Add new blog post

2020-12-07 19:08:38 +01:00 · 2020-12-07 19:08:38 +01:00 · 92edc584ab
commit 92edc584ab
parent 0f770ea8fd
1 changed files with 210 additions and 0 deletions
--- a/content/posts/how-to-setup-elk-docker-swarm.md
+++ b/content/posts/how-to-setup-elk-docker-swarm.md
@ -0,0 +1,210 @@
 +++ 
 title = "How to setup ELK on a Docker Swarm"
 date = "2020-12-07"
 author = "Aloïs Micard"
 authorTwitter = "" #do not include @ 
 cover = ""
 tags = ["Docker Swarm", "Dev Ops"]
 keywords = ["", ""]
 description = "In this tutorial you'll see how to take advantage of the ELK stack to set up a centralized logging mechanism for your Swarm cluster"
 showFullContent = false 
 +++
 In this tutorial you'll see how to set up easily an ELK (**E**lastic, **L**ogstash, **K**ibana) stack to have a
 centralized logging solution for your Docker swarm cluster.
 # Install the stack
 Below you'll find the full stack to have a working ELK stack on your docker swarm.
 ```yaml
 version: '3'
 services:
  elasticsearch:
    image: elasticsearch:7.9.3
    environment:
      - discovery.type=single-node
      - ES_JAVA_OPTS=-Xms2g -Xmx2g
    volumes:
      - esdata:/usr/share/elasticsearch/data
  kibana:
    image: kibana:7.9.3
    depends_on:
      - elasticsearch
    ports:
      - "5601:5601"
  logstash:
    image: logstash:7.9.3
    ports:
      - "12201:12201/udp"
    depends_on:
      - elasticsearch
    deploy:
      mode: global
    volumes:
      - logstash-pipeline:/usr/share/logstash/pipeline/
 volumes:
  esdata:
    driver: local
  logstash-pipeline:
    driver: local
 ```
 I will break down the configuration part to explain what's going on:
 ---
 ```yaml
 elasticsearch:
  image: elasticsearch:7.9.3
  environment:
    - discovery.type=single-node
    - ES_JAVA_OPTS=-Xms2g -Xmx2g
  volumes:
    - esdata:/usr/share/elasticsearch/data
 ```
 First we need to create an elasticsearch container, nothing fancy:
 ```yaml
 - discovery.type=single-node
 ```
 We need to set the discovery to `single-node` to evade bootstrap checks. See [this](https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html#single-node-discovery) for more information.
 ```yaml
 - ES_JAVA_OPTS=-Xms2g -Xmx2g
 ```
 Here we need to increase the minimum memory for the container.
 ---
 ```yaml
 kibana:
  image: kibana:7.9.3
  depends_on:
    - elasticsearch
  ports:
    - "5601:5601"
 ```
 This one is simple, we are creating a kibana container to view the logs. The container expose the port `5601` in order
 for you to reach the dashboard. In a production context it will be better to expose kibana trough [Traefik](https://traefik.io/)
 with a [Basic Auth](https://doc.traefik.io/traefik/middlewares/basicauth/) middleware for example.
 The kibana container will automatically try to connect to an elasticsearch search at address `elasticsearch`. So as
 long as the elasticsearch container is named `elasticsearch`, no further configuration is required to make it work.
 ---
 ```yaml
 logstash:
  image: logstash:7.9.3
  ports:
    - "12201:12201/udp"
  depends_on:
    - elasticsearch
  deploy:
    mode: global
  volumes:
    - logstash-pipeline:/usr/share/logstash/pipeline/
 ```
 Final part, the logstash container. It's the process who will collect the containers logs to aggregate them
 and push them to ES.
 ```yaml
 ports:
  - "12201:12201/udp"
 ```
 The logstash process will expose a GELF UDP endpoint on port 12201, and the docker engine will push the logs to that
 endpoint.
 ```yaml
 deploy:
  mode: global
 ```
 We will need to have one logstash agent running per node, so that container can push logs to it.
 ```yaml
 volumes:
  - logstash-pipeline:/usr/share/logstash/pipeline/
 ```
 We will need to setup logstash to listen on that port and forward the logs to ES. This will be done by creating
 a pipeline, that we will put in this volume.
 ---
 Now we will need to bring up this stack:
 ```shell
 creekorful@host:~$ docker stack deploy logs -c logs.yaml
 ```
 # Configure logstash
 Now that we have our 3 containers up and alive, we will need to configure logstash. This is done by putting the following
 file `logstash.conf` into the `logstash-pipeline` volume.
 ```conf
 input {
   gelf {
   }
 }
 output {
 	elasticsearch {
 		hosts => "elasticsearch:9200"
 	}
 }
 ```
 This configuration will set up an `UDP` (default) GELF endpoint on port `12201` (default), and output the logs
 to elasticsearch host.
 Now we will need to kill the container so that it restart with the new configuration.
 # Configure Docker logging driver
 Now that we have our containers up and running we need to indicate to Docker to push the logs to logstash.
 This can be done by two approach:
 ## Global configuration
 We can change the Docker default logging driver to that every container created will push the logs automatically
 to the logstash container. This is done by editing the `/etc/docker/daemon.json` config file.
 ```json
 {
  "log-driver": "gelf",
  "log-opts": {
    "gelf-address": "udp://localhost:12201"
  }
 }
 ```
 Note: you can see that we are submitting the logs to `udp://localhost:12201`, this is because the logs are submitted
 trough the host network.
 ## Per stack configurations
 If you prefer to configure only logging for some of your containers, this can be done individually on each stack
 like this:
 ```yaml
 logging:
  driver: gelf
  options:
    gelf-address: "udp://localhost:12201"
 ```
 # Conclusion
 Now you should have a running logging mechanism.
 Long live Docker Swarm and Happy hacking !