
grafana-loki-syslog-aio's Introduction

grafana-loki-syslog-aio

About The Project

This Loki Syslog All-In-One example is geared to help you get up and running quickly with a Syslog ingestor and visualization of logs. It uses Grafana Loki for storage, with Promtail as the receiver for logs forwarded by syslog-ng. I wrote an introductory blog post about how this AIO project came about as well (pesky intermittent network issues!!)

Note that this All In One is geared towards getting logs from network and compute devices that only speak legacy syslog (RFC 3164 over UDP port