一,方案:
- elk(elasticsearch + logstash + kibana)
- rsyslog
- docker log-driver: syslog
二,配置
elk:
# workspace: create the ELK working directory and clone docker-elk into it
ws="$HOME/workspace/elk"
mkdir -p "$ws"
cd "$ws"
git clone https://github.com/deviantony/docker-elk.git ./
# config
## logstash
## logstash/config/logstash.conf
# Logstash pipeline: accept JSON events from rsyslog over TCP and index them
# into the Elasticsearch container on the compose network.
input {
  # rsyslog forwards its json_lines template here (rsyslog.d/60-logstash.conf).
  # No host => is set and the compose file publishes 5000 on the host, so any
  # machine that can reach the host can submit events; the input itself has no
  # authentication, so keep port 5000 restricted to the internal network.
  # NOTE(review): for newline-delimited JSON over tcp the json_lines codec is the
  # documented choice; confirm plain json behaves for this Logstash version.
  tcp {
    port => 5000
    # type => "rsyslog"
    codec => "json"
  }
}
output {
  elasticsearch {
    # Service name on the docker_elk network; 9200 is not published on the host.
    hosts => "elasticsearch:9200"
  }
}
## compose
## docker-compose.yml
# docker-compose.yml for the ELK stack (docker-elk layout)
version: '2'

networks:
  docker_elk:
    driver: bridge

services:
  elasticsearch:
    build: elasticsearch/
    # 9200/9300 are intentionally not published: Elasticsearch is reachable only
    # from containers attached to the docker_elk network.
    # ports:
    #   - "9200:9200"
    #   - "9300:9300"
    environment:
      ES_JAVA_OPTS: "-Xms1g -Xmx1g"
    volumes:
      - ./data/elasticsearch/data:/usr/share/elasticsearch/data
    networks:
      - docker_elk

  logstash:
    build: logstash/
    command: -f /etc/logstash/conf.d/
    depends_on:
      - elasticsearch
    networks:
      - docker_elk
    # TCP input fed by rsyslog. It is published on every host interface and the
    # input has no authentication, so restrict 5000 to the internal network at
    # the firewall / security group level.
    ports:
      - "5000:5000"
    volumes:
      - ./logstash/config:/etc/logstash/conf.d

  kibana:
    build: kibana/
    depends_on:
      - elasticsearch
    networks:
      - docker_elk
    # Kibana UI, published on every host interface; nothing in this file puts
    # authentication in front of it.
    ports:
      - "5601:5601"
    volumes:
      - ./kibana/config/:/etc/kibana/
# run: start the stack in the background (images are built on first run)
docker-compose up -d
rsyslog:
# workspace
# workspace: rsyslog working directory with a drop-in config directory inside it
ws="$HOME/workspace/rsyslog"
mkdir -p "$ws/rsyslog.d"
cd "$ws/"
# config
## json
## rsyslog.d/01-json-template.conf
# List template that renders each syslog message as one JSON object per line.
# option.json="on" makes rsyslog JSON-escape every property value (quotes,
# backslashes, control characters), so a log line written by any process cannot
# break out of its field or inject extra fields into the event Logstash parses.
# Field names (@timestamp, @version, message, ...) are chosen to match the
# Logstash event layout; the trailing "\n" terminates the line for the TCP input.
template(name="json_lines"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\", \"@version\":\"1")
constant(value="\",\"tag\":\"") property(name="syslogtag")
constant(value="\",\"message\":\"") property(name="msg")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"hostname\":\"") property(name="hostname")
constant(value="\", \"procid\":\"") property(name="procid")
constant(value="\", \"programname\":\"") property(name="programname")
constant(value="\"}\n")
}
## logstash
## rsyslog.d/60-logstash.conf
## 替换IP/PORT为真实地址
# Forwarding rule (legacy selector syntax): "*.*" matches every facility and
# priority, "@@" forwards over TCP (a single "@" would be UDP), and ";json_lines"
# selects the template above. ${LOGSTASH_SERVER_IP}/${LOGSTASH_SERVER_PORT} are
# placeholders to replace with the real address (see the note above); rsyslog is
# not expected to expand them. Forwarding is plaintext, so keep it on the internal
# network, or use omfwd's TLS stream driver if it has to cross an untrusted one.
# Uncomment the filter line to forward only messages whose programname contains "docker".
# :programname, contains, "docker"
*.* @@${LOGSTASH_SERVER_IP}:${LOGSTASH_SERVER_PORT};json_lines
## compose
## docker-compose.yml
# docker-compose.yml for the rsyslog relay that receives container logs and
# forwards them to Logstash
version: '2'

services:
  app:
    image: voxxit/rsyslog
    restart: always
    # Drop-in configs (json template + forwarding rule) mounted over the image's rsyslog.d
    volumes:
      - ./rsyslog.d:/etc/rsyslog.d
    # Syslog listener published on every host interface, TCP and UDP. Any host
    # that can reach it can inject log lines into the pipeline, so keep 514
    # restricted to the internal network.
    ports:
      - "514:514"
      - "514:514/udp"
# run: start the rsyslog relay in the background
docker-compose up -d
container:
# workspace
# workspace: directory for the sample application's compose file
ws="$HOME/workspace/nginx"
mkdir -p "$ws"
cd "$ws"
# config
## compose
## docker-compose.yml
# docker-compose.yml for an application container whose stdout/stderr is shipped
# to the rsyslog relay through Docker's syslog log driver
version: "2"

services:
  app:
    image: nginx:alpine  # the screenshots below use my rtmp image instead; the result is the same
    restart: always
    ports:
      - "8080:80"
    logging:
      driver: syslog
      options:
        # rsyslog relay on the internal network (internal IP). This is plain
        # tcp://; the syslog driver also accepts tcp+tls:// together with
        # syslog-tls-ca-cert / syslog-tls-cert / syslog-tls-key when the relay
        # is not on a trusted network.
        syslog-address: "tcp://192.168.2.121:514"
        # {{.Name}} / {{.ID}} are expanded by the log driver, so the container
        # name and id end up in programname (see section 三). Quoted so YAML
        # does not read the braces as a flow mapping.
        tag: "{{.Name}}.{{.ID}}"
# run: start the application in the background; its logs now go to rsyslog
docker-compose up -d
三,效果
选择:"*",并去掉"index-xxxx"的勾选,点击"create"
多刷新几次nginx的访问地址,刷一些日志出来
选择过滤条件:
- programname
- host
- hostname
- timestamp
可以看到programname是live_app_1.0ece16babd6d
说明一下:
- docker-compose.yml所在目录是live
- services配置的第一个服务名称是app
- 因为只有一个实例,所以后面数字是1
- 再后面跟着的是我的container_id
红线标出来的就是container id了
四,生产环境
生产环境我们就不用手动创建了,这里用rancher进行演示
找一个应用选择upgrade配置log选项:
配置好以后点击"upgrade",等待完成,之后多访问几次
这里用了我司Web小组前端实验室的应用,可以看到已经有了记录~
五,参考
--
专栏不定期更新容器实践过程中的一些经历,欢迎关注~