GrayLog + Logspout + Docker 实现分布式日志聚合

---

前提条件：你的服务器上已经安装了Docker和Docker Compose

一、安装GrayLog（Docker方式）

version: '2'
services:
  mongodb:
    image: mongo:3
    volumes:
      # Persisting data
      - ./data/mongo:/data/db
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.3
    volumes:
      # Persisting data
      - ./data/elasticsearch:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  graylog:
    image: graylog/graylog:2.4.0-1
    volumes:
      # Persisting data
      - ./data/graylog:/usr/share/graylog/data/journal
      # Mount local configuration directory into Docker container
      - ./config:/usr/share/graylog/data/config
    environment:
      # CHANGE ME!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      # 这里必须修改为你机器的外网地址
      - GRAYLOG_WEB_ENDPOINT_URI=http://127.0.0.1:9000/api
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 514:514
      # Syslog UDP
      - 514:514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp

二、自定义GrayLog配置文件

在与上面docker-compose.yml文件同级目录下执行如下命令下载官方配置文件

mkdir -p config
cd config
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/2.4/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/2.4/config/log4j2.xml

（可选）如果需要修改GrayLog时区和搜索高亮显示，则需要修改graylog.conf如下配置：

# 设置时区
root_timezone = Asia/Shanghai
# 开启高亮显示
allow_highlighting = true

三、配置GrayLog日志接收器

浏览器访问：http://127.0.0.1:9000（默认账号是admin/admin），依次打开：System/Inputs

四、使用Logspout将Docker输出发送到GrayLog

version: '3'
services:
  #服务名称
  logspout:
    #服务使用的镜像
    image: micahhausler/logspout:gelf
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    #需要改成你的GrayLog服务器所在的地址
    command:
      gelf://127.0.0.1:12201
    #服务端口号
    ports:
    - "8000:80"
  bounter-docker:
    image: 127.0.0.1:5000/bounter/bounter-docker
    #修改容器时区，使它与宿主机保持一致
    volumes:
      - "/etc/timezone:/etc/timezone"
      - "/etc/localtime:/etc/localtime"
    ports:
    - "8080:8080"

五、查看日志

是不是觉得挺简单啊，那就赶快自己动手试试吧！