From 05e0406a74783a63e467480e59ac244b376216c7 Mon Sep 17 00:00:00 2001
From: kev
Date: Sat, 29 Oct 2016 15:20:25 +0800
Subject: [PATCH] Added ELK (UNTESTED)
---
 README.md | 1 +
 elk/README.md | 6 ++++++
 elk/conf/01-lumberjack-input.conf | 6 ++++++
 elk/conf/02-beats-input.conf | 6 ++++++
 elk/conf/10-syslog.conf | 13 ++++++++++++
 elk/conf/11-nginx.conf | 7 +++++++
 elk/conf/30-output.conf | 9 +++++++++
 elk/docker-compose.yml | 33 +++++++++++++++++++++++++++++++
 elk/elasticsearch.yml | 2 ++
 9 files changed, 83 insertions(+)
 create mode 100644 elk/README.md
 create mode 100644 elk/conf/01-lumberjack-input.conf
 create mode 100644 elk/conf/02-beats-input.conf
 create mode 100644 elk/conf/10-syslog.conf
 create mode 100644 elk/conf/11-nginx.conf
 create mode 100644 elk/conf/30-output.conf
 create mode 100644 elk/docker-compose.yml
 create mode 100644 elk/elasticsearch.yml
diff --git a/README.md b/README.md
index 03d1f60..f7b7816 100644
--- a/README.md
+++ b/README.md
@@ -212,6 +212,7 @@ A collection of delicious docker recipes.
 - [x] certbot
 - [x] drone/drone
 - [x] drupal
+- [x] elk
 - [x] ghost
 - [x] gitlab/gitlab-ce
 - [ ] gliderlabs/logspout
diff --git a/elk/README.md b/elk/README.md
new file mode 100644
index 0000000..5de564f
--- /dev/null
+++ b/elk/README.md
@@ -0,0 +1,6 @@
+ELK
+===
+
+- Elasticsearch
+- Logstash
+- Kibana
diff --git a/elk/conf/01-lumberjack-input.conf b/elk/conf/01-lumberjack-input.conf
new file mode 100644
index 0000000..e4da550
--- /dev/null
+++ b/elk/conf/01-lumberjack-input.conf
@@ -0,0 +1,6 @@
+input {
+ lumberjack {
+ port => 5000
+ type => "logs"
+ }
+}
diff --git a/elk/conf/02-beats-input.conf b/elk/conf/02-beats-input.conf
new file mode 100644
index 0000000..a00d3f5
--- /dev/null
+++ b/elk/conf/02-beats-input.conf
@@ -0,0 +1,6 @@
+input {
+ beats {
+ port => 5044
+ ssl => false
+ }
+}
diff --git a/elk/conf/10-syslog.conf b/elk/conf/10-syslog.conf
new file mode 100644
index 0000000..acce463
--- /dev/null
+++ b/elk/conf/10-syslog.conf
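Review bot: The lumberjack input is declared with only `port => 5000` and `type => "logs"`, but the logstash-input-lumberjack plugin treats `ssl_certificate` and `ssl_key` as required settings, so Logstash should refuse to load this pipeline rather than start a plaintext listener. Point them at a certificate and key mounted into the container, e.g. `ssl_certificate => "/etc/logstash/conf.d/certs/logstash.crt"` and `ssl_key => "/etc/logstash/conf.d/certs/logstash.key"`; since the compose file in this commit publishes 5000 to the host, that TLS is also the only protection the port gets against anyone injecting events. Note too that `type => "logs"` matches neither the `syslog` nor the `nginx-access` type the filter files in this commit key on, so lumberjack events bypass both filters unless the shipper overrides the type — presumably intended, but worth a comment.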
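Review bot: `ssl => false` on the beats input means port 5044, which the compose file in this commit publishes on every host interface, accepts plaintext events from any client with no authentication, so anyone who can reach it can inject or tamper with log records before they land in Elasticsearch. For anything beyond a local experiment set `ssl => true` with `ssl_certificate`/`ssl_key`, and consider `ssl_verify_mode => "force_peer"` together with `ssl_certificate_authorities` so only shippers holding a trusted client certificate can connect. If plaintext is the intended default for this recipe, a comment such as `# plaintext on purpose: keep 5044 on the docker network or a trusted segment` would stop the next user from assuming the port is protected.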
@@ -0,0 +1,13 @@
+filter {
+ if [type] == "syslog" {
+ grok {
+ match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
+ add_field => [ "received_at", "%{@timestamp}" ]
+ add_field => [ "received_from", "%{host}" ]
+ }
+ syslog_pri { }
+ date {
+ match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
+ }
+ }
+}
diff --git a/elk/conf/11-nginx.conf b/elk/conf/11-nginx.conf
new file mode 100644
index 0000000..d4a45db
--- /dev/null
+++ b/elk/conf/11-nginx.conf
@@ -0,0 +1,7 @@
+filter {
+ if [type] == "nginx-access" {
+ grok {
+ match => { "message" => "%{NGINXACCESS}" }
+ }
+ }
+}
diff --git a/elk/conf/30-output.conf b/elk/conf/30-output.conf
new file mode 100644
index 0000000..07c9faf
--- /dev/null
+++ b/elk/conf/30-output.conf
@@ -0,0 +1,9 @@
+output {
+ elasticsearch {
+ hosts => ["elasticsearch"]
+ sniffing => true
+ manage_template => false
+ index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
+ document_type => "%{[@metadata][type]}"
+ }
+}
diff --git a/elk/docker-compose.yml b/elk/docker-compose.yml
new file mode 100644
index 0000000..56eaae5
--- /dev/null
+++ b/elk/docker-compose.yml
@@ -0,0 +1,33 @@
+version: '2'
+services:
+ elasticsearch:
+ image: elasticsearch:5.0
+ ports:
+ - '9200:9200'
+ - '9300:9300'
+ volumes:
+ - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+ - ./data:/usr/share/elasticsearch/data
+ mem_limit: 4g
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ cap_add:
+ - IPC_LOCK
+ logstash:
+ image: logstash:5.0
+ ports:
+ - '5000:5000'
+ - '5044:5044'
+ volumes:
+ - ./conf:/etc/logstash/conf.d
+ kibana:
+ image: kibana:5.0
+ ports:
+ - '5601:5601'
+ environment:
+ - ELASTICSEARCH_URL=http://elasticsearch:9200
diff --git a/elk/elasticsearch.yml b/elk/elasticsearch.yml
new file mode 100644
index 0000000..4e561a2
--- /dev/null
+++ b/elk/elasticsearch.yml
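Review bot: Nothing in this commit produces events with `[type] == "syslog"` — the lumberjack input sets `type => "logs"` and the beats input sets no type — so this whole filter only fires if the shipper tags events itself, which deserves a comment at the top of the file (`# expects the shipper (e.g. filebeat document_type) to set type => syslog`). The `date` filter also has no `timezone`, and syslog timestamps carry no zone, so they are interpreted in the Logstash container's local zone (presumably UTC in the official image); events from hosts in another zone will be shifted by hours, which matters when these indices are used to build an incident timeline — add `timezone => "<zone of the sending hosts>"` when they differ. The `add_field => [ ... ]` array form works, but the documented hash form `add_field => { "received_at" => "%{@timestamp}" }` reads more clearly and matches current Logstash examples.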
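Review bot: As far as I can tell `%{NGINXACCESS}` is not among the patterns shipped with Logstash's core grok patterns (the built-ins cover Apache-style formats such as `COMBINEDAPACHELOG`), and this commit adds neither a patterns file nor a `patterns_dir`, so grok should fail to compile the pipeline with an undefined-pattern error at startup. Either add a patterns file (e.g. `elk/conf/patterns/nginx` defining NGINXACCESS) and reference it with `patterns_dir => ["/etc/logstash/conf.d/patterns"]`, or match `"%{COMBINEDAPACHELOG}"`, which nginx's default `combined` log_format is compatible with. As with the syslog filter, nothing here sets `type` to `nginx-access`, so the shipper has to do it — worth a comment.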
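Review bot: The `index` and `document_type` expressions rely on `[@metadata][beat]` and `[@metadata][type]`, which only the beats input populates; events arriving on the lumberjack port (typed "logs" by this commit) carry neither, so the placeholders stay unresolved and the event is written to an index literally named `%{[@metadata][beat]}-2016.10.29` (or rejected, depending on how Elasticsearch validates the name). Give those events a fallback, e.g. a filter `if ![@metadata][beat] { mutate { add_field => { "[@metadata][beat]" => "logstash" } } }`, or use a plain `index => "logstash-%{+YYYY.MM.dd}"` for this recipe. `manage_template => false` also means Logstash installs no index template, so unless the shipper loads one every field gets a dynamic mapping — a one-line comment stating which side owns the template would help.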
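Review bot: `'9200:9200'` and `'9300:9300'` publish Elasticsearch on every interface of the host, and the `elasticsearch:5.0` image ships without any authentication, so as written anyone who can reach the host can read, modify or delete every index (and the `'5601:5601'` Kibana port gives the same access through a UI). Kibana and Logstash already reach Elasticsearch over the compose network by service name, so the elasticsearch `ports:` entries can be dropped, or bound to loopback with `- '127.0.0.1:9200:9200'` if curl access from the host is wanted; Kibana should sit behind a reverse proxy with authentication before this leaves a lab. Separately, the logstash service mounts the pipeline at `/etc/logstash/conf.d` but sets no `command`; as far as I can tell the official 5.0 image defaults to `-e ''` and does not read that directory, so it likely needs `command: -f /etc/logstash/conf.d` for the conf files in this commit to be loaded at all — consistent with the UNTESTED in the subject, worth verifying before merging.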
@@ -0,0 +1,2 @@
+network.host: 0.0.0.0
+bootstrap.mlockall: true
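Review bot: `bootstrap.mlockall` was renamed to `bootstrap.memory_lock` in Elasticsearch 5.0, and 5.x rejects unknown settings at startup, so with this file the container should exit with an unknown-setting error instead of locking memory; change the second line to `bootstrap.memory_lock: true`. Binding to `network.host: 0.0.0.0` also puts 5.0 into production mode where the bootstrap checks are enforced, so once the setting is fixed the memory-lock check has to actually pass (the compose file's `IPC_LOCK` and unlimited `memlock` ulimit are what make that possible) and the host needs `vm.max_map_count` of at least 262144, which a compose v2 file cannot set — worth a line in elk/README.md. The 0.0.0.0 bind is what makes the published 9200/9300 ports reachable from outside the docker network, and this image has no authentication, so keep those ports unpublished or loopback-bound on the host.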