docker - rsyslog未连接到docker中的elasticsearch

Question

我正在尝试使用 rsyslog 捕获通过网络发送的 syslog 消息，然后让 rsyslog 捕获、转换并将这些消息发送到 elasticsearch。

我在 https://www.reddit.com/r/devops/comments/9g1nts/rsyslog_elasticsearch_logging/ 上找到了一篇关于配置的好文章

问题是 rsyslog 在启动时不断弹出一个错误，它无法连接到端口 9200 上同一台机器上的 Elasticsearch。我得到的错误是
无法连接到 localhost 端口 9200:连接被拒绝

2020-03-20T12:57:51.610444+00:00 53fd9e2560d9 rsyslogd: [origin software="rsyslogd" swVersion="8.36.0" x-pid="1" x-info="http://www.rsyslog.com"] start

rsyslogd: omelasticsearch: we are suspending ourselfs due to server failure 7: Failed to connect to localhost port 9200: Connection refused [v8.36.0 try http://www.rsyslog.com/e/2007 ]

任何人都可以在这方面提供帮助吗？

一切都在一台机器上的 docker 中运行。我使用下面的 docker compose 文件来启动堆栈。

version: "3"

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.6.1
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
    ports:
      - 9200:9200
    networks:
      - logging-network

  kibana:
    image: docker.elastic.co/kibana/kibana:7.6.1
    depends_on:
      - logstash
    ports:
      - 5601:5601
    networks:
      - logging-network

  rsyslog:
    image: rsyslog/syslog_appliance_alpine:8.36.0-3.7
    environment:
      - TZ=UTC
      - xpack.security.enabled=false
    ports:
      - 514:514/tcp
      - 514:514/udp
    volumes:
      - ./rsyslog.conf:/etc/rsyslog.conf:ro
      - rsyslog-work:/work
      - rsyslog-logs:/logs

volumes:
  rsyslog-work:
  rsyslog-logs:

networks:
  logging-network:
    driver: bridge

rsyslog.conf 文件如下:

global(processInternalMessages="on")

#module(load="imtcp" StreamDriver.AuthMode="anon" StreamDriver.Mode="1")
module(load="impstats") # config.enabled=`echo $ENABLE_STATISTICS`)
module(load="imrelp")
module(load="imptcp")
module(load="imudp" TimeRequery="500")

module(load="omstdout")
module(load="omelasticsearch")

module(load="mmjsonparse")
module(load="mmutf8fix")


input(type="imptcp" port="514")
input(type="imudp" port="514")
input(type="imrelp" port="1601")

# includes done explicitely
include(file="/etc/rsyslog.conf.d/log_to_logsene.conf" config.enabled=`echo $ENABLE_LOGSENE`)
include(file="/etc/rsyslog.conf.d/log_to_files.conf" config.enabled=`echo $ENABLE_LOGFILES`)



#try to parse a structured log
action(type="mmjsonparse")

# this is for index names to be like: rsyslog-YYYY.MM.DD
template(name="rsyslog-index" type="string" string="rsyslog-%$YEAR%.%$MONTH%.%$DAY%")

# this is for formatting our syslog in JSON with @timestamp
template(name="json-syslog" type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"host\":\"")        property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"program\":\"")     property(name="programname")
      constant(value="\",\"tag\":\"")         property(name="syslogtag" format="json")
      constant(value="\",")                   property(name="$!all-json" position.from="2")
    # closing brace is in all-json
}

# this is where we actually send the logs to Elasticsearch (localhost:9200 by default)
action(type="omelasticsearch" template="json-syslog" searchIndex="rsyslog-index" dynSearchIndex="on")



#################### default ruleset begins ####################

# we emit our own messages to docker console:
syslog.* :omstdout:

include(file="/config/droprules.conf" mode="optional")  # this permits the user to easily drop unwanted messages

action(name="main_utf8fix" type="mmutf8fix" replacementChar="?")

include(text=`echo $CNF_CALL_LOG_TO_LOGFILES`)
include(text=`echo $CNF_CALL_LOG_TO_LOGSENE`)

Answer 1

首先，您需要在同一个 docker 网络上运行所有容器，在这种情况下不是。其次，在同一网络上运行容器后，登录到 rsyslog 容器并检查 9200 是否可用。