Docker 集群日志收集:Syslog+Rsyslog+ELK

原文链接: zhuanlan.zhihu.com
Rancher线下活动,有同学问到Docker日志如何收集,这里就再补一下作业

一,方案:

  • elk(elasticsearch + logstash + kibana)
  • rsyslog
  • docker log-dirver: syslog

二,配置

elk:

# workspace

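# Create the ELK workspace and clone deviantony/docker-elk into it.
# The three commands are chained with && so the clone never runs in the
# current directory if mkdir or cd fails (the original ran them unconditionally).
mkdir -p ~/workspace/elk && cd ~/workspace/elk && git clone https://github.com/deviantony/docker-elk.git ./
# The clone is unpinned: `docker-compose up` later builds the ES/Logstash/Kibana
# images from whatever the upstream HEAD is at clone time. Check out a reviewed
# tag or commit of that repository before building.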

# config

## logstash
## logstash/config/logstash.conf

# Logstash pipeline for this setup: one TCP listener fed by rsyslog's
# json_lines template, everything written to the Elasticsearch service that
# lives on the same compose network.
input {
  tcp {
    port  => 5000        # published by docker-compose.yml as "5000:5000"
    codec => "json"      # every received line is parsed as one JSON event
    # type => "rsyslog"  # left unset, as before: events carry no `type` field
  }
}

output {
  elasticsearch {
    # same single host as before, written in list form; no `index`, user or
    # password is set in this pipeline
    hosts => ["elasticsearch:9200"]
  }
}

## compose
## docker-compose.yml

version: '2'
services:
  elasticsearch:
    build: elasticsearch/
    # ES ports are deliberately not published: the node is reachable only on
    # the docker_elk network (Logstash addresses it as "elasticsearch:9200").
    # Keep it that way; nothing in this file adds authentication to it.
    # ports:
      # - "9200:9200"
      # - "9300:9300"
    environment:
      ES_JAVA_OPTS: "-Xms1g -Xmx1g"  # fixed 1 GiB JVM heap
    volumes:
      # index data is a bind mount on the host, so it survives container removal
      - ./data/elasticsearch/data:/usr/share/elasticsearch/data
    networks:
      - docker_elk
  logstash:
    build: logstash/
    command: -f /etc/logstash/conf.d/
    volumes:
      # holds logstash.conf (tcp/json input on 5000 -> elasticsearch output)
      - ./logstash/config:/etc/logstash/conf.d
    ports:
      # Published on every host interface. The tcp/json input has no
      # authentication, so anyone who can reach this port can inject events.
      # Bind it to the internal interface rsyslog forwards to, e.g.
      # "<elk-host-internal-ip>:5000:5000", or firewall it to the rsyslog hosts.
      - "5000:5000"
    networks:
      - docker_elk
    depends_on:
      - elasticsearch
  kibana:
    build: kibana/
    volumes:
      - ./kibana/config/:/etc/kibana/
    ports:
      # Kibana UI on every host interface; nothing in this file adds
      # authentication in front of it. Restrict it the same way, e.g.
      # "<elk-host-internal-ip>:5601:5601".
      - "5601:5601"
    networks:
      - docker_elk
    depends_on:
      - elasticsearch

networks:
  docker_elk:
    driver: bridge

# run

# Build the three images (if not built yet) and start the stack in the background.
docker-compose up -d

rsyslog:

# workspace

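# Create the rsyslog workspace together with its rsyslog.d config directory,
# then move into it. One mkdir -p creates both levels; the && keeps the cd from
# being skipped silently, so later commands cannot land in the wrong directory.
mkdir -p ~/workspace/rsyslog/rsyslog.d && cd ~/workspace/rsyslog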

# config

## json
## rsyslog.d/01-json-template.conf

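# JSON line template consumed by Logstash's `codec => "json"` TCP input.
# option.json="on" makes rsyslog JSON-escape every property() value, so quotes
# or backslashes inside a log line cannot break out of the "message" string;
# constant() values are emitted verbatim, which is why the quotes are written
# into them by hand.
# "timereported" is the timestamp carried in the message (sender's clock);
# "timegenerated" would be rsyslog's own receive time.
# "hostname" and "tag" are taken from the message as the sender set them.
# "fromhost-ip" (added) is the peer address rsyslog received the message from,
# which is the value to rely on when checking where a log line really came from.
# NOTE(review): when rsyslog runs behind a Docker published port, confirm the
# recorded peer address is the real sender and not the bridge/proxy address.
template(name="json_lines"
  type="list"
  option.json="on") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")       property(name="timereported" dateFormat="rfc3339")
      constant(value="\", \"@version\":\"1")
      constant(value="\",\"tag\":\"")           property(name="syslogtag")
      constant(value="\",\"message\":\"")       property(name="msg")
      constant(value="\",\"severity\":\"")      property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")      property(name="syslogfacility-text")
      constant(value="\",\"hostname\":\"")      property(name="hostname")
      constant(value="\",\"fromhost_ip\":\"")   property(name="fromhost-ip")
      constant(value="\", \"procid\":\"")       property(name="procid")
      constant(value="\", \"programname\":\"")  property(name="programname")
    constant(value="\"}\n")
}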

## logstash
## rsyslog.d/60-logstash.conf
## 替换IP/PORT为真实地址

# Forward every message (all facilities and priorities, like "*.*") to Logstash
# over plain TCP, which is what "@@" meant in the legacy syntax; each message is
# formatted with the json_lines template above. The connection is not TLS.
# Replace the two placeholders with the Logstash host's reachable address and
# the port docker-compose publishes for it (5000).
# An optional filter was kept disabled in the original, in legacy form
# ":programname, contains, "docker""; the script equivalent would wrap this
# action in `if $programname contains "docker" then { ... }`.
action(type="omfwd"
       target="${LOGSTASH_SERVER_IP}"
       port="${LOGSTASH_SERVER_PORT}"
       protocol="tcp"
       template="json_lines")

## compose
## docker-compose.yml

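version: '2'
services:
  app:
    # pulled by floating tag; pin a reviewed tag or digest before production use
    image: voxxit/rsyslog
    ports:
      # Bound to the host's internal address (the one containers point at in
      # their syslog-address, see the nginx compose file) instead of 0.0.0.0:
      # port 514 accepts unauthenticated input, UDP senders are trivially
      # spoofable, and Docker-published ports are not covered by host
      # INPUT-chain firewall rules. Replace the address with your own host's
      # internal IP.
      - "192.168.2.121:514:514"
      - "192.168.2.121:514:514/udp"
    volumes:
      # 01-json-template.conf and 60-logstash.conf from this workspace
      - ./rsyslog.d:/etc/rsyslog.d
    restart: always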

# run

# Pull the rsyslog image if needed and start the container in the background.
docker-compose up -d

container:

# workspace

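# Create the demo app workspace and move into it; && makes a failed mkdir or cd
# stop the chain instead of leaving the shell in the previous directory.
mkdir -p ~/workspace/nginx && cd ~/workspace/nginx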

# config

## compose
## docker-compose.yml

version: "2"

services:
  app:
    image: nginx:alpine # the screenshots below used my rtmp image instead; same result
    logging:
      # Container stdout/stderr is shipped to the rsyslog container instead of
      # the local json-file driver. Two operational consequences: on older
      # Docker releases `docker logs` shows nothing for this container, and the
      # driver connects at container start, so the container will not start
      # while the syslog endpoint is unreachable.
      driver: syslog
      options:
        # rsyslog host's internal address, plain TCP (no TLS). The driver also
        # supports tcp+tls:// with the syslog-tls-* options once rsyslog is
        # configured for it.
        syslog-address: "tcp://192.168.2.121:514" # internal IP
        # becomes the syslog tag / programname field, e.g. live_app_1.0ece16babd6d
        # (compose project, service name, instance number, short container id)
        tag: "{{.Name}}.{{.ID}}"
    ports:
      - "8080:80"
    restart: always

# run

# Start the demo app in the background; its log lines now flow to rsyslog -> Logstash -> ES.
docker-compose up -d

三,效果

选择:"*",并去掉"index-xxxx"的勾选,点击"create"

多刷新几次nginx的访问地址,刷一些日志出来

选择过滤条件:

  • programname
  • host
  • hostname
  • timestamp

可以看到programname是live_app_1.0ece16babd6d

说明一下:

  • docker-compose.yml所在目录是live
  • services配置的第一个服务名称是app
  • 因为只有一个实例,所以后面数字是1
  • 再后面跟着的是我的container_id

红线标出来的就是container id了

四,生产环境

生产环境我们就不用手动创建了,这里用rancher进行演示

找一个应用选择upgrade配置log选项:

配置好以后点击"upgrade",等待完成,之后多访问几次

这里用了我司Web小组前端实验室的应用,可以看到已经有了记录~

五,参考


--

专栏不定期更新容器实践过程中的一些经历,欢迎关注~