmauth.enabled=true \
--set vlstorage.replicaCount=$VLSTORAGE_REPLICAS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
修改服务暴露,如果没有ingress,可以和我一样修改SVC类型
#修改写的映射
root@k8s-master-01:~# kubectl edit svc -n tools vlc-victoria-logs-cluster-vlinsert
type: NodePort
#修改读的映射
root@k8s-master-01:~# kubectl edit svc -n tools vlc-victoria-logs-cluster-vlselect
type: NodePort
1
2
3
4
5
6
2
3
4
5
6
最终效果
root@k8s-master-01:~# kubectl get svc -n tools|grep vlc
vlc-victoria-logs-cluster-vlinsert NodePort 10.96.3.162 <none> 9481:31072/TCP 29d
vlc-victoria-logs-cluster-vlselect NodePort 10.96.1.97 <none> 9471:31708/TCP 29d
vlc-victoria-logs-cluster-vlstorage ClusterIP None <none> 9491/TCP 29d
vlc-victoria-logs-cluster-vmauth ClusterIP 10.96.0.80 <none> 8427/TCP
1
2
3
4
5
2
3
4
5
# Grafana 安装插件
首先在Grafana中需要安装victoriametrics-logs-datasource插件
grafana cli plugins install victoriametrics-logs-datasource
1
# fluent-bit 采集Kubernetes日志
创建ConfigMap
- tools 部署命名空间
- 采集Pod日志/var/log/containers/*.log路径
- 写入日志地址 vlc-victoria-logs-cluster-vlinsert
- 写入日志端口9481
apiVersion: v1
kind: ConfigMap
metadata:
name: fluent-bit-config
namespace: tools
labels:
app.kubernetes.io/name: fluent-bit
data:
fluent-bit.conf: |
[SERVICE]
Flush 1
Log_Level info
HTTP_Server On
HTTP_Listen 0.0.0.0
HTTP_Port 2020
Health_Check On
[INPUT]
Name tail
Tag kubernetes.*
Path /var/log/containers/*.log
Exclude_Path /var/log/containers/fluent-bit-*.log
Parser cri
DB /var/log/flb_kube.db
Mem_Buf_Limit 5MB
Skip_Long_Lines On
Refresh_Interval 10
[FILTER]
Name kubernetes
Match kubernetes.*
Kube_URL https://kubernetes.default.svc:443
Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token
Kube_Tag_Prefix kubernetes.var.log.containers.
Merge_Log On
Merge_Log_Key log_processed
K8S-Logging.Parser On
K8S-Logging.Exclude Off
[OUTPUT]
Name http
Match *
Host vlc-victoria-logs-cluster-vlinsert
Port 9481
URI /insert/jsonline?_msg_field=log&_stream_fields=kubernetes.namespace_name,kubernetes.pod_name,kubernetes.container_name,stream&_time_field=time
Format json_lines
Json_date_key time
Json_date_format iso8601
Header X-Scope-OrgID 1
tls Off
tls.verify Off
parsers.conf: |
[PARSER]
Name cri
Format regex
Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
Time_Key time
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
创建rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: fluent-bit
namespace: tools # 命名空间
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: fluent-bit-read
rules:
- apiGroups: [""]
resources:
- namespaces
- pods
- pods/logs
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: fluent-bit-read
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: fluent-bit-read
subjects:
- kind: ServiceAccount
name: fluent-bit
namespace: tools # 命名空间
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
创建DaemonSet.yaml Pod
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: fluent-bit
namespace: tools # 命名空间
labels:
app.kubernetes.io/name: fluent-bit
spec:
selector:
matchLabels:
app.kubernetes.io/name: fluent-bit
template:
