Last active
July 17, 2023 11:56
-
-
Save book000/9471df754b741c712eb9be8f6af5c18f to your computer and use it in GitHub Desktop.
Dockerfile / Docker Compose file for logspout & logstash, config files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
services: | |
logspout: | |
image: gliderlabs/logspout:v3.2.14 | |
command: syslog://logstash:5000 | |
environment: | |
- RETRY_COUNT=100 | |
depends_on: | |
logstash: | |
condition: service_healthy | |
volumes: | |
- /var/run/docker.sock:/tmp/docker.sock | |
restart: always | |
logstash: | |
build: | |
context: . | |
dockerfile: logstash.Dockerfile | |
environment: | |
- LOGSTASH_HOSTNAME=<HOSTNAME> | |
- LOGSPOUT=ignore | |
- XPACK_WATCHER_ENABLED=false | |
- XPACK_MONITORING_ENABLED=false | |
volumes: | |
- ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf | |
healthcheck: | |
test: ["CMD", "nc", "-z", "0.0.0.0", "5000"] | |
interval: 5s | |
timeout: 5s | |
retries: 50 | |
restart: always |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
input { | |
syslog { | |
port => 5000 | |
type => "docker" | |
} | |
} | |
filter { | |
grok { | |
match => { "message" => "%{SYSLOG5424PRI}%{NONNEGINT:ver} +(?:%{TIMESTAMP_ISO8601:ts}|-) +(?:%{HOSTNAME:service}|-) +(?:%{NOTSPACE:containerName}|-) +(?:%{NOTSPACE:proc}|-) +(?:%{WORD:msgid}|-) +(?:%{SYSLOG5424SD:sd}|-|) +%{GREEDYDATA:msg}" } | |
} | |
syslog_pri { } | |
date { | |
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] | |
} | |
mutate { | |
remove_field => [ "message", "priority", "ts", "severity", "facility", "facility_label", "severity_label", "syslog5424_pri", "proc", "syslog_severity_code", "syslog_facility_code", "syslog_facility", "syslog_hostname", "syslog_message", "syslog_timestamp", "ver" ] | |
} | |
mutate { | |
remove_tag => [ "_grokparsefailure_sysloginput" ] | |
} | |
if [msg] =~ "^ *{" { | |
json { | |
source => "msg" | |
} | |
if "_jsonparsefailure" in [tags] { | |
drop {} | |
} | |
mutate { | |
remove_field => [ "msg" ] | |
} | |
} | |
else if ("" in [msg]) { | |
mutate { | |
rename => { "msg" => "message" } | |
} | |
} | |
mutate { | |
remove_field => [ "tags" ] | |
} | |
mutate { | |
add_field => { "hostname" => "${LOGSTASH_HOSTNAME}" } | |
} | |
} | |
output { | |
elasticsearch { hosts => "<IP-ADDRESS>:9200" } | |
stdout { codec => line } | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
FROM docker.elastic.co/logstash/logstash:8.7.1 | |
USER root | |
RUN apt-get update && \ | |
apt-get install netcat -y --no-install-recommends && \ | |
apt-get clean && \ | |
rm -rf /var/lib/apt/lists/* | |
USER logstash |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment