rsyslog 未連接到 docker 中的 elasticsearch

Question

我正在嘗試使用 rsyslog 捕獲通過網絡發送的 syslog 消息，然后讓 rsyslog 捕獲、轉換這些消息並將這些消息發送到 elasticsearch。

我在https://www.reddit.com/r/devops/comments/9g1nts/rsyslog_elasticsearch_logging/上找到了一篇關於配置的好文章

問題是 rsyslog 在啟動時不斷彈出一個錯誤，它無法通過端口 9200 連接到同一台機器上的 Elasticsearch。我得到的錯誤是無法連接到本地主機端口 9200：連接被拒絕

2020-03-20T12:57:51.610444+00:00 53fd9e2560d9 rsyslogd: [origin software="rsyslogd" swVersion="8.36.0" x-pid="1" x-info="http://www.rsyslog.com"] start

rsyslogd: omelasticsearch: we are suspending ourselfs due to server failure 7: Failed to connect to localhost port 9200: Connection refused [v8.36.0 try http://www.rsyslog.com/e/2007 ]

任何人都可以幫忙嗎？

一切都在一台機器上的 docker 中運行。 我使用下面的 docker compose 文件來啟動堆棧。

version: "3"

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.6.1
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
    ports:
      - 9200:9200
    networks:
      - logging-network

  kibana:
    image: docker.elastic.co/kibana/kibana:7.6.1
    depends_on:
      - logstash
    ports:
      - 5601:5601
    networks:
      - logging-network

  rsyslog:
    image: rsyslog/syslog_appliance_alpine:8.36.0-3.7
    environment:
      - TZ=UTC
      - xpack.security.enabled=false
    ports:
      - 514:514/tcp
      - 514:514/udp
    volumes:
      - ./rsyslog.conf:/etc/rsyslog.conf:ro
      - rsyslog-work:/work
      - rsyslog-logs:/logs

volumes:
  rsyslog-work:
  rsyslog-logs:

networks:
  logging-network:
    driver: bridge

rsyslog.conf 文件如下：

global(processInternalMessages="on")

#module(load="imtcp" StreamDriver.AuthMode="anon" StreamDriver.Mode="1")
module(load="impstats") # config.enabled=`echo $ENABLE_STATISTICS`)
module(load="imrelp")
module(load="imptcp")
module(load="imudp" TimeRequery="500")

module(load="omstdout")
module(load="omelasticsearch")

module(load="mmjsonparse")
module(load="mmutf8fix")


input(type="imptcp" port="514")
input(type="imudp" port="514")
input(type="imrelp" port="1601")

# includes done explicitely
include(file="/etc/rsyslog.conf.d/log_to_logsene.conf" config.enabled=`echo $ENABLE_LOGSENE`)
include(file="/etc/rsyslog.conf.d/log_to_files.conf" config.enabled=`echo $ENABLE_LOGFILES`)



#try to parse a structured log
action(type="mmjsonparse")

# this is for index names to be like: rsyslog-YYYY.MM.DD
template(name="rsyslog-index" type="string" string="rsyslog-%$YEAR%.%$MONTH%.%$DAY%")

# this is for formatting our syslog in JSON with @timestamp
template(name="json-syslog" type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"host\":\"")        property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"program\":\"")     property(name="programname")
      constant(value="\",\"tag\":\"")         property(name="syslogtag" format="json")
      constant(value="\",")                   property(name="$!all-json" position.from="2")
    # closing brace is in all-json
}

# this is where we actually send the logs to Elasticsearch (localhost:9200 by default)
action(type="omelasticsearch" template="json-syslog" searchIndex="rsyslog-index" dynSearchIndex="on")



#################### default ruleset begins ####################

# we emit our own messages to docker console:
syslog.* :omstdout:

include(file="/config/droprules.conf" mode="optional")  # this permits the user to easily drop unwanted messages

action(name="main_utf8fix" type="mmutf8fix" replacementChar="?")

include(text=`echo $CNF_CALL_LOG_TO_LOGFILES`)
include(text=`echo $CNF_CALL_LOG_TO_LOGSENE`)

Answer 1

首先，您需要在同一個 docker 網絡上運行所有容器，在這種情況下不是。 其次，在同一網絡上運行容器后，登錄到 rsyslog 容器並檢查 9200 是否可用。