Replies: 1 comment
Did you find a solution to this? It's unclear how to get "clean" logs out of the container.
I'm trying to plug the logs from nginx-proxy into elastic, using filebeat's nginx module. This partly seems to be working, but not entirely. stderr logs are not properly grok'd and appear to be in the stdout stream.
Comparing with the standard/vanilla nginx container, there do seem to be some differences.
See these raw logs, obtained from portainer...
(nginx-proxy)
nginx.1 | kibana.home.REDACTED.me 172.27.0.1 - - [06/Aug/2021:13:41:28 +0100] "POST /api/ui_counters/_report HTTP/2.0" 200 15 "https://kibana.home.REDACTED.me/app/discover" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36" "172.29.0.20:5601"
(nginx official)
172.29.0.2 - - [06/Aug/2021:12:50:39 +0100] "GET / HTTP/1.1" 200 4206 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36" "172.27.0.1"
Now, this seems to be mostly fine for the purpose of access logs, although filebeat/elastic sets "destination.domain" to a slightly screwy value of "[0mkibana.home.REDACTED.me"
But when it comes to error logs, they seem to be outputting to the stdout stream, and therefore the grok that the filebeat module employs is the wrong one.
Here is an example error generated by the filebeat nginx module processing (and of course containing the original log line)...
Provided Grok expressions do not match field value: [\u001B[0;33;1mnginx.1 \| \u001B[0;31;1m2021/08/06 13:48:14 [warn] 61#61: *22 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000006, client: 172.27.0.1, server: kibana.home.REDACTED.me, request: \"POST /internal/bsearch HTTP/2.0\", host: \"kibana.home.REDACTED.me\", referrer: \"https://kibana.home.REDACTED.me/app/discover\"]
And some of the other fields being incorrectly set for this log event...
stream: stdout
fileset.name: access
event.dataset: nginx.access
In terms of how this is set up in filebeat, I am using autodiscovery and container labels. I have the following labels set for the nginx-proxy container...
and filebeat.yml contains the following...
This setup works perfectly with an out-of-the-box vanilla nginx container. Does anyone know a way of working around these issues with the nginx-proxy image?
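The raw lines quoted in the post carry two things the stock nginx patterns do not expect: ANSI colour codes and an `nginx.1 |` process prefix. As an added example (not from the original post or from the nginx-proxy or filebeat projects), this Python code strips both and routes each line by its shape instead of by stream; the regexes, function names and output field names are assumptions inferred from the sample lines above.

```python
import re

# CSI "SGR" colour sequences such as ESC[0;33;1m, as seen in the Grok error above.
ANSI_SGR = re.compile(r"\x1b\[[0-9;]*m")
# Process prefix seen in the page's samples, e.g. "nginx.1 | ".
PROC_PREFIX = re.compile(r"^(?P<proc>[\w.-]+\.\d+)\s*\|\s?")
# nginx error-log lines start with "YYYY/MM/DD HH:MM:SS [level]".
ERROR_LINE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(?P<level>\w+)\] (?P<msg>.*)$")
# Access layout inferred from the nginx-proxy sample: vhost first, upstream last.
ACCESS_LINE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" "(?P<upstream>[^"]*)"$'
)

def normalize(raw):
    """Return (process, clean_line) with colour codes and the prefix removed."""
    line = ANSI_SGR.sub("", raw).rstrip("\r\n")
    m = PROC_PREFIX.match(line)
    return (m.group("proc"), line[m.end():]) if m else (None, line)

def classify(raw):
    """Route one raw container line to an 'error', 'access' or 'unparsed' record."""
    proc, line = normalize(raw)
    for kind, pattern in (("error", ERROR_LINE), ("access", ACCESS_LINE)):
        m = pattern.match(line)
        if m:
            return {"fileset": kind, "process": proc, **m.groupdict()}
    return {"fileset": "unparsed", "process": proc, "message": line}

# Constructed samples: the post's two nginx-proxy lines, abridged, with the
# colour codes re-added where the Grok error and "[0m" residue suggest they sat.
ESC = "\x1b"
SAMPLES = [
    ESC + '[0;33;1mnginx.1 | ' + ESC + '[0mkibana.home.REDACTED.me 172.27.0.1 - - '
    '[06/Aug/2021:13:41:28 +0100] "POST /api/ui_counters/_report HTTP/2.0" 200 15 '
    '"https://kibana.home.REDACTED.me/app/discover" "Mozilla/5.0" "172.29.0.20:5601"',
    ESC + '[0;33;1mnginx.1 | ' + ESC + '[0;31;1m2021/08/06 13:48:14 [warn] 61#61: *22 a client '
    'request body is buffered to a temporary file, client: 172.27.0.1' + ESC + '[0m',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

A line in the vanilla nginx layout has no leading vhost, so it falls through to `unparsed` here rather than being parsed with shifted fields.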