tested on debian12
file-d wants valid ssl certs from the data nodes – you might use your own CA, tho
grab latest binary
ver=0.61.0
wget https://github.com/ozontech/file.d/releases/download/v$ver/file.d_${ver}_linux_amd64.deb
dpkg -i file.d_${ver}_linux_amd64.deb
apt-get -f install
you will need the root CA certificate from one of the data nodes
from your workstation
scp opensearch0:/etc/opensearch/root-ca.pem ./
chmod 444 root-ca.pem
scp root-ca.pem file-d:/etc/file.d/
back to the file-d node
make sure the data node's hostname resolves to the name listed in its certificate's SAN (otherwise TLS verification fails)
vi /etc/hosts
    10.1.0.30 node-0.example.com
ping -c1 node-0.example.com
nmap -p 9200 node-0.example.com
welcome pipeline outputs to elastic/osearch
# how many workers?
grep ^proc /proc/cpuinfo | tail -1
cd /etc/file.d/
cp -pi config.yaml config.yaml.dist
vi config.yaml
e.g. watch containers
pipelines:
  docker_pipeline:
    input:
      type: file
      paths:
        include:
          # /var/lib/docker/containers/51a3e.../51a3e...-json.log
          - '/var/lib/docker/containers/*/*-json.log'
      offsets_file: /tmp/file-d-offsets.yaml
      offsets_op: tail
    actions:
      - type: set_time
        field: "@timestamp"
send to console for testing
    output:
      type: stdout
–or– send to elk/osearch already
    output:
      type: elasticsearch
      endpoints: ["https://node-0.example.com:9200"]
      ca_cert: /etc/file.d/root-ca.pem
      index_format: "nginx-test-access"
      username: admin
      password: PASSWORD
      connection_timeout: 1s
      workers_count: 3
      batch_op_type: create
      fatal_on_failed_insert: true
something nginx specific
    actions:
      - type: remove_fields
        fields: [time_iso8601]
acceptance
file.d --config=/etc/file.d/config.yaml
echo '{ "testfield": "test ok" }' >> /tmp/welcome.json
install nginx and set up a JSON log format with escaping (escape=json keeps quotes in request lines and user agents from breaking the JSON)
apt install nginx curl
cd /etc/nginx/
cp -pi nginx.conf nginx.conf.dist
vi nginx.conf
http {
    # https://pub.nethence.com/www/nginx
    log_format json escape=json '{'
    ...
    '}';
cd sites-available/
cp default default.dist
vi default
server {
    access_log /var/log/nginx/access.json json;
nginx pipeline (same output as above)
  nginx_access:
    input:
      type: file
      persistence_mode: async
      watching_dir: /var/log/nginx/
      filename_pattern: "*.json"
      offsets_file: /tmp/offsets-nginx.yaml
      offsets_op: continue
    actions:
      - type: set_time
        field: "@timestamp"
      - type: remove_fields
        fields: [time_iso8601]
      - type: rename
        override: false
        host: vhost
      - type: modify
        sensor: file.d@file-d
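to see what the four actions above actually do to an event before it hits opensearch, here is a small Python approximation of the nginx_access pipeline (added example, not code from this page nor from the file.d project). it applies set_time, remove_fields, rename (with override: false) and modify in order to a few constructed nginx JSON log lines, and rejects a line written without escape=json, which is why that nginx setting matters. field names (time_iso8601, host, vhost, sensor) are the ones from the config above; everything else is assumed.

```python
"""Added example: a Python approximation of the nginx_access pipeline actions.
Not file.d code; the sample log lines below are constructed for the demo."""
import json
from datetime import datetime, timezone

# Constructed lines as nginx writes them with `log_format json escape=json`.
# The second one has a double quote in the user agent; escape=json turns it
# into \" so the line stays valid JSON. The third already carries a vhost key.
SAMPLE_LINES = [
    '{"time_iso8601":"2024-05-01T12:00:00+00:00","host":"node-0.example.com","request":"GET / HTTP/1.1","status":200}',
    '{"time_iso8601":"2024-05-01T12:00:01+00:00","host":"node-0.example.com","request":"GET /x HTTP/1.1","status":404,"http_user_agent":"say \\"hi\\""}',
    '{"time_iso8601":"2024-05-01T12:00:02+00:00","host":"node-0.example.com","vhost":"already-set","status":200}',
]
# Constructed line written WITHOUT escape=json: the raw quote breaks the JSON.
BROKEN_LINE = '{"time_iso8601":"2024-05-01T12:00:03+00:00","http_user_agent":"say "hi""}'


def set_time(event, field="@timestamp", now=None):
    """set_time: stamp the event with the ingestion time (RFC 3339, UTC)."""
    now = now or datetime.now(timezone.utc)
    event[field] = now.isoformat()
    return event


def remove_fields(event, fields):
    """remove_fields: drop the listed keys (the page drops time_iso8601)."""
    for f in fields:
        event.pop(f, None)
    return event


def rename(event, mapping, override=False):
    """rename: move each key to its new name. With override False an existing
    target key is left untouched and the source key is kept as well."""
    for src, dst in mapping.items():
        if src not in event:
            continue
        if dst in event and not override:
            continue
        event[dst] = event.pop(src)
    return event


def modify(event, fields):
    """modify: set constant fields on every event (the page adds sensor)."""
    event.update(fields)
    return event


def run_pipeline(line, now=None):
    """Apply the page's four actions, in order, to one raw log line.
    Returns the processed event, or None if the line is not valid JSON."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    set_time(event, "@timestamp", now)
    remove_fields(event, ["time_iso8601"])
    rename(event, {"host": "vhost"}, override=False)
    modify(event, {"sensor": "file.d@file-d"})
    return event


def process_file(lines, now=None):
    """Return (events, bad_line_count) for an iterable of raw log lines."""
    events, bad = [], 0
    for line in lines:
        ev = run_pipeline(line, now)
        if ev is None:
            bad += 1
        else:
            events.append(ev)
    return events, bad


if __name__ == "__main__":
    evs, bad = process_file(SAMPLE_LINES + [BROKEN_LINE])
    for ev in evs:
        print(json.dumps(ev))
    print(f"{bad} line(s) rejected as invalid JSON")
```

run it with `python3 pipeline_demo.py`: the three escaped lines come out with @timestamp, vhost and sensor set and time_iso8601 gone, the third keeps its original vhost because override is false, and the unescaped line is counted as rejected rather than silently producing a half-parsed document.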
chmod 600 config*
file.d --config=/etc/file.d/config.yaml
curl -sI localhost | head -1
systemctl restart file.d
systemctl status file.d
systemctl enable file.d
if you want to grab all the logs (read the existing files from the beginning instead of tailing them)
offsets_op: reset
we get freakin' stats no matter what - this doesn't work
report_interval: 0
https://github.com/ozontech/file.d/tags
https://github.com/ozontech/file.d/blob/master/docs/configuring.md
https://ozontech.github.io/file.d/#/docs/configuring
https://github.com/ozontech/file.d/blob/master/docs/examples.md
https://ozontech.github.io/file.d/#/plugin/output/elasticsearch/README
https://ozontech.github.io/file.d/#/plugin/action/set_time/README
https://ozontech.github.io/file.d/#/plugin/action/remove_fields/README