Getting Logs from Docker Containers #918
Comments
|
Currently not on our closer roadmap. Here is quite an old thread about a similar topic: https://github.com/elastic/libbeat/issues/37 There is also dockerbeat out there, but so far I think they focus on the metrics: https://github.com/Ingensi/dockerbeat |
|
FYI, moby/moby#14949 |
|
moby/moby#18604 - external plugins for logging |
andrewkroh
added
enhancement
discuss
|
Any update or other developments on this? |
|
@jmreicha It is definitively an ongoing discussion. A log driver is only one of the options. You can already fetch now docker logs by mounting them into a filebeat container. The bigger challenge is how to handle the docker meta data related to the logs. |
|
@ruflin good to know. Having some issues with docker's Gelf driver currently. Am wondering if there is some equivalent setup that I can do with e.g. filebeat. Beware moby/moby#17904 if you are using the Gelf driver. Basically, docker caches the ip for your gelf endpoint forever. Which basically mean your logs go to /dev/null as soon as your logstash nodes roll over, which tends to happen in you have e.g. auto scaling groups and route 53 based resolution. |
|
@jillesvangurp Lets move the discussion about the how to https://discuss.elastic.co/c/beats/filebeat Happy to comment there. |
|
Interesting read moby/moby#28403 @ruflin I can't find the discussion thread on discuss, where is it? |
|
@gquintana Not sure if @jillesvangurp ever created it ... |
|
So right now docker 17.05 already have support for plugin loggers, can someone with coding skills pick the beat/filebeat code and extend it to be a docker plugin. Being able to send to logstash or kafka and merge multilines is something that most people want, but also confirm that you can merge "Partial" messages (docker now break bigger lines in 16k blocks, so the logger need to reconstruct then back) right now i only know 2 logger plugins that can serve as example: |
|
I want to have a look to that, as you have probably seen we have been working on improving our support for Docker and Kubernetes and I want to keep pushing, thanks for the pointers |
|
We've just started work on a Redis log driver based on the new Docker log plugin support (https://github.com/pressrelations/docker-redis-log-driver). So far it supports appending logs to a Redis list, but it's still very immature. Would that be helpful to you? |
|
We recently merged #4495, and it will go into 6.0. Of course it doesn't implement docker plugin but it's able to match logs source path and enrich them with docker metadata, settings for that would look like this: I would like to get feedback on this, so feel free to comment or open new issues! |
|
@exekias i have read in some docker or filebeat github issue that using the /var/lib/docker/containers//-json.log directly for getting the logs is not recommended, docker reports that that file is "internal" use only and one should use the docker log driver or plugin. I do not recall exactly what was the problem, but maybe it is better to check with the docker devs Also, this was added to what beat? dockerbeat? metricbeat? filebeat? |
|
@exekias so one problem with using a file prospector is the delay in finding new files, for short lived containers. we have this issue in our current environment, whereby we used docker-logstash-forwarder to handle detecting new containers and removing old containers respectively. Even if it is configured to search for new files every 1 second, there is still potential for missing data here. And the worst part is those really short lived containers that may get immediately removed are the ones that you may want logs for the most, as they are likely to be startup errors of some form (eg. some application couldn't connect to some dependent resource, and self destructed). The only real solution I could come up with here is to use one of the docker log plugins (eg. journald + journalbeat, or skip filebeat entirely and use docker-redis-log-driver to populate a redis list, which logstash can slurp up and handle post-processing accordingly (in a horizontally scalable manner)). Both of these mechanisms involve the Docker daemon doing a push of all generated logs to the log plugin, regardless of how short lived it was. Depending on the log ingest pipeline in your infrastructure, I am sure other Docker log plugins could also be utilized to achieve a similar result. |
|
Docker log plugins sounds like the future proof way but it will probably take a few releases to stabilize and get widely used so this sounds like a decent interim solution despite the concerns around short lived containers. One practical concern with the filebeat approach of harvesting the json logs on the host is that it requires access to the host machine. This is not necessarily the case for a lot of hosted or managed docker solutions. Another thing to consider might be adding docker swarm related metadata (e.g. service name). |
|
@danielmotaleite it's not recommended but still what many projects do, docker logging plugin only works in latest versions, this adds broader compatibility (and doesn't mean we won't work on that in the future). @CpuID I'm curious about the short lived containers issue, log files remain in place after they have died, from my experience and tests I didn't miss logs, perhaps metadata is the issue? filebeat would still send the log anyway, I can modify beats to keep docker metadata for a while after the container is gone but it would be nice to reproduce the issue first :) @jillesvangurp that's my reasoning too, I think this is the feature offering broader support as for now, I plan to keep pushing on docker so we can expect several ways of doing this in the future. About the local files access, I've tested this locally, in GCP and AWS, it works in all of them, but I would be interested to know if you find any service where log files access is not possible |
|
@exekias It's not so much the file/ssh access as access to the automated scripts that create the hosts that run the docker containers, which you would need to modify to add filebeat on the host. If you use e.g. amazon beanstalk or the managed kubernetes setup on google cloud, this is an issue because you typically use it as is. Long term an ideal solution would be some way to access the log from a docker container via the docker api. So, you would simply deploy a container to a docker host that then starts gathering logs the other containers on that host. I'm not sure if that's in scope for the plugin stuff that docker is working on currently. There are also some interesting security concerns around this. |
|
Ah I get your point now, yes, I would normally recommend to launch filebeat inside a container and mount Docker API is another option too, definitely something to take a look to |
@exekias I haven't touched our implementation for this issue (and last I checked it still persists) in about 12mths now, but when I refactor this part of our ingest pipeline I'll try and get more details to pass on :) I do remember looking for logs for short lived containers in our ELK stack, and couldn't find them. |
|
I have a rough idea on collecting container log by using a filebeat container. @exekias By mounting /var/run/docker.sock into the filebeat container, it is possible to capture all the containers which are running, creating or disappearing on the host by calling docker API. So that we can locate which logs should be collected automatically and resolving container_id to container_name which should be added to the data filed. In some circumstances, we run some containers as one service(e.g. a swarm mode service with 3 replicas). So it is reasonable to merge several containers's log into one log view. On the other hand, for elk stack, that is pushing some containers's logs into one index. So it will be necessary to specify one tag for these containers to tell if should merging their logs. A simple way for filebeat is to capture all the containers' labels (such as output {
elasticsearch {
hosts => "http://eshost:9200"
index => "%{com.docker.swarm.service.name}-%{+YYYY.MM}"
}
}As described above. It is no need to specify a yml file to config the filebeat. The configs should be handled and reloaded automatically. The only thing is to tell which place should the log data goes to. We can config this by setting --evn flag for the filebeat container. The only thing I concern is that if |
|
Docker has said they do not want other services reading the json-log files. I asked to be able to configure the permissions on the files at moby/moby#17763 , which was quickly rejected with:
and
That said, multiline parsing is critical. |
|
https://docs.docker.com/engine/extend/plugins_logging It looks the way forward is custom plugins; a beats plugin would be nice. |
|
I am glade to tell that this function has already been integrated with filebeat 6.0 . And It works nicely for me. I had reported a bug on filebeat 6.0 beta and it was resolved recently. A simple example was given on this bug report. Someone who want to try this new feature could view on it. Multiline logs such as java stack trace can be joind into one event which docker gelf log-driver cannot. But I still don't find a way to tell filebeat which container's log should not be collected. It collect all the container's log on the host machine. This may cause heavy network traffic and do harm to network performace I think. |
|
@jhmartin while using json-file is not recommended, it's the default logging driver in many cases so we want to support it, we will probably add support for alternative drivers in the future. @jillesvangurp thanks, we are aware of this and may support it in the future, but we have to take into account that it's pretty recent, so old version of docker wouldn't work. @dengqingpei1990 I'm glad you got it working!, we plan to support better ways to select what containers to watch. For the moment I would recommend using drop_event processor to whitelist/blacklist by dokcer image (for instance). |
If the container is removed using @exekias are you able to clarify the difference between using Is my assumption that the I suspect both approaches are still going to have the race condition situation of short lived containers being missed, but I plan to verify that in the coming days (refactoring our edge log ingests currently). I still have a feeling the Docker log plugin will be the only way to ensure no missed logs, as there will be an explicit push event from the Docker daemon for each log line, I suspect some may end up being fired off after a short lived container has died but they would still be fired. |
Your assumption is correct, in general autodiscover will detect new logs sooner as it gets notified by Docker itself.
Please let us know about the outcome of this research 😄, In general, I agree with the logging driver, it has its own challenges too, for instance: surviving restarts or blocked output. I see spooling to disk as a requirement to do this right. |
|
@exekias from https://docs.docker.com/engine/extend/plugins_logging/#logdriverstoplogging
Looking through the implementation doc in full, it seems the approach taken by Filebeat Autodiscover vs Docker Logging Plugins are very similar, effectively:
The biggest difference is that a logging plugin controls when dockerd deletes the log file in question. So if a |
The interesting thing to consider: if the container was started and stopped before filebeat opened the log inode, it wouldn't be available. But if it did manage to open it prior to deletion (with the current implementation) it should retain access to it to read the remaining logs (delete files normally remain available until the inodes are closed in my experience). Then it would be up to filebeat to detect "the file was deleted, stop harvesting". So 1 out of 2 of the use cases should be fine, the remaining one being the main concern. Ah gotta love 80/20 (or 90/10) implementation requirements :) |
|
As a followup to #918 (comment) just did a quick test without autodiscover - using: And spawned a container with the following: FROM alpine:3.6
RUN apk add --no-cache bash
COPY ./test.sh /test.sh
CMD [ "/test.sh" ]#!/bin/bash
echo "$(date) : start"
sleep 2
echo "$(date) : end"And watched the The first time it harvested, the second time it didn't. First time: The second time, no output that a harvester was started/stopped at all. Will proceed to try getting autodiscover working (working through the config examples), and see what that yields for comparison. I would expect more reliable due to receiving Docker events, time will tell :) |
|
OK tested autodiscover, seems to be more reliable (as expected). Note there is a 2 second sleep in this test image right now, I'll test without that in a second. Almost instantaneous harvesting of new containers which is a positive. And the test results of running 3 containers in succession, a few seconds apart (I added the extra 's between |
|
Autodiscover looks very promising :) 10 runs, 2 second sleep between (for filebeat log identification purposes mostly): And 10/10 harvesters :) |
|
I'm running docker containers on hosts which have already configured Having a way to get the output like with |
|
Any update on this? We're in September 2018... |
|
IIRC, since filebeat 6.1 (or was 6.0?) you can configure it to automatically discover and process the docker logs: Notice this is not a docker log plugin, but it works fine and should detect short lived containers and read their logs. It also add some docker metadata to the events a beat docker log plugin would be good, but this is working for me |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
botelastic
bot
added
Stalled
needs_team
|
This issue doesn't have a |
Any road map for supporting docker log driver?
The text was updated successfully, but these errors were encountered: