Dockerfile, Docker Compose file and config files for logspout & logstash
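services:
  logspout:
    image: gliderlabs/logspout:v3.2.14
    # Ship every container's stdout/stderr as syslog to the logstash service
    # over the compose network; port 5000 matches the syslog input in logstash.conf.
    command: syslog://logstash:5000
    environment:
      - RETRY_COUNT=100
    depends_on:
      logstash:
        condition: service_healthy
    volumes:
      # The Docker socket is root-equivalent access to the host: anything that
      # can reach it can start arbitrary (including privileged) containers.
      # logspout only needs to read events and logs, so mount it read-only.
      # ":ro" only blocks filesystem writes and still allows API calls over the
      # socket, so it limits accidents rather than a compromised logspout.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: always

  logstash:
    build:
      context: .
      dockerfile: logstash.Dockerfile
    environment:
      # <HOSTNAME> is a placeholder; logstash.conf copies it into each event's
      # "hostname" field.
      - LOGSTASH_HOSTNAME=<HOSTNAME>
      # logspout skips containers carrying this variable, so logstash's own
      # stdout (the debug "stdout" output) is not shipped back into itself.
      - LOGSPOUT=ignore
      - XPACK_WATCHER_ENABLED=false
      - XPACK_MONITORING_ENABLED=false
    volumes:
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
    healthcheck:
      # "nc" is not in the stock image; logstash.Dockerfile installs netcat for this.
      test: ["CMD", "nc", "-z", "0.0.0.0", "5000"]
      interval: 5s
      timeout: 5s
      retries: 50
    restart: always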
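# Pipeline: receive syslog from logspout, parse the RFC 5424 framing, expand
# JSON payloads into fields, and index the result into Elasticsearch.
input {
  # The syslog input's own parser handles RFC 3164 only; logspout sends
  # RFC 5424, so that built-in parse fails (tagging the event with
  # _grokparsefailure_sysloginput, stripped below) and the real parsing is
  # done by the grok filter in the filter section.
  syslog {
    port => 5000
    type => "docker"
  }
}

filter {
  # RFC 5424 header: pri, version, timestamp, host, app, procid, msgid,
  # structured data, then the free-text message.
  grok {
    match => { "message" => "%{SYSLOG5424PRI}%{NONNEGINT:ver} +(?:%{TIMESTAMP_ISO8601:ts}|-) +(?:%{HOSTNAME:service}|-) +(?:%{NOTSPACE:containerName}|-) +(?:%{NOTSPACE:proc}|-) +(?:%{WORD:msgid}|-) +(?:%{SYSLOG5424SD:sd}|-|) +%{GREEDYDATA:msg}" }
  }
  syslog_pri { }

  # "syslog_timestamp" only exists when the input's RFC 3164 parse succeeded;
  # kept for that case. The date filter is a no-op when the field is absent.
  date {
    match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
  # For RFC 5424 lines the log time is the "ts" field captured by the grok
  # above. Without this step the event keeps its receive time as @timestamp
  # and "ts" is silently discarded by the remove_field below.
  date {
    match => [ "ts", "ISO8601" ]
  }

  mutate {
    remove_field => [ "message", "priority", "ts", "severity", "facility", "facility_label", "severity_label", "syslog5424_pri", "proc", "syslog_severity_code", "syslog_facility_code", "syslog_facility", "syslog_hostname", "syslog_message", "syslog_timestamp", "ver" ]
  }
  mutate {
    remove_tag => [ "_grokparsefailure_sysloginput" ]
  }

  # Application lines that look like JSON are expanded into top-level fields.
  if [msg] =~ "^ *{" {
    json {
      source => "msg"
    }
    # NOTE(review): a line that starts with "{" but is not valid JSON is
    # dropped here rather than kept as text - confirm that loss is intended.
    if "_jsonparsefailure" in [tags] {
      drop {}
    }
    mutate {
      remove_field => [ "msg" ]
    }
  }
  else if ("" in [msg]) {
    # Plain-text line: expose it under the conventional "message" field.
    mutate {
      rename => { "msg" => "message" }
    }
  }

  # Dropping "tags" also hides _grokparsefailure from the grok filter above,
  # so lines the header pattern did not match are indexed without any marker.
  mutate {
    remove_field => [ "tags" ]
  }
  mutate {
    add_field => { "hostname" => "${LOGSTASH_HOSTNAME}" }
  }
}

output {
  # Plain HTTP with no credentials: only suitable for a cluster with security
  # disabled. An Elasticsearch 8 cluster with security enabled needs this
  # output's ssl/cacert and user/password (or api_key) options.
  elasticsearch { hosts => "<IP-ADDRESS>:9200" }
  # Debug echo of every event to the container's stdout.
  stdout { codec => line }
}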
# Official Logstash image plus netcat, which the compose healthcheck
# ("nc -z 0.0.0.0 5000") runs inside the container.
FROM docker.elastic.co/logstash/logstash:8.7.1

# Package installation needs root; the pipeline itself does not.
USER root
RUN apt-get update \
  && apt-get install --no-install-recommends -y netcat \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

# Least privilege: go back to the unprivileged user the base image ships with.
USER logstash