Docker Container
I decided to use a container from Allan Simon from the following git repo:
https://github.com/allan-simon/docker-rsyslog-elasticsearch
Get the code
$ git clone https://github.com/allan-simon/docker-rsyslog-elasticsearch
Revise the base container to use ubuntu:20.04
FROM ubuntu:20.04
# Install rsyslog and rsyslog-elasticsearch extensions. All in one
# go to reduce amount of layers.
RUN apt-get -y update && \
    apt-get upgrade -y --no-install-recommends && \
    apt-get install -y --no-install-recommends \
    software-properties-common && \
    apt-get -y update && \
    apt-get -q -y --no-install-recommends install \
    rsyslog rsyslog-elasticsearch cron logrotate && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    chown syslog /var/log
COPY entrypoint.sh /
COPY rsyslog.conf /etc/
COPY rsyslog_elasticsearch.conf /etc/rsyslog.d/
COPY rsyslog-rotate /usr/lib/rsyslog/rsyslog-rotate
ENTRYPOINT ["/entrypoint.sh"]
CMD ["-n"]
Configure RSyslog to Export to Elasticsearch
$ vi /etc/rsyslog.conf
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
#$IncludeConfig /etc/rsyslog.d/*.conf
*.* /var/log/messages
Restart Rsyslog
$ service rsyslog restart
Test
tail -f /var/log/messages
From another command prompt
logger "hi"
Build
$ docker build -t jmehan/rsyslog .
Deploy
CONTAINER=rsyslog
IMAGE=jmehan/rsyslog
DIR=`pwd -P`
docker stop $CONTAINER
docker rm $CONTAINER
docker run --name $CONTAINER \
    --restart=always \
    -p 514:514/udp \
    -p 514:514 \
    -e ESLOG_HOST=192.168.1.50 \
    -e ESLOG_ES_PORT=9200 \
    -e ESLOG_ES_USE_HTTPS=off \
    -d $IMAGE
docker logs -f $CONTAINER
Utilities
Send logs to RSyslog
...
$ logger -n localhost -P 514 'log message from host' "hello world"
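To drive the container's 514/udp and 514/tcp inputs from a script instead of logger, and to check what rsyslog then writes to /var/log/messages, here is an added example (not code from this page or from the allan-simon repository). It assumes the container is reachable on 127.0.0.1:514, and the hostname "host1" and tag "test" are placeholder values.

```python
import re
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164; logger defaults to user.notice.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# One line of /var/log/messages under RSYSLOG_TraditionalFileFormat:
# "Mmm dd hh:mm:ss HOST TAG[PID]: MSG" (day is space-padded, e.g. "Jan  5").
TRADITIONAL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 4.1.1); user.notice is 13."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def build_message(tag, msg, facility="user", severity="notice",
                  hostname="host1", when=None) -> bytes:
    """Assemble "<PRI>TIMESTAMP HOSTNAME TAG: MSG" as a BSD-syslog record.
    Every field is chosen by the sender; the 514 inputs authenticate nothing,
    so host and tag values that reach Elasticsearch are untrusted data."""
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {msg}".encode()

def send_udp(payload: bytes, host="127.0.0.1", port=514) -> int:
    """One datagram per message, for the imudp input (-p 514:514/udp)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))

def send_tcp(payload: bytes, host="127.0.0.1", port=514) -> int:
    """imtcp (-p 514:514) splits records on LF by default, so append one."""
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(payload + b"\n")
        return len(payload) + 1

def parse_traditional_line(line: str) -> dict:
    """Parse one tail -f /var/log/messages line; {} when it does not match."""
    m = TRADITIONAL_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else {}

if __name__ == "__main__":
    # Same effect as: logger -n localhost -P 514 "hello world"
    send_udp(build_message("test", "hello world"))
```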
References
Reference | URL |
---|---|
Docker log driver syslog forward to Elasticsearch | https://github.com/allan-simon/docker-rsyslog-elasticsearch |
omelasticsearch: Elasticsearch Output Module | https://www.rsyslog.com/doc/v8-stable/configuration/modules/omelasticsearch.html |
...