Google Cloud Container Optimized OS host logs to stackdriver
TL;DR
What is the best practice to send container optimized os host logs (ssh and executed shell commands) to Stackdriver?
Background:
I'm using Google's Container Optimized OS which works great. It's super easy to send the container logs to Stackdriver, but how do I send host logs to Stackdriver?
It's for auditing purposes, I need to log all SSH connections (accepted or denied) and all commands executed via shell. Previously I would simply send the rsyslogd (auth,authpriv) to stackdriver via the stackdriver host logger package.
This is for Container Optimized OS VMs running in a managed instance group (mig), not in Google Kubernetes Engine.
It might be super obvious, but I can't seem to find any documentation on it.
At a high level, this is what you need to do for any GCP COS instance to ship the OS audit logs to Google stackdriver:
First, you need to enable audit logs on COS using the following command: systemctl start cloud-audit-setup. That would allow the audit logs to be generated and captured in the compute instance journal; you can use the journalctl command to see the outcome.
Second, you need to have the Google Stackdriver agent installed on the instance and configured to ship audit logs from the instance journal to Stackdriver. This can be achieved by having a docker container running the fluentd-gcp google container image.
I am sharing the below cloud-init to do the whole job for you. All you need to do is to have an instance metadata with key "user-data" and value is the below script:
```yaml
#cloud-config
users:
- name: logger
  uid: 2001
  groups: docker
write_files:
- path: /etc/google-fluentd/fluentd.conf
  permissions: 0644
  owner: root
  content: |
    # This config comes from a heavily trimmed version of the
    # container-engine-customize-fluentd project. The upstream config is here:
    # https://github.com/GoogleCloudPlatform/container-engine-customize-fluentd/blob/6a46d72b29f3d8e8e495713bc3382ce28caf744e/kubernetes/fluentd-configmap.yaml
    <source>
      type systemd
      path /var/log/journal
      pos_file /var/log/gcp-journald.pos
      filters [{ "SYSLOG_IDENTIFIER": "audit" }]
      tag node-journal
      read_from_head true
    </source>
    <match **>
      @type copy
      <store>
        @type google_cloud
        # Set the buffer type to file to improve the reliability
        # and reduce the memory consumption
        buffer_type file
        buffer_path /var/log/google-fluentd/cos-system.buffer
        # Set queue_full action to block because we want to pause gracefully
        # in case of the off-the-limits load instead of throwing an exception
        buffer_queue_full_action block
        # Set the chunk limit conservatively to avoid exceeding the GCL limit
        # of 10MiB per write request.
        buffer_chunk_limit 2M
        # Cap the combined memory usage of this buffer and the one below to
        # 2MiB/chunk * (6 + 2) chunks = 16 MiB
        buffer_queue_limit 6
        # Never wait more than 5 seconds before flushing logs in the non-error
        # case.
        flush_interval 5s
        # Never wait longer than 30 seconds between retries.
        max_retry_wait 30
        # Disable the limit on the number of retries (retry forever).
        disable_retry_limit
        # Use multiple threads for processing.
        num_threads 2
      </store>
    </match>
- path: /etc/systemd/system/logger.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=logging docker container
    Requires=network-online.target
    After=network-online.target
    [Service]
    Environment="HOME=/home/logger"
    ExecStartPre=/usr/share/google/dockercfg_update.sh
    ExecStartPre=/bin/mkdir -p /var/log/google-fluentd/
    ExecStartPre=-/usr/bin/docker rm -fv logger
    ExecStart=/usr/bin/docker run --rm -u 0 \
      --name=logger \
      -v /var/log/:/var/log/ \
      -v /var/lib/docker/containers:/var/lib/docker/containers \
      -v /etc/google-fluentd/:/etc/fluent/config.d/ \
      --env='FLUENTD_ARGS=-q' \
      gcr.io/google-containers/fluentd-gcp:2.0.17
    Restart=always
    RestartSec=1
runcmd:
- systemctl daemon-reload
- systemctl start logger.service
- systemctl start cloud-audit-setup
```
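To see what the `filters [{ "SYSLOG_IDENTIFIER": "audit" }]` rule in that fluentd config actually selects, here is an added example (not part of the answer above) that applies the same match to constructed `journalctl -o json` lines and pulls out the SSH login records the question asks about. The sample entries, addresses and uids are made up for illustration; the audit record layout follows the standard Linux audit format.

```python
import json
import re

# Constructed sample of `journalctl -o json` output on a COS node after
# `systemctl start cloud-audit-setup`; values are invented for illustration.
SAMPLE_JOURNAL = r'''
{"SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Accepted publickey for logger from 203.0.113.5 port 51234 ssh2"}
{"SYSLOG_IDENTIFIER":"audit","MESSAGE":"type=USER_LOGIN msg=audit(1559660000.123:45): pid=1234 uid=0 auid=2001 ses=3 msg='op=login id=2001 exe=\"/usr/sbin/sshd\" hostname=203.0.113.5 addr=203.0.113.5 terminal=/dev/pts/0 res=success'"}
{"SYSLOG_IDENTIFIER":"audit","MESSAGE":"type=USER_LOGIN msg=audit(1559660010.456:46): pid=1240 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.7 terminal=ssh res=failed'"}
{"SYSLOG_IDENTIFIER":"audit","MESSAGE":"type=SYSCALL msg=audit(1559660020.789:47): arch=c000003e syscall=59 success=yes exit=0 auid=2001 uid=2001 ses=3 comm=\"docker\" exe=\"/usr/bin/docker\" key=(null)"}
{"SYSLOG_IDENTIFIER":"docker","MESSAGE":"container started"}
'''

# key=value tokens: double-quoted, single-quoted (nested msg='...') or bare
_KV = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def journal_filter(lines, identifier="audit"):
    """Mirror fluentd's `filters [{"SYSLOG_IDENTIFIER": "audit"}]`: keep only
    journal entries whose SYSLOG_IDENTIFIER equals the given value."""
    for line in lines:
        line = line.strip()
        if line:
            entry = json.loads(line)
            if entry.get("SYSLOG_IDENTIFIER") == identifier:
                yield entry


def parse_audit_message(message):
    """Flatten a Linux audit record into a dict, merging the nested msg='...' block."""
    fields = {}
    for key, value in _KV.findall(message):
        if key == "msg" and value.startswith("'"):
            fields.update({k: v.strip('"') for k, v in _KV.findall(value[1:-1])})
        else:
            fields[key] = value.strip('"')
    return fields


def ssh_login_events(journal_text):
    """Return accepted and denied SSH logins (USER_LOGIN records from sshd)."""
    events = []
    for entry in journal_filter(journal_text.splitlines()):
        f = parse_audit_message(entry["MESSAGE"])
        if f.get("type") == "USER_LOGIN" and f.get("exe") == "/usr/sbin/sshd":
            events.append({"user": f.get("id") or f.get("acct"),
                           "addr": f.get("addr"), "result": f.get("res")})
    return events


if __name__ == "__main__":
    for ev in ssh_login_events(SAMPLE_JOURNAL):
        print(ev)
```

Only entries tagged `audit` reach Stackdriver with this config; the plain `sshd` syslog line is dropped, so the SSH accept/deny information has to come from the USER_LOGIN audit records.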
The Google Team answered:
To have journald logs in stackdriver, you will need to configure Fluentd to do so. See these lines of fluentd configmap for some examples. Note that the "node-journal" filter in the configmap is not enabled by default on GKE.
To have audits on COS nodes, additionally, you will need to enable the COS audit logging system service. On COS nodes: Run "systemctl start cloud-audit-setup". Then you will have audit logs like SSH login in the journald log.