0
在過去的三天中,我一直試圖從我在Docker中的容器中收集所有日誌,並將它們發送到Logstash。我一直在使用ELK堆棧(Elasticsearch,Logstash和Kibana),我使用Logspout作爲此日誌的路由器。如何將apache日誌從一個容器發送到另一個容器中的logstash?
ELK Stack的所有三個實例都在不同的容器中運行。我遵循this setup。
我現在Logstash配置文件看起來像這樣:
input {
tcp {
port => 5000
type => syslog
}
udp {
port => 5000
type => syslog
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOG5424PRI}%{NONNEGINT:ver} +(?:%{TIMESTAMP_ISO8601:ts}|-) +(?:%{HOSTNAME:containerid}|-) +(?:%{NOTSPACE:containername}|-) +(?:%{NOTSPACE:proc}|-) +(?:%{WORD:msgid}|-) +(?:%{SYSLOG5424SD:sd}|-|) +%{GREEDYDATA:msg}" }
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
if !("_grokparsefailure" in [tags]) {
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
replace => [ "@message", "%{syslog_message}" ]
}
}
mutate {
remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
}
}
}
output {
elasticsearch { host => "elasticsearch" }
stdout { codec => rubydebug }
}
我現在的問題是,我登錄幾乎每一個事件,除了從我的Apache2容器調用laravel2錯誤和訪問日誌必要的。它記錄容器中的一些事件,但不是所有事情。如果我通過更改index.php文件產生錯誤,它將無法在elasticsearch中正確記錄。
我需要什麼類型的配置才能獲得這個apache日誌(訪問和錯誤)?我已經看到了一些解決方案,但他們有一個文件,我不能做,因爲我在不同的容器中運行的東西。
編輯:
我的新logstash.sample.conf文件:
input {
tcp {
port => 5000
type => syslog
}
udp {
port => 5000
type => syslog
}
beats {
# The port to listen on for filebeat connections.
port => 5044
# The IP address to listen for filebeat connections.
host => "0.0.0.0"
type => apachelog
}
}
filter {
if [type] == "apachelog" {
grok {
match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}(\"%{DATA:[apache2][access][referrer]}\")?(\"%{DATA:[apache2][access][agent]}\")?",
"%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }
remove_field => "message"
}
mutate {
add_field => { "read_timestamp" => "%{@timestamp}" }
}
date {
match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
remove_field => "[apache2][access][time]"
}
useragent {
source => "[apache2][access][agent]"
target => "[apache2][access][user_agent]"
remove_field => "[apache2][access][agent]"
}
geoip {
source => "[apache2][access][remote_ip]"
target => "[apache2][access][geoip]"
}
}
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOG5424PRI}%{NONNEGINT:ver} +(?:%{TIMESTAMP_ISO8601:ts}|-) +(?:%{HOSTNAME:containerid}|-) +(?:%{NOTSPACE:containername}|-) +(?:%{NOTSPACE:proc}|-) +(?:%{WORD:msgid}|-) +(?:%{SYSLOG5424SD:sd}|-|) +%{GREEDYDATA:msg}" }
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
if !("_grokparsefailure" in [tags]) {
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
replace => [ "@message", "%{syslog_message}" ]
}
}
mutate {
remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
}
}
}
output {
elasticsearch {
host => "elasticsearch"
}
stdout { codec => rubydebug }
}
而且我filebeat.full.yml文件:
#----------------------------- Logstash output ---------------------------------
#output.logstash:
# Boolean flag to enable or disable the output module.
enabled: true
# The Logstash hosts
hosts: ["localhost:5044"]
並四捨五入這一點,我filebeat .yml文件:
filebeat.prospectors:
- input_type: log
paths:
- /var/log/apache2/access.log*
- /var/log/apache2/other_vhosts_access.log*
exclude_files: [".gz$"]
output.logstash:
hosts: ["localhost:5044"]
processors:
- add_cloud_metadata:
output.elasticsearch:
hosts: ['elasticsearch:9200']
username: elastic
password: changeme
我是否必須爲apache創建新的docker映像才能共享卷? –
不用於共享卷,但取決於你想如何做,你可能需要創建一個自定義圖像來調整Apache的配置文件 – whites11
我仍然有點在綠色Docker中,我不知道該怎麼做,但我會嘗試,謝謝。 –