Monitoring Logs with the Elastic Stack - Basic ELK Setup

Author: ChristopherGS

exercise_notebooks/elk_exercise/Dockerfile

@@ -0,0 +1,23 @@
+FROM python:3.7-alpine
+WORKDIR /application
+
+COPY ./requirements.txt requirements.txt
+RUN apk add --no-cache \
+		gcc \
+		libc-dev \
+		linux-headers \
+		bash; \
+	pip install -r requirements.txt;
+
+COPY . /application
+
+
+EXPOSE 5000
+VOLUME /application
+CMD gunicorn --bind 0.0.0.0:5000 \
+             --workers=1 \
+             --log-config gunicorn_logging.conf \
+             --log-level=DEBUG \
+             --access-logfile=- \
+             --error-logfile=- \
+             application:application

exercise_notebooks/elk_exercise/app/__init__.py

@@ -0,0 +1,18 @@
+import logging
+
+from flask import Flask
+
+gunicorn_error_logger = logging.getLogger('gunicorn.error')
+gunicorn_error_logger.setLevel(logging.DEBUG)
+
+
+def index():
+    gunicorn_error_logger.info('hello')
+    return 'home'
+
+
+def create_app():
+    main_app = Flask(__name__)
+    main_app.add_url_rule('/', 'index', index)
+
+    return main_app

exercise_notebooks/elk_exercise/app/flask_app.py

@@ -0,0 +1,7 @@
+from app.flask_app import create_app
+
+
+application = create_app()
+
+if __name__ == '__main__':
+    application.run()

exercise_notebooks/elk_exercise/application.py

@@ -0,0 +1,91 @@
+version: '3.2'
+
+services:
+  # The environment variable "ELK_VERSION" is used throughout this file to
+  # specify the version of the images to run. The default is set in the
+  # '.env' file in this folder. It can be overridden with any normal
+  # technique for setting environment variables, for example:
+  #
+  #  ELK_VERSION=6.0.0-beta1 docker-compose up
+  #
+  # REF: https://docs.docker.com/compose/compose-file/#variable-substitution
+  webapp:
+    build: .
+    container_name: webapp
+    expose:
+      - 5000
+    ports:
+      - 5000:5000
+    links:
+      - logstash
+    networks:
+      - elk
+    depends_on:
+      - logstash
+      - kibana
+      - elasticsearch
+    volumes:
+      - ./:/application
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
+    volumes:
+      - type: bind
+        source: ./elasticsearch/config/elasticsearch.yml
+        target: /usr/share/elasticsearch/config/elasticsearch.yml
+        read_only: true
+      - type: volume
+        source: elasticsearch
+        target: /usr/share/elasticsearch/data
+    ports:
+      - "9200:9200"
+      - "9300:9300"
+    environment:
+      ES_JAVA_OPTS: "-Xmx256m -Xms256m"
+      ELASTIC_PASSWORD: changeme
+      # Use single node discovery in order to disable production mode and avoid bootstrap checks
+      # see https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
+      discovery.type: single-node
+    networks:
+      - elk
+
+  logstash:
+    image: docker.elastic.co/logstash/logstash:${ELK_VERSION}
+    volumes:
+      - type: bind
+        source: ./logstash/config/logstash.yml
+        target: /usr/share/logstash/config/logstash.yml
+        read_only: true
+      - type: bind
+        source: ./logstash/pipeline
+        target: /usr/share/logstash/pipeline
+        read_only: true
+    ports:
+      - "5001:5001"
+      - "9600:9600"
+    environment:
+      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
+    networks:
+      - elk
+    depends_on:
+      - elasticsearch
+
+  kibana:
+    image: docker.elastic.co/kibana/kibana:${ELK_VERSION}
+    volumes:
+      - type: bind
+        source: ./kibana/config/kibana.yml
+        target: /usr/share/kibana/config/kibana.yml
+        read_only: true
+    ports:
+      - "5601:5601"
+    networks:
+      - elk
+    depends_on:
+      - elasticsearch
+
+networks:
+  elk:
+    driver: bridge
+
+volumes:
+  elasticsearch:

