best way to send docker container logs to logstash

Let's say I have Nginx running inside a container (docker).
The access log and error logs are sent through STDOUT, in the Dockerfile:

# forward request and error logs to docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log
RUN ln -sf /dev/stderr /var/log/nginx/error.log

Logspout seems an elegant solution to send STDOUT of your container inside logstash (configured with a syslog input)

input {
    syslog {
        type => syslog
        port => 5514
    }
}

But logspout has no idea about the format of the log sent through STDOUT (or am I missing something?)

So do I have to do something like:

input {
    syslog {
        type => "nginx-access"
        port => 5514
    }
}

But then what about the nginx error log? And what if I send php-fpm logs through STDOUT too? How does logspout manage this?

Another solution is to run rsyslog inside the container and send the collected logs to the input of logstash ...

As you can see it is not really clear for me ... I would like to be able to send nginx and php-fpm logs to logstash so they can be interpreted as what they are ... but I don't find a "good practice" ...

Can you help me please?

kondor asked Mar 04 '15 10:03


2 Answers

You can do this, now, with a bit of Italian-style plumbing.

In newer versions of Docker, there is a GELF output driver, which you can configure to send the logs. Since logstash has a GELF input plugin, you can configure logstash to receive those same log messages, and do something useful with them.

Another option, if you'd prefer to avoid the GELF translation round-trip, is to use logspout-logstash, a logstash output plugin for logspout, which reads log entries as they come out of Docker.

Addendum: I've been active in this space since this answer was originally written, and have built mobystash as a more modern and manageable replacement for logspout-logstash, as well as syslogstash for taking syslog messages direct from the /dev/log socket and putting them in logstash.

womble answered Nov 07 '22 19:11
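An added example, not part of the answer above or of any project's code: a Python decoder for the datagrams Docker's GELF log driver emits, showing how the question's nginx access, nginx error and php-fpm lines can be told apart on the receiving side. It relies on the driver tagging stdout lines with level 6 and stderr lines with level 3 and on its `_container_name` field; the `ROUTES` table, the container names and the sample datagrams are constructed for illustration.

```python
import gzip
import json
import zlib

# Syslog severities Docker's gelf log driver sets per stream.
STDOUT_LEVEL, STDERR_LEVEL = 6, 3

# Hypothetical routing table: container-name prefix -> (stdout type, stderr type).
ROUTES = {
    "nginx": ("nginx-access", "nginx-error"),
    "php-fpm": ("php-fpm", "php-fpm-error"),
}

def decode_gelf(datagram: bytes) -> dict:
    """Decode one unchunked GELF UDP datagram (gzip, zlib or plain JSON)."""
    if datagram[:2] == b"\x1e\x0f":
        raise ValueError("chunked GELF message: reassemble the chunks first")
    if datagram[:2] == b"\x1f\x8b":
        datagram = gzip.decompress(datagram)
    elif datagram[:1] == b"\x78":
        datagram = zlib.decompress(datagram)
    return json.loads(datagram.decode("utf-8"))

def classify(msg: dict) -> str:
    """Map a decoded message to an event type; 'unknown' if nothing matches."""
    name = msg.get("_container_name", "")
    for prefix, (out_type, err_type) in ROUTES.items():
        if name.startswith(prefix):
            if msg.get("level") == STDERR_LEVEL:
                return err_type
            if msg.get("level") == STDOUT_LEVEL:
                return out_type
    return "unknown"

def _sample(container: str, level: int, line: str, pack=gzip.compress) -> bytes:
    """Build a constructed datagram shaped like the gelf driver's output."""
    body = {"version": "1.1", "host": "dockerhost", "short_message": line,
            "level": level, "_container_name": container}
    return pack(json.dumps(body).encode("utf-8"))

# Constructed sample datagrams, not captured traffic.
SAMPLES = [
    _sample("nginx_web_1", 6, '203.0.113.7 - - "GET / HTTP/1.1" 200 612'),
    _sample("nginx_web_1", 3, "[error] 7#7: open() failed (2: No such file)"),
    _sample("php-fpm_app_1", 3, "WARNING: [pool www] child exited", zlib.compress),
    _sample("redis_cache_1", 6, "Ready to accept connections", bytes),
]

def demo() -> list:
    return [classify(decode_gelf(d)) for d in SAMPLES]

if __name__ == "__main__":
    print(demo())
```

The same two conditions (container name, then level) are what a logstash filter behind a GELF input would branch on before applying a format-specific parser.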


I just noticed that recent versions of nginx can be configured to log to network syslog daemons.

Logging to syslog is available since version 1.7.1.

Using this you can configure a syslog input filter on a dedicated UDP port in logstash and you are off to the races.

Unfortunately, v1.7.1 is a long way off in official repos. You'll need a log shipper somewhere.

  1. In the nginx container.
  2. In a parallel container using '--volumes-from' to access the nginx container.
  3. On the docker host with volumes bound to the host filesystem.

You have many log shippers to pick from and a free chapter of The Logstash Book dedicated to the subject.

Dan Garthwaite answered Nov 07 '22 20:11