metadata:
labels:
app.kubernetes.io/name: fluent-bit
spec:
containers:
- name: fluent-bit
image: harbor.frps.cn/tools/fluent-bit:3.0.1
imagePullPolicy: Always
ports:
- containerPort: 2020
env:
- name: FLB_PROCESSOR
value: "OFF"
volumeMounts:
- name: varlog
mountPath: /var/log
- name: varlibdockercontainers
mountPath: /var/lib/docker/containers
readOnly: true
- name: fluent-bit-config
mountPath: /fluent-bit/etc/
- name: etcmachineid
mountPath: /etc/machine-id
readOnly: true
resources:
limits:
memory: 100Mi
requests:
cpu: 10m
memory: 20Mi
securityContext:
runAsUser: 0
privileged: true
serviceAccountName: fluent-bit
volumes:
- name: varlog
hostPath:
path: /var/log
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
- name: fluent-bit-config
configMap:
name: fluent-bit-config
- name: etcmachineid
hostPath:
path: /etc/machine-id
type: File
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
部署完毕后,可以看到服务状态
root@k8s-master-01:~# kubectl get pod -n tools |grep fl
fluent-bit-d9ls4 1/1 Running 9 (4d21h ago) 16d
fluent-bit-dmr86 1/1 Running 3 (4d20h ago) 9d
fluent-bit-jhs7d 1/1 Running 7 (4d21h ago) 14d
fluent-bit-krkh4 1/1 Running 9 (4d21h ago) 14d
fluent-bit-t4znj 1/1 Running 6 (4d21h ago) 13d
fluent-bit-x9j5c 1/1 Running 7 (4d21h ago) 13d
1
2
3
4
5
6
7
2
3
4
5
6
7
现在我们访问页面就可以看到效果
node_ip:port
图形化访问的是vlselect
vlc-victoria-logs-cluster-vlselect NodePort 10.96.1.97 <none> 9471:31708/TCP
1
2
2
# 快速验证
你也可以直接尝试访问 vlstorage 的 API,确认存储层确实有数据:
bash
# 端口转发 vlstorage 服务
kubectl port-forward -n tools vlc-victoria-logs-cluster-vlstorage-0 9491:9491
# 在另一个终端查询日志
curl "http://localhost:9491/select/logsql/query" -d 'query=*'
1
2
3
4
5
2
3
4
5
# 检查 vlstorage 的实际数据时间范围
bash
# 进入 vlstorage 容器查看数据
kubectl exec -it vlc-victoria-logs-cluster-vlstorage-0 -n tools -- ls -la /storage/
# 查看数据目录大小
kubectl exec -it vlc-victoria-logs-cluster-vlstorage-0 -n tools -- du -sh /storage/
1
2
3
4
5
2
3
4
5
# 快速测试
创建测试 Pod 验证 vlinsert 接收:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: curl-test
namespace: tools
spec:
containers:
- name: curl
image: curlimages/curl:latest
command: ["sleep", "3600"]
restartPolicy: Never
EOF
# 等 Pod 运行后测试
kubectl exec -n tools curl-test -- curl -v -X POST "http://vlc-victoria-logs-cluster-vlinsert:9481/insert/jsonline?_msg_field=log&_stream_fields=kubernetes.namespace_name,kubernetes.pod_name,stream&_time_field=time" \
-H "Content-Type: application/json" \
-H "X-Scope-OrgID: 1" \
-d '{"log":"test message","stream":"stdout","time":"2026-05-23T12:30:00Z"}'
# 等 Pod 运行后测试
kubectl exec -n tools curl-test -- curl -v -X POST "http://vlc-victoria-logs-cluster-vlinsert:9481/insert/jsonline?_msg_field=log&_stream_fields=kubernetes.namespace_name,kubernetes.pod_name,stream&_time_field=time" \
-H "Content-Type: application/json" \
-H "X-Scope-OrgID: 1" \
-d '{"log":"test message","stream":"stdout","time":"2026-05-23T12:30:00Z"}'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# 验证 Service 访问(可选)
# 检查 service 是否正确
kubectl get svc -n tools | grep victoria
