Added ELK (UNTESTED)

2024-06-24 07:48:38 +00:00 · 2016-10-29 15:20:25 +08:00 · 2016-10-29 15:20:25 +08:00 · 05e0406a74
commit 05e0406a74
parent dfc0f2ba3b
9 changed files with 83 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -212,6 +212,7 @@ A collection of delicious docker recipes.
 - [x] certbot
 - [x] drone/drone
 - [x] drupal
+- [x] elk
 - [x] ghost
 - [x] gitlab/gitlab-ce
 - [ ] gliderlabs/logspout
--- a/elk/README.md
+++ b/elk/README.md
@ -0,0 +1,6 @@
+ELK
+===
+
+- Elasticsearch
+- Logstash
+- Kibana
--- a/elk/conf/01-lumberjack-input.conf
+++ b/elk/conf/01-lumberjack-input.conf
@ -0,0 +1,6 @@
+input {
+  lumberjack {
+    port => 5000
+    type => "logs"
+  }
+}
--- a/elk/conf/02-beats-input.conf
+++ b/elk/conf/02-beats-input.conf
@ -0,0 +1,6 @@
+input {
+  beats {
+    port => 5044
+    ssl => false
+  }
+}
--- a/elk/conf/10-syslog.conf
+++ b/elk/conf/10-syslog.conf
@ -0,0 +1,13 @@
+filter {
+  if [type] == "syslog" {
+    grok {
+      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+      add_field => [ "received_from", "%{host}" ]
+    }
+    syslog_pri { }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+    }
+  }
+}
--- a/elk/conf/11-nginx.conf
+++ b/elk/conf/11-nginx.conf
@ -0,0 +1,7 @@
+filter {
+  if [type] == "nginx-access" {
+    grok {
+      match => { "message" => "%{NGINXACCESS}" }
+    }
+  }
+}
--- a/elk/conf/30-output.conf
+++ b/elk/conf/30-output.conf
@ -0,0 +1,9 @@
+output {
+  elasticsearch {
+    hosts => ["elasticsearch"]
+    sniffing => true
+    manage_template => false
+    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
+    document_type => "%{[@metadata][type]}"
+  }
+}
--- a/elk/docker-compose.yml
+++ b/elk/docker-compose.yml
@ -0,0 +1,33 @@
+version: '2'
+services:
+  elasticsearch:
+    image: elasticsearch:5.0
+    ports:
+      - '9200:9200'
+      - '9300:9300'
+    volumes:
+      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+      - ./data:/usr/share/elasticsearch/data
+    mem_limit: 4g
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    cap_add:
+      - IPC_LOCK
+  logstash:
+    image: logstash:5.0
+    ports:
+      - '5000:5000'
+      - '5044:5044'
+    volumes:
+      - ./conf:/etc/logstash/conf.d
+  kibana:
+    image: kibana:5.0
+    ports:
+      - '5601:5601'
+    environment:
+      - ELASTICSEARCH_URL=http://elasticsearch:9200
--- a/elk/elasticsearch.yml
+++ b/elk/elasticsearch.yml
@ -0,0 +1,2 @@
+network.host: 0.0.0.0
+bootstrap.mlockall: true