- logstash
- input syslog (tcp port 1514 by default or port 5514)
- input syslog (tcp with tls port 10514 by default)
- input lumberjack/logstash-forwarder (tcp with tls port 5043 by default)
- input json (tcp port 5001 by default)
- input gelf (udp port 12200 by default)
$ git clone https://github.com/edefaria/docker-logstash.git
$ cd docker-logstash
$ docker build -t docker-logstash .
$ docker run -p 1514:1514 -p 5043:5043 -p 5001:5001 -p 10514:10514 -p 12200:12200/udp -e TIMEZONE=Europe/Paris --name docker-logstash docker-logstash
Possible inputs:
Port 1514 is required if you use syslog.
Port 10514 is required if you use syslog with tls on tcp.
Port 5043 is required if you use logstash-forwarder/lumberjack.
Port 12200/udp is required if you use gelf (UDP only).
Port 5001 is required if you use json on TCP.
To customise the configuration, mount the configuration folder as a volume by adding the docker argument "-v /etc/logstash/conf.d/:/etc/logstash/conf.d/". If you do, also set the environment variable KEEP_CONFIG=true so that your existing configuration is kept at startup instead of being regenerated.
Environment variables:
DEBUG=1 => launch logstash in DEBUG mode
TIMEZONE=Europe/Paris => time zone of the container; set it to the same time zone as your syslog server
GELF_OUTPUT_HOST => Host for gelf output
GELF_OUTPUT_PORT => Port for gelf output
GELF_OUTPUT_PROTOCOL => Protocol (TCP/UDP) for gelf output
GELF_OUTPUT_TLS => TLS (true/false) for gelf output
GELF_STATIC_FIELDS => list of context values to add to your stream like "app:test2,foo:bar2"
- rsyslog
Edit: /etc/rsyslog.d/60-forward.conf
$template raw,"<%pri%>%timestamp:::date-rfc3339% %hostname% %syslogtag%%msg%\n"
*.* @@$HOSTNAME:1514;raw
- rsyslog-gnutls
Edit: /etc/rsyslog.d/60-forward.conf
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %STRUCTURED-DATA% %msg%\n"
*.* @@(o)$HOSTNAME:10514;GRAYLOGRFC5424
- syslog-ng
Edit: /etc/syslog-ng/conf.d/22-forward.conf
destination remote_log_server { tcp("$HOSTNAME" port(1514)); };
log { source(src); destination(remote_log_server); };
- logstash-forwarder
Edit: /path_installation_of_logstash-forwarder/logstash-forwarder.conf
{
  "network": {
    "servers": [ "$HOSTNAME:5043" ],
    "ssl key": "/etc/pki/tls/private/logstash-forwarder.key",
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "ssl certificate": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout": 15
  },
  "files": [
    {
      "paths": [ "/var/log/syslog" ],
      "fields": { "type": "syslog" }
    }
  ]
}
- logstash with gelf (UDP)
Edit: /etc/logstash.conf
output {
  gelf {
    # the gelf output takes a single "host" setting, as in the generated logstash.conf below
    host => "$HOSTNAME"
    port => 12200
  }
}
By default "logstash.conf" is generated with:
- a filter matching type "foo" on all inputs, where a specific field can be added to your stream
- a gelf output whose settings are taken from the docker environment variables.
Initial configuration: logstash.conf
input {
  tcp {
    port => 5001
    type => foo
  }
  syslog {
    port => 1514
    type => foo
  }
  gelf {
    port => 12200
    type => foo
  }
  lumberjack {
    port => 5043
    type => foo
    ssl_certificate => "/opt/logstash-forwarder/logstash-forwarder.crt"
    ssl_key => "/opt/logstash-forwarder/logstash-forwarder.key"
  }
}
filter {
  if [type] == "foo" {
    mutate {
      #add_field => [ "foo", "bar" ]
    }
  }
}
output {
  gelf {
    host => "localhost"
    port => 12202
    protocol => "tcp"
    tls => "true"
  }
  stdout {}
}
The ".crt" and ".key" files must be the same on the client (the output program, e.g. logstash-forwarder) and on the server (the input service, e.g. the lumberjack input inside the docker image). By default the image ships these two files, "logstash.crt" and "logstash.key", located next to the Dockerfile at the repository root. Replace them with your own certificate and key before building the image so that yours are baked in instead of the defaults.
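The following script is an added example and is not part of the docker-logstash project. It covers two things from this README: a smoke test that builds one correctly formatted message for each plaintext input listed above (syslog on 1514, a JSON line on 5001, a zlib-compressed GELF datagram on 12200/udp), and a certificate check for the TLS listeners (10514 and 5043) that fetches the certificate the container actually presents and hashes it so it can be compared with the fingerprint of the logstash.crt you built into the image (the `anon` auth mode in the rsyslog-gnutls snippet never checks this, so it is worth checking once by hand). `LOGSTASH_HOST`, the sample messages and `SAMPLE_PEM` are constructed placeholders; everything else uses only the Python standard library.

```python
"""Client-side checks for a docker-logstash container (added example; not project code).

LOGSTASH_HOST, the sample messages and SAMPLE_PEM are constructed placeholders.
"""
import base64
import hashlib
import json
import socket
import ssl
import time
import zlib

LOGSTASH_HOST = "logstash.example.internal"  # placeholder: the host running the container


def syslog_rfc3164(msg, host="client01", tag="smoke", facility=1, severity=6, ts=None):
    """BSD syslog line as the syslog input on 1514 expects: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = facility * 8 + severity  # facility 1 = user, severity 6 = info -> <14>
    ts = ts or time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {host} {tag}: {msg}\n".encode()


def json_line(event):
    """The tcp input on 5001 uses the line codec, so send one JSON document per newline-terminated line."""
    return (json.dumps(event, separators=(",", ":")) + "\n").encode()


def gelf_udp(short_message, host="client01", level=6, **extra):
    """GELF 1.1 datagram for the gelf input on 12200/udp, zlib-compressed (first byte 0x78).
    Additional fields get the leading "_" the GELF spec requires."""
    payload = {"version": "1.1", "host": host, "short_message": short_message,
               "timestamp": time.time(), "level": level}
    for key, value in extra.items():
        payload["_" + key.lstrip("_")] = value
    return zlib.compress(json.dumps(payload).encode())


def decode_gelf(datagram):
    """Inverse of gelf_udp, used to verify what was put on the wire."""
    return json.loads(zlib.decompress(datagram))


def send_tcp(host, port, data, timeout=5):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
    return len(data)


def send_udp(host, port, data):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (host, port))


def pem_fingerprint(pem_text):
    """SHA-256 over the DER form of a PEM certificate, e.g. the logstash.crt next to the Dockerfile."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def server_cert_fingerprint(host, port, timeout=5):
    """Fingerprint of the certificate a TLS listener presents. Verification is off on purpose:
    the goal is to learn which certificate is served and compare it with pem_fingerprint(local crt)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def smoke_test(host=LOGSTASH_HOST):
    """Send one message to each plaintext input and return the byte counts that were sent."""
    return {
        "syslog/1514": send_tcp(host, 1514, syslog_rfc3164("smoke test from client01")),
        "json/5001": send_tcp(host, 5001, json_line({"type": "smoke", "message": "hello"})),
        "gelf/12200": send_udp(host, 12200, gelf_udp("smoke test", app="smoke")),
    }


# Constructed stand-in, not a real certificate: pem_fingerprint only base64-decodes the body,
# so this is enough to exercise it offline. Use the real logstash.crt in practice.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-der-bytes").decode()
              + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print(smoke_test())
    for port in (10514, 5043):
        print(port, server_cert_fingerprint(LOGSTASH_HOST, port))
```

Run `pem_fingerprint(open("logstash.crt").read())` on the host that built the image and compare it with `server_cert_fingerprint(LOGSTASH_HOST, 5043)`: if the two differ, the container is serving the repository's default pair rather than the one you meant to bake in. A gelf message can be checked the same way with `decode_gelf` before it leaves the client.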