# 从 vlselect pod 测试访问 vlstorage
kubectl exec -it vlc-victoria-logs-cluster-vlselect-64499c4f8d-hdj24 -n tools -- wget -O- http://vlc-victoria-logs-cluster-vlstorage-0.vlc-victoria-logs-cluster-vlstorage.tools.svc.cluster.local.:9491/health
1
2
3
4
5
2
3
4
5
# LogsQL 语法
如果你正在学习 VictoriaLogs,我建议优先掌握 20% 最常用的 LogsQL 语法,基本就能完成 Kubernetes 生产环境 80% 的日志排查工作。
官方文档:VictoriaLogs LogsQL 官方文档 (opens new window) (docs.victoriametrics.com (opens new window))
# 1. 最简单查询
查询包含 error 的日志:
error
1
等价于:
在 _msg 字段中搜索 error
1
例如匹配:
error
an error happened
error: open file failed
1
2
3
2
3
(docs.victoriametrics.com (opens new window))
# 2. 精确匹配
查询日志级别为 error:
level:="error"
1
或者:
log.level:="error"
1
注意:
level:error
1
表示包含 error
而
level:="error"
1
表示完全等于 error
(docs.victoriametrics.com (opens new window))
# 3. Kubernetes 最常用字段查询
# 查询命名空间
kubernetes.namespace_name:="tools"
1
# 查询 Pod
kubernetes.pod_name:="nginx-7d9b6f9f"
1
# 查询容器
kubernetes.container_name:="nginx"
1
# 查询 Node
kubernetes.node_name:="k8s-node01"
1
# 查询 Deployment
kubernetes.deployment_name:="nginx"
1
# 4. 多条件查询
查询 tools 命名空间中的 nginx 日志:
kubernetes.namespace_name:="tools"
AND kubernetes.container_name:="nginx"
1
2
2
或者直接写:
kubernetes.namespace_name:="tools"
kubernetes.container_name:="nginx"
1
2
2
LogsQL 默认 AND。
(docs.victoriametrics.com (opens new window))
# 5. OR 查询
查询 error 或 warn:
error OR warn
1
查询多个 namespace:
kubernetes.namespace_name:="tools"
OR
kubernetes.namespace_name:="monitoring"
1
2
3
2
3
(docs.victoriametrics.com (opens new window))
# 6. NOT 查询
排除探针日志:
error NOT readiness
1
或者:
error AND NOT readiness
1
# 7. 模糊查询
查询包含 mysql:
mysql
1
查询包含 connection refused:
"connection refused"
1
(docs.victoriametrics.com (opens new window))
# 8. 大小写忽略
查询 ERROR、Error、error:
i(error)
1
查询:
i("connection refused")
1
(docs.victoriametrics.com (opens new window))
# 9. 正则查询
查询 HTTP 状态码:
~"5[0-9][0-9]"
1
查询 404 或 500:
~"(404|500)"
1
(docs.victoriametrics.com (opens new window))
# 10. 时间范围查询
最近 5 分钟:
_time:5m
1
最近 1 小时:
_time:1h
1
最近 1 天:
_time:1d
1
(docs.victoriametrics.com (opens new window))
# 11. Kubernetes 运维最常用排障语句
# 查 Pod Crash
kubernetes.pod_name:="nginx-xxx"
1
# 查 OOM
OOM
1
或者
"Out Of Memory"
1
# 查镜像拉取失败
"ImagePullBackOff"
1
# 查探针失败
readiness
1
或者
liveness
1
# 查数据库连接失败
"connection refused"
1
# 查 Java 异常
Exception
1
# 查 Nginx 5xx
~"5[0-9][0-9]"
1
# 12. 你刚才报错的根本原因
你截图里出现:
kubernetes.namespace_name=apply01
1
这是错误写法。
VictoriaLogs 使用:
字段名:过滤器
1
而不是:
字段名=值
1
正确写法应该是:
kubernetes.namespace_name:="apply01"
1
或者:
kubernetes.namespace_name:apply01
1
所以当你在 Group By 中点击 namespace 时,如果自动生成了:
namespace_name=apply01
1
就会出现:
cannot parse query
missing whitespace or ':'
1
2
2
这个错误。(docs.victoriametrics.com (opens new window))
对于 Kubernetes 运维/SRE 面试和实际排障,我建议你先熟练掌握下面这几个查询模板:
kubernetes.namespace_name:="xxx"
kubernetes.pod_name:="xxx"
error
warn
Exception
OOM
"connection refused"
~"5[0-9][0-9]"
_time:1h
field1 AND field2
field1 OR field2
field1 NOT field2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
基本已经覆盖生产环境日志排查的大部分场景。
上次更新: 2026/06/03, 10:21:09
|