一、在 docker-compose 文件中配置日志输出到 logstash
---
version: "2"
services:
  alpine:
    image: alpine:latest
    hostname: alpine
    # Placeholder workload for the demo: keeps the container alive and
    # produces some stdout for the log driver to forward.
    command: tail -f /etc/passwd
    # Log output mode: container stdout/stderr is shipped via syslog.
    logging:
      driver: syslog
      options:
        # Listen address of the logstash syslog input.
        # NOTE(review): a plain tcp:// endpoint is unencrypted and
        # unauthenticated; keep it on a trusted/private network, or switch
        # to tcp+tls:// together with the driver's syslog-tls-* options
        # if the receiver is configured for TLS.
        syslog-address: "tcp://192.168.4.32:50000"
        # The tag is what lets logstash tell container types apart.
        tag: alpine
二、logstash 配置
input {
  # Receives what the Docker syslog driver sends (see syslog-address in the
  # compose file). This listener has no transport security and no client
  # authentication: any host that can reach the port can inject events, so
  # restrict reachability to the Docker hosts (firewall / private network).
  syslog {
    port => 50000
    type => "docker"
  }
}
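filter {
  # Discard noisy nsqlookupd lines before any further processing.
  if [message] =~ "nsqlookupd " {
    drop {}
  }

  if [type] == "docker" {
    # Split the syslog payload: the Docker tag ("alpine[pid]: ...") becomes
    # [app], the remainder becomes [msg].
    # NOTE(review): the syslog input normally parses the tag into
    # [program]/[pid] itself; if events show up with _grokparsefailure,
    # try [program] as the app name instead — verify against a real payload.
    grok {
      match => {
        "message" => "\s+(?<app>%{WORD}?)\[%{NUMBER}\]:\s+(?<msg>.*)"
      }
      # Dropping the raw line here, inside grok, only happens when the
      # pattern matched; a separate mutate would delete it even on
      # _grokparsefailure and leave nothing to debug with.
      remove_field => ["message"]
    }
  }
}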
output {
  # One index per application, rotated monthly (e.g. alpine-2018_11).
  # Only the listed apps are indexed; anything else is not emitted.
  # NOTE(review): no user/password/ssl options are set on the elasticsearch
  # output, so this assumes ek:9200 is reachable only from a trusted network.
  if [app] in ["alpine", "django"] {
    elasticsearch {
      hosts => ["ek:9200"]
      index => "%{app}-%{+YYYY_MM}"
    }
  }
}
处理后的结果如下
{
"app": "alpine",
"msg": "2018-11-09T08:00:01.237+0800 INFO service/recordsrv.go:116 请求状态码 {\"statusCode\": 200, \"status\": \"200 OK\"}"
}