Why use VictoriaLogs?
- Compared with Elasticsearch or Grafana Loki it needs tens of times less CPU, memory and storage, which saves a great deal of hardware.

- VVG (Vector + VictoriaLogs + Grafana) covers what ELK does: web-based querying, compressed log storage, syslog log reception and log alerting.
 
Overview
- VictoriaLogs accepts data from many log-shipping tools; Vector likewise supports many inputs, offers more flexible inputs and outputs, and has more powerful transforms.

- The VictoriaLogs web UI is very basic, so Grafana is used instead.

- The VictoriaLogs HTTP API has no authentication; it has to be wrapped with other software. (Default port 9428.)

- The VictoriaLogs retention period is global, so if different retention is needed the only option is to run several instances.

- Vector performs better than Logstash and offers more than the syslog input built into VictoriaLogs.
 
Installing Docker in mainland China
https://mirror.nju.edu.cn/mirrorz-help/docker-ce/?mirror=NJU
Docker Hub mirrors for mainland China

    sudo mkdir -p /etc/docker
    sudo tee /etc/docker/daemon.json <<-'EOF'
    {
      "registry-mirrors": [
        "https://dockerproxy.net",
        "https://docker.mirrors.ustc.edu.cn",
        "https://docker.nju.edu.cn"
      ]
    }
    EOF
    sudo systemctl daemon-reload
    sudo systemctl restart docker
 
What is Vector
Vector is a high-performance open-source observability data pipeline that collects, transforms and routes logs, metrics and traces.
This tutorial mainly covers using it to collect syslog logs and send them to VictoriaLogs, replacing Filebeat.
VictoriaLogs article series: https://songxwn.com/tags/VictoriaLogs/

VVG architecture
Vector receives syslog and other data, splits it into log entries and sends it to VictoriaLogs, which stores the logs durably; Grafana provides visualisation, querying, alerting and data export.
Installing and configuring Vector with the package manager
RHEL family

    bash -c "$(curl -L https://setup.vector.dev)"

    dnf install vector -y
    systemctl enable --now vector.service

Debian family

    bash -c "$(curl -L https://setup.vector.dev)"

    apt-get install vector

    systemctl enable --now vector.service
 
Example configuration file
vim /etc/vector/vector.yaml

    sources:
      syslog_udp:
        type: socket
        address: "0.0.0.0:7514"
        mode: udp
        max_length: 10240

    transforms:
      add_fields:
        type: remap
        inputs: ["syslog_udp"]
        source: |
          .type = "udp"

    sinks:
      vlogs:
        inputs:
          - add_fields   # read from the transform, not the source, otherwise .type is never sent
        type: elasticsearch
        endpoints:
          - http://localhost:9428/insert/elasticsearch/
        api_version: v8
        compression: gzip
        healthcheck:
          enabled: false
        query:
          _msg_field: message
          _time_field: timestamp
          _stream_fields: host,container_name
 
Configuration file explained
This Vector configuration receives raw log data on UDP port 7514 and sends it to the Elasticsearch-compatible insert endpoint of VictoriaLogs for storage. The structure and purpose of each section are explained below:
🟢 sources section: receiving UDP data

    sources:
      syslog_udp:
        type: socket
        address: "0.0.0.0:7514"
        mode: udp
        max_length: 10240
 
type: socket: uses Vector's generic socket source to receive a raw data stream.

address: "0.0.0.0:7514": listens on UDP port 7514 on all interfaces of this host.

mode: udp: selects the UDP protocol.

max_length: 10240: sets the maximum message length to 10 KB so that long messages are not cut off.

📌 Note: this source does not parse the syslog format; it only receives the raw text.
🟡 transforms section: adding fields

    transforms:
      add_fields:
        type: remap
        inputs: ["syslog_udp"]
        source: |
          .type = "udp"

📌 You can add more fields here, for example .source = "syslog" or .host = get_hostname().
🔴 sinks section: sending to VictoriaLogs

    sinks:
      vlogs:
        inputs:
          - add_fields   # read from the transform, not the source, otherwise .type is never sent
        type: elasticsearch
        endpoints:
          - http://localhost:9428/insert/elasticsearch/
        api_version: v8
        compression: gzip
        healthcheck:
          enabled: false
        query:
          _msg_field: message
          _time_field: timestamp
          _stream_fields: host,container_name

type: elasticsearch: uses Vector's Elasticsearch sink.

endpoints: points at the Elasticsearch-compatible HTTP insert endpoint of VictoriaLogs.

api_version: v8: speaks the Elasticsearch v8 API.

compression: gzip: enables gzip compression to make transfers more efficient.

healthcheck.enabled: false: disables the health check (VictoriaLogs does not necessarily support the standard ES health check).

query: query parameters forwarded to the insert endpoint; they tell VictoriaLogs which fields hold the message text (_msg_field), the timestamp (_time_field) and the stream labels (_stream_fields).

📌 Note: VictoriaLogs supports the Elasticsearch insert protocol, but the field mapping must be correct, otherwise the logs may not be indexed or queryable.
✅ Summary
The flow of this configuration:
Vector listens on UDP port 7514 and receives raw log data.

A marker field type: udp is added.

The logs are sent over the Elasticsearch protocol to the VictoriaLogs HTTP insert endpoint.
 
Installing and configuring VVG with Docker Compose
Example vector.yaml for the Docker deployment

    sources:
      syslog_udp:
        type: socket
        address: "0.0.0.0:7514"
        mode: udp
        max_length: 10240

    transforms:
      add_fields:
        type: remap
        inputs: ["syslog_udp"]
        source: |
          .type = "udp"

    sinks:
      vlogs:
        inputs:
          - add_fields   # read from the transform, not the source, otherwise .type is never sent
        type: elasticsearch
        endpoints:
          - http://syslog-victoria-logs:9428/insert/elasticsearch/   # compose service name
        api_version: v8
        compression: gzip
        healthcheck:
          enabled: false
        query:
          _msg_field: message
          _time_field: timestamp
          _stream_fields: host,container_name

Example VVG docker-compose file

    services:
      victoria-logs:
        image: victoriametrics/victoria-logs:latest
        container_name: syslog-victoria-logs
        # no ports: entry, so the unauthenticated 9428 API is reachable only on the compose network
        volumes:
          - ./victoria-logs-data:/victoria-logs-data
        restart: always
        command: [
          "--retentionPeriod=365d"
        ]
        environment:
          - TZ=Asia/Shanghai
        healthcheck:
          test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:9428/health"]
          interval: 1m30s
          timeout: 10s
          retries: 3

      grafana:
        image: grafana/grafana-enterprise
        container_name: syslog-grafana
        ports:
          - "3000:3000"
        environment:
          - GF_INSTALL_PLUGINS=victoriametrics-logs-datasource
          - GF_SECURITY_ADMIN_PASSWORD=Songxwn.com
          - TZ=Asia/Shanghai
        volumes:
          - ./grafana-data:/var/lib/grafana
          - ./provisioning:/etc/grafana/provisioning
        restart: always
        healthcheck:
          test: ["CMD", "curl", "-f", "http://localhost:3000/api/health"]
          interval: 1m30s
          timeout: 10s
          retries: 3

      vector:
        image: timberio/vector:latest-alpine
        container_name: syslog-vector
        ports:
          - "7514:7514/udp"
        volumes:
          - ./vector.yaml:/etc/vector/vector.yaml:ro
        command: ["--config", "/etc/vector/vector.yaml"]
        restart: always
        environment:
          - TZ=Asia/Shanghai
 
Sending a test UDP log line with nc

    echo "songxwn.com!" | nc -4u 192.168.0.1 7514
 
Single Vector instance, several one-to-one pipelines, with tenant IDs configured

    sources:
      udp_source_1:
        type: socket
        address: "0.0.0.0:7514"
        mode: udp
        max_length: 10240

      udp_source_2:
        type: socket
        address: "0.0.0.0:6514"
        mode: udp
        max_length: 10240

    transforms:
      tag_source_1:
        type: remap
        inputs: ["udp_source_1"]
        source: |
          .source = "udp7514"

      tag_source_2:
        type: remap
        inputs: ["udp_source_2"]
        source: |
          .source = "udp6514"

    sinks:
      vlogs:
        inputs:
          - tag_source_1   # take the tagged events from the transform so .source is sent
        type: elasticsearch
        endpoints:
          - http://syslog-victoria-logs:9428/insert/elasticsearch/
        api_version: v8
        compression: gzip
        healthcheck:
          enabled: false
        query:
          _msg_field: message
          _time_field: timestamp
          _stream_fields: host,container_name

      vlogs2:
        inputs:
          - tag_source_2
        type: elasticsearch
        endpoints:
          - http://syslog-victoria-logs:9428/insert/elasticsearch/
        api_version: v8
        compression: gzip
        healthcheck:
          enabled: false
        query:
          _msg_field: message
          _time_field: timestamp
          _stream_fields: host,container_name
        request:
          headers:             # VictoriaLogs tenant selection for this pipeline
            AccountID: "2"
            ProjectID: "2"
 
Single Vector instance, many-to-many example

    sources:
      udp_source_1:
        type: socket
        address: "0.0.0.0:7514"
        mode: udp
        max_length: 10240

      udp_source_2:
        type: socket
        address: "0.0.0.0:6514"
        mode: udp
        max_length: 10240

    transforms:
      tag_source_1:
        type: remap
        inputs: ["udp_source_1"]
        source: |
          .source = "udp7514"

      tag_source_2:
        type: remap
        inputs: ["udp_source_2"]
        source: |
          .source = "udp6514"

    sinks:
      vlogs:
        inputs:
          - tag_source_1   # take the tagged events from the transform so .source is sent
        type: elasticsearch
        endpoints:
          - http://syslog-victoria-logs:9428/insert/elasticsearch/
        api_version: v8
        compression: gzip
        healthcheck:
          enabled: false
        query:
          _msg_field: message
          _time_field: timestamp
          _stream_fields: host,container_name

      vlogs2:
        inputs:
          - tag_source_1   # the same source is also shipped to a second VictoriaLogs
        type: elasticsearch
        endpoints:
          - http://songxwn.com:9428/insert/elasticsearch/
        api_version: v8
        compression: gzip
        healthcheck:
          enabled: false
        query:
          _msg_field: message
          _time_field: timestamp
          _stream_fields: host,container_name
        request:
          headers:
            AccountID: "2"
            ProjectID: "2"
 
Configuring basic authentication in Vector and ignoring certificate errors

    sources:
      syslog_udp:
        type: socket
        address: "0.0.0.0:7514"
        mode: udp
        max_length: 10240

    transforms:
      add_fields:
        type: remap
        inputs: ["syslog_udp"]
        source: |
          .type = "udp"

    sinks:
      vlogs:
        inputs:
          - add_fields   # read from the transform, not the source, otherwise .type is never sent
        type: elasticsearch
        endpoints:
          - https://1.1.1.1/insert/elasticsearch/
        api_version: v8
        compression: zstd
        healthcheck:
          enabled: false
        tls:
          verify_certificate: false   # skips certificate checks, so the link is not protected against interception
        auth:
          strategy: "basic"
          user: "admin"
          password: "password1"
        query:
          _msg_field: message
          _time_field: timestamp
          _stream_fields: host,container_name
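To see what the sink described above actually puts on the wire, here is an added Python example (not from the original page or from the Vector project) that builds the same bulk insert by hand: the `_msg_field`/`_time_field`/`_stream_fields` query parameters from the `query:` block, the AccountID/ProjectID tenant headers from the `vlogs2` sink, and the basic-auth header from the `auth:` block. The sample event, the base URL and the tenant values are constructed assumptions; it is handy for checking the field mapping when events do not show up in VictoriaLogs.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Same query parameters as the page's `query:` block: they tell VictoriaLogs which
# JSON fields carry the message text, the timestamp and the stream labels.
QUERY = {"_msg_field": "message",
         "_time_field": "timestamp",
         "_stream_fields": "host,container_name"}

# Constructed sample event, shaped like a `socket` source (udp mode) event after remap.
SAMPLE_EVENT = {
    "message": "<14>Sep  1 12:00:00 fw01 kernel: constructed test line",
    "timestamp": "2025-09-01T04:00:00.000000Z",
    "host": "192.168.0.10",
    "type": "udp",
}


def build_bulk_body(events):
    """Elasticsearch bulk NDJSON: one action line, then the document, per event."""
    lines = []
    for event in events:
        lines.append(json.dumps({"index": {}}))   # Vector's default bulk action
        lines.append(json.dumps(event, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def build_request(base_url, events, account_id=None, project_id=None,
                  user=None, password=None):
    """Return (url, headers, body) for one bulk insert into VictoriaLogs."""
    url = f"{base_url.rstrip('/')}/insert/elasticsearch/_bulk?{urlencode(QUERY)}"
    headers = {"Content-Type": "application/x-ndjson"}
    if account_id is not None:            # tenant selection, as in the vlogs2 sink
        headers["AccountID"] = str(account_id)
        headers["ProjectID"] = str(project_id)
    if user is not None:                  # HTTP basic auth, as in the auth: block
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return url, headers, build_bulk_body(events)


def send(base_url, events, **tenant_and_auth):
    """POST the bulk body and return the HTTP status (200 on success)."""
    url, headers, body = build_request(base_url, events, **tenant_and_auth)
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, timeout=5) as resp:
        return resp.status
```

Call `send("http://localhost:9428", [SAMPLE_EVENT], account_id=2, project_id=2)` against a running instance, then query the logs in Grafana to confirm the event landed in the expected tenant and stream.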
 
Ops technical discussion group
Send an e-mail to ➡️ [email protected]
or follow the WeChat official account: 网工格物

Blog (updated first)
https://songxwn.com/