systemd - Structured logging to journald from within a docker container


What is the best way to write structured logs to journald from within a docker container?

For example, I have an application that writes using sd_journal_send. Rather than change the app, I have tried passing through

-v /var/log/systemd/journal:/var/log/systemd/journal

It works on an Ubuntu 16.04 desktop, but not on the CoreOS instances where the app runs (which use the Ubuntu 16.04 base image). I don't quite understand why. Perhaps there is a better way to send to the journal?

What limitations does the docker journald output logging option have? It didn't appear to support apps writing more than the message field.

--

So I have found that you need -v /dev/log:/dev/log

But there is a problem in that there is no association with the service file that starts the docker container. Manually adding unit: servicename.service didn't solve it. So, when looking at it and shipping logs from the service, it's associated with the exe, not the container or service. Has anyone encountered these problems, and how have you solved them?

-- OK, let me expand a bit.

A C program can write to the systemd journal like this:

    #include <systemd/sd-journal.h>
    #include <unistd.h>
    #include <stdlib.h>

    int main(int argc, char *argv[]) {
            /* Field names must be uppercase; the argument list ends with NULL. */
            sd_journal_send("MESSAGE=Hello World!",
                            "MESSAGE_ID=52fb62f99e2c49d89cfbf9d6de5e3555",
                            "PRIORITY=5",
                            "HOME=%s", getenv("HOME"),
                            "TERM=%s", getenv("TERM"),
                            "PAGE_SIZE=%li", sysconf(_SC_PAGESIZE),
                            "N_CPUS=%li", sysconf(_SC_NPROCESSORS_ONLN),
                            NULL);
            return 0;
    }

This writes to the journal and adds custom fields HOME, TERM, PAGE_SIZE etc. When I use journalbeat to ship them to the ELK stack, those fields end up nicely in Elasticsearch and I can search on them directly.

However, it seems docker simply takes the stdout of apps and feeds it to journald with a few fields it adds itself, e.g. CONTAINER_ID.

When using such programs inside a docker container and running them from a service file, this creates a slight problem.

1) I have to pass through directories and device files to get them to write with sd_journal_send.

2) If you start a container from a systemd .service file and expect to use journalctl -u servicename and see the messages, those log messages aren't seen because they went to the journal by a different route and don't get associated with the service that ran them.

3) You can add arbitrary fields/tags using docker's journald logging driver, but they are fixed, one-time additions that appear on every message sent and are unchanging. They are not dynamic fields like I want from the C code above.

Essentially, the journald log driver is insufficient in my case.

Any suggestions on how to link the service name so that journalctl -u shows the log messages from sd_journal_send? That would fix it.

-- I've found a solution. I'll put the answer below in case others are interested in how I've solved it.

The eventual solution turned out to be simple.

I switched to writing messages as pure JSON. So journalctl -u works and shows the MESSAGE field containing the JSON data.

I then used journalbeat to send that to logstash.

To logstash.conf I added:

    filter {
      json {
        source => "message"
      }
    }

What this does is expand the JSON data from the message field into separate fields at the top level before sending them to Elasticsearch.

Details of the json filter for logstash can be found here
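
The approach from the answer, as an added example (not code from the original post): a C helper that emits one JSON object per line on stdout, which Docker's journald log driver stores as the message for the Logstash json filter to expand. The function names and lowercase JSON keys are assumptions; values are JSON-escaped so a message or environment variable containing quotes or newlines cannot add fields or split the entry.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Append s verbatim; returns -1 instead of overflowing out. */
static int raw(char *out, size_t cap, size_t *pos, const char *s) {
    size_t n = strlen(s);
    if (*pos + n + 1 > cap) return -1;
    memcpy(out + *pos, s, n + 1);
    *pos += n;
    return 0;
}

/* Append s as a JSON string. Quotes, backslashes and control bytes are
 * escaped so a value cannot close the string, add fields or start a new line. */
static int json_str(char *out, size_t cap, size_t *pos, const char *s) {
    char esc[8];
    if (raw(out, cap, pos, "\"")) return -1;
    for (s = s ? s : ""; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '"' || c == '\\') snprintf(esc, sizeof esc, "\\%c", c);
        else if (c < 0x20)         snprintf(esc, sizeof esc, "\\u%04x", (unsigned)c);
        else                       snprintf(esc, sizeof esc, "%c", c);
        if (raw(out, cap, pos, esc)) return -1;
    }
    return raw(out, cap, pos, "\"");
}

/* Build one JSON object per line; the key names are illustrative assumptions. */
int build_log_line(char *out, size_t cap, const char *msg,
                   const char *home, long n_cpus) {
    size_t pos = 0;
    char num[32];
    snprintf(num, sizeof num, "%ld", n_cpus);
    if (raw(out, cap, &pos, "{\"message\":") || json_str(out, cap, &pos, msg) ||
        raw(out, cap, &pos, ",\"home\":")    || json_str(out, cap, &pos, home) ||
        raw(out, cap, &pos, ",\"n_cpus\":")  || raw(out, cap, &pos, num) ||
        raw(out, cap, &pos, "}\n"))
        return -1;
    return (int)pos;
}

int main(void) {
    char line[1024];
    if (build_log_line(line, sizeof line, "Hello World!", getenv("HOME"),
                       sysconf(_SC_NPROCESSORS_ONLN)) < 0) return 1;
    return fputs(line, stdout) == EOF;  /* one stdout line = one journal entry */
}
```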

