Elasticsearch, Logstash and Kibana (E.L.K.) on Docker – Part 1 Logstash

When I set up my new server back in May, I decided to try out Elasticsearch, Logstash and Kibana (E.L.K.) on it against the Aggregator (my PVOutput aggregating and uploading application) logs. It took me most of a day to get it installed, but because I followed a guide somewhere on the internet I can’t remember how it was all configured..!

I was searching Docker Hub the other day and thought… “I wonder if they have Docker images for E.L.K.?”

Luckily for me, they have taken the time to create Docker instances and it’s a good excuse to uninstall E.L.K. on my server and re-do it using Docker images!

I started off by trying out the basic Logstash example given on Docker Hub, which worked fine, and then decided to try to get the image to receive my log files via the Log4j SocketAppender. No matter how I tried to get the existing Aggregator application to send the logs (SocketAppender or even via a Docker volume), I could not get it to work…

So back to the drawing board! Time to get a simple Java application up and running to try things out with… and that’s how the Spring Boot Web Example was born.

I started out with a basic Logstash config which had previously worked, using the log4j input, but found out later that Log4j and Log4j2 have incompatibilities, so an add-on would be needed if that input is used.

logstash.conf (1st attempt)

input {
  log4j {
    port => 9999
  }
}
filter {

}
output {
  stdout {}
}

But I don’t want to install another plugin… so I tried out various other “methods” (a.k.a. trial and error…) and eventually found that if you use the input type tcp, you can send data to it using the Log4j2 SocketAppender, providing the Layout isn’t SerializedLayout.

logstash.conf (2nd attempt with tcp input and json codec)

input {
  tcp {
    port => 9999
    codec => json
  }
}

filter {
}

output {
  stdout {}
}

The above logstash.conf was combined with the SocketAppender and JSONLayout combo in the log4j2.xml config file:

<Socket name="socket" host="pompeii" port="13456" reconnectionDelayMillis="5000">
    <JSONLayout complete="true" compact="false" eventEol="true" />
</Socket>

But I still couldn’t get it to produce the results I was after until it dawned on me that perhaps I should change the problem around… If I just throw standard log strings at it, maybe I can break them up or format them into something that’s easier for Logstash to consume!

So I then ended up with the tcp input and line codec, and decided that if I send key-value paired log messages to Logstash, I could use the kv filter. I’ve now ended up with…

input {
  tcp {
    port => 9999
    codec => line
  }
}

filter {
  kv {
    source => "message"
    recursive => "true"
  }
}

output {
  stdout {codec => rubydebug}
}

And changed the log4j2.xml config to use a pattern layout that works better with the kv filter.

log4j2.xml (the full file can be found in the spring-boot-example in the log4j2.xml.tcp file)

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn" strict="true" monitorInterval="30">
    <Properties>
        ...
        <Property name="defaultpattern">logdate=(%d{ISO8601}) thread=(%thread) level=(%level) loggerclass=(%logger{36}) message=(%msg)%n</Property>
    </Properties>
    <Filter type="ThresholdFilter" level="trace"/>
    <Appenders>
        ...
        <Socket name="socket" host="pompeii" port="13456" reconnectionDelayMillis="5000">
            <Layout type="PatternLayout" pattern="${defaultpattern}" />
        </Socket>
    </Appenders>
    <Loggers>
        <Logger name="uk.co.vsf" level="info" additivity="false">
            <AppenderRef ref="STDOUT"/>
            <AppenderRef ref="File"/>
            <AppenderRef ref="socket"/>
        </Logger>
        ...
    </Loggers>
</Configuration>

The above Log4j2 config file specifies a pattern that the key value (kv) filter will read easily, working out where each value ends because the values are wrapped in brackets. The Logstash config file also specifies the output codec rubydebug, as I found out (the hard way) that having debug output on gives you an awful lot of help when trying out config changes!
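To show what the kv filter has to work with, here is a small Python stand-in for the tcp input with line codec plus the kv filter, added as an example here and not part of the original post or the spring-boot-example project; the sample payload, thread name and logger class are constructed. It goes slightly beyond the kv filter by anchoring on the fixed field order of the pattern, so a message that itself contains parentheses or key=( text stays inside the message field instead of becoming extra fields.

```python
import re
from typing import Dict, List, Optional, Tuple

# Field order and bracketing of the "defaultpattern" PatternLayout in the
# page's log4j2.xml. Keys before "message" are matched with [^)]* and the
# message is anchored to end of line, so parentheses or "key=(" text inside
# the message (which may echo request data) cannot create spurious fields.
LINE_RE = re.compile(
    r"^logdate=\((?P<logdate>[^)]*)\) "
    r"thread=\((?P<thread>[^)]*)\) "
    r"level=\((?P<level>[A-Z]+)\) "
    r"loggerclass=\((?P<loggerclass>[^)]*)\) "
    r"message=\((?P<message>.*)\)$"
)

def parse_kv_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one appender line into its five fields, or return None for a
    line that does not follow the layout (e.g. a stack-trace continuation)."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def parse_line_stream(payload: bytes) -> Tuple[List[Dict[str, str]], List[str]]:
    """Split a TCP payload into newline-terminated events, as the line codec
    does, and parse each; lines the layout does not explain are returned
    separately so they can be counted or alerted on rather than silently lost."""
    events: List[Dict[str, str]] = []
    unparsed: List[str] = []
    for raw in payload.decode("utf-8", errors="replace").splitlines():
        if not raw.strip():
            continue
        parsed = parse_kv_line(raw)
        if parsed is None:
            unparsed.append(raw)
        else:
            events.append(parsed)
    return events, unparsed

# Constructed sample payload (not captured from the page's application).
SAMPLE_PAYLOAD = (
    b"logdate=(2016-06-12T10:15:32,123) thread=(http-nio-8080-exec-1) "
    b"level=(INFO) loggerclass=(uk.co.vsf.web.UserController) "
    b"message=(Fetching user (id=42))\n"
    b"logdate=(2016-06-12T10:15:32,456) thread=(http-nio-8080-exec-1) "
    b"level=(WARN) loggerclass=(uk.co.vsf.web.UserController) "
    b"message=(Lookup failed for name=(bob) level=(ERROR))\n"
    b"\tat uk.co.vsf.web.UserController.get(UserController.java:42)\n"
)
```

Running parse_line_stream(SAMPLE_PAYLOAD) yields two parsed events and one unparsed stack-trace line; the second event keeps "name=(bob) level=(ERROR)" in its message field rather than splitting it out.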

Putting it all together and running Logstash in Docker is probably the easiest part! To run Logstash I have a run script which has the following command:

docker run -p 13456:9999 -it --rm -v "$PWD":/config-dir logstash -f /config-dir/logstash.conf

It’s exposing the Logstash container’s port 9999 as host port 13456 (-p 13456:9999) and loads in the custom logstash.conf file from the mounted volume.

At present Logstash doesn’t send the received messages anywhere, but it will log the input to the console. So here’s an example of calling the get-user-by-id service:

[Screenshot: logstash-user]

And the stdout from Logstash:

[Screenshot: logstash-stdout]

That’s it for now, but (hopefully) in the next part, I plan to hook Logstash up to Elasticsearch in docker!