using syslog to ship the docker container logs to logstash - docker

Can logs in a docker container ... say logs located in /var/log/syslog get shipped to logstash without using any additional components such as lumberjack and logspout?
Just wondering because I set up an environment and tried to make it work with syslog (so syslog ships the logs from docker container to logstash) but for now it's not working .. just wondering if there's something wrong with my logic.

There's no way for messages in /var/log/syslog to magically route to logstash without something configured to forward messages. Something must send the logs to logstash. You have a few options:
- Configure your app to send log messages to stdout rather than to /var/log/syslog, and run logspout to collect stdout from all the running containers and send messages to your logstash endpoint.
- Run rsyslog inside your container and configure a syslog daemon such as rsyslog to send messages to your logstash endpoint.
- Bind mount /dev/log from the host to your container by passing -v /dev/log:/dev/log to docker run when starting your container. On the host, configure your syslog daemon to send messages to logstash.

You could use the docker syslog driver to send docker logs straight from docker containers to logstash. You just have to add some parameters when you run your container:
https://docs.docker.com/engine/admin/logging/overview/#supported-logging-drivers

Related

Program in docker logging with syslog does not generate log files

I am using a centos 7.9 for my docker. I'm running a C++ program in my docker image which writes logging via syslog.
However, I cannot find these logs anywhere when I run it in docker. On my centos machine, the logging would by default go to /var/log/messages, but on docker /var/log/messages is empty. I've tried setting the docker logging driver to syslog (in the docker run command) and I can see rsyslogd running in the docker container as well with ps -aux.
On my host machine, /var/log/syslog does not receive the logs either.
How do I get the log files to write to the /var/log/messages on the docker environment (or to my host machine, if storing them on the docker environment is not advisable)?
Thanks.

Since docker does not support systemd, it's very likely that syslog is not running on your container.
My suggestion is: start a shell in your container and make sure syslog is installed using
yum list --installed
or
rpm -qa
Then run the syslog daemon from the shell manually.
After that, start a new terminal and run your code.
PS: since I'm on my phone, I can't be more helpful.
I'll try to edit it as soon as possible.

Does docker log-level impact logging driver or only logs of docker daemon?

I have my logging driver setup of journald. Does the log-level config in daemon.json file impact logs when using a logging driver or only the container logs when using docker logs <container_name> ?
For example, docker and journald have documentation showing how to set log level/priority.
Docker's default setting is info: log-level: info.
With journald I can also use -p to set the log priority to info: journalctl -p info.
If my docker logging driver is journald with log priority set to info, do I even need to worry about setting log-level to info in daemon.json file?

I think maybe you confused the following concepts: logs of the docker daemon, logs of container(s), and logs printed with the journalctl command.
The configuration in the docker.json file impacts the logs of the docker daemon.
The logs of container(s) would only be impacted by your application configuration in that container.
The command journalctl -p ONLY impacts the logs shown on your screen, which means -p only does the filtering. No matter what level you've indicated, err or info, the logs are there already.
Hope this would be helpful.

Forward Docker log to logstash using syslog driver

I need to forward docker logs to an ELK stack.
The administrator of the stack filters my log according to the type parameter of the message. Right now I use filebeat and have to set the document_type parameter so the Logstash configuration filters my messages properly.
I am now trying to avoid using Filebeat, because I am going to instantiate my EC2 machines on demand, and did not want to have to install filebeat on each of them on runtime.
I already saw that there is a syslog driver among others available. I set the syslog driver, and the messages go to Logstash, but I am not able to find how to set a value for the document_type like in filebeat. How can I send this metadata to Logstash using Syslog driver, or any other Docker native driver?
Thanks!

Can't you give your syslog output a tag like so:
docker run -d --name nginx --log-driver=syslog --log-opt syslog-address=udp://LOGSTASH_IP_ADDRESS:5000 --log-opt syslog-tag="nginx" -p 80:80 nginx
And then in your logstash rules:
filter {
  if "nginx" in [tags] {
    # add_field is an option of a filter plugin, so it is wrapped in mutate
    mutate {
      add_field => { "type" => "nginx" }
    }
  }
}
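
As an added example (not part of the answer above or of Docker's or Logstash's own code): a small Python parser showing where the Docker syslog tag sits in an RFC 3164 message and how a receiver could derive a type field from it. It assumes the container is started with --log-opt syslog-format=rfc3164; the sample lines and the TAG_TO_TYPE mapping are constructed for illustration.

```python
import re

# Assumed wire format (syslog-format=rfc3164):
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Hypothetical mapping from container tag to the "type" the ELK admin filters on.
TAG_TO_TYPE = {"nginx": "nginx"}


def parse_docker_syslog(line: str) -> dict:
    """Split one RFC 3164 datagram into fields and derive a routing type."""
    m = RFC3164.match(line.rstrip("\n"))
    # Highest valid PRI is facility 23 * 8 + severity 7 = 191.
    if m is None or int(m["pri"]) > 191:
        # Keep unparsable input instead of dropping it, and mark it.
        return {"message": line, "type": "unparsed", "tags": ["_parsefailure"]}
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "program": m["tag"],  # the syslog tag arrives as the program name
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
        # Unknown tags get a fixed value so a sender cannot pick an arbitrary type.
        "type": TAG_TO_TYPE.get(m["tag"], "unknown"),
    }


# Constructed sample datagrams (not captured from a real host).
SAMPLES = [
    '<30>Mar  4 10:15:02 ip-10-0-0-12 nginx[1287]: 10.0.0.5 - - "GET / HTTP/1.1" 200 612',
    "<27>Mar  4 10:15:03 ip-10-0-0-12 worker[1302]: connection refused",
    "not a syslog line",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_docker_syslog(sample))
```
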

rsyslog unable to identify docker container id as hostname from log4j 1x

My log4j 1x version is sending logs from a docker container to syslog server. In my rsyslog.conf I am storing these logs under /var/log/rsyslog/appname/%hostname% .
Ideally, if I am sending the logs from my log4j1x docker container, rsyslog should identify the container id as %hostname%, but it identifies the underlying server as hostname. This is not the case when my nginx docker container sends logs to rsyslog. It correctly identifies the container id as hostname.
Can someone assist please?

How to get tomcat log from docker container running in atomic host

I am working on log monitoring. I have a requirement to get tomcat application server logs (example: catalina.log) running in the docker container (the container is running in an atomic host) and pass them to the Logstash server using rsyslog.
I am able to get the docker container related logs, but not able to get the tomcat server and application logs from the docker container where tomcat is running.
Any suggestion on this is appreciated.
Thanks,
Praveen

You could mount the local host when initializing the container. You just pass the -v flag for mounting to the local host.
docker run -v /tmp may/hello-world.py
This will allow you to mount the directory of the tomcat logs to the local host.
Here are the Docker docs that talk about it.
https://docs.docker.com/engine/userguide/containers/dockervolumes/
-Bruce