exercise_notebooks/elk_exercise/docker-compose.yml

@@ -0,0 +1,11 @@
+---
+## Default Elasticsearch configuration from Elasticsearch base image.
+## https://github.com/elastic/elasticsearch/blob/master/distribution/docker/src/docker/config/elasticsearch.yml
+cluster.name: "docker-cluster"
+network.host: 0.0.0.0
+
+## X-Pack settings
+## see https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-xpack.html
+xpack.license.self_generated.type: basic
+xpack.security.enabled: true
+xpack.monitoring.collection.enabled: true

exercise_notebooks/elk_exercise/elasticsearch/config/elasticsearch.yml

@@ -0,0 +1,46 @@
+[loggers]
+keys=root, logstash.error, logstash.access
+
+[handlers]
+keys=console, logstash
+
+[formatters]
+keys=generic, access, json
+
+[logger_root]
+level=INFO
+handlers=console
+
+[logger_logstash.error]
+level=INFO
+handlers=logstash
+propagate=1
+qualname=gunicorn.error
+
+[logger_logstash.access]
+level=INFO
+handlers=logstash
+propagate=0
+qualname=gunicorn.access
+
+[handler_console]
+class=StreamHandler
+formatter=generic
+args=(sys.stdout, )
+
+[handler_logstash]
+class=logstash.TCPLogstashHandler
+formatter=json
+args=('logstash', 5001)
+
+[formatter_generic]
+format=%(asctime)s [%(process)d] [%(levelname)s] %(message)s
+datefmt=%Y-%m-%d %H:%M:%S
+class=logging.Formatter
+
+[formatter_access]
+format=%(message)s
+class=logging.Formatter
+
+[formatter_json]
+class=pythonjsonlogger.jsonlogger.JsonFormatter

exercise_notebooks/elk_exercise/gunicorn_logging.conf

@@ -0,0 +1,13 @@
+---
+## Default Kibana configuration from Kibana base image.
+## https://github.com/elastic/kibana/blob/master/src/dev/build/tasks/os_packages/docker_generator/templates/kibana_yml.template.js
+#
+server.name: kibana
+server.host: "0"
+elasticsearch.hosts: [ "http://elasticsearch:9200" ]
+xpack.monitoring.ui.container.elasticsearch.enabled: true
+
+## X-Pack security credentials
+#
+elasticsearch.username: elastic
+elasticsearch.password: changeme

exercise_notebooks/elk_exercise/kibana/config/kibana.yml

@@ -0,0 +1,12 @@
+---
+## Default Logstash configuration from Logstash base image.
+## https://github.com/elastic/logstash/blob/master/docker/data/logstash/config/logstash-full.yml
+#
+http.host: "0.0.0.0"
+xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearch:9200" ]
+
+## X-Pack security credentials
+#
+xpack.monitoring.enabled: true
+xpack.monitoring.elasticsearch.username: elastic
+xpack.monitoring.elasticsearch.password: changeme

exercise_notebooks/elk_exercise/logstash/config/logstash.yml

@@ -0,0 +1,17 @@
+input {
+	tcp {
+		port => 5001
+		tags => ["webapp_logs"]
+		type => "webapp_logs"
+		codec => json
+	}
+}
+
+output {
+	elasticsearch {
+		hosts => "elasticsearch:9200"
+		user => "elastic"
+		password => "changeme"
+ 		index => "webapp_logs-%{+YYYY.MM.dd}"
+ 		}
+}

exercise_notebooks/elk_exercise/logstash/pipeline/logstash.conf

@@ -0,0 +1,5 @@
+Flask>=1.1.1,<1.2.0
+python3-logstash>=0.4.80,<0.5.0
+python-json-logger>=0.1.11,<0.2.0
+gunicorn>=20.0.4,<20.1.0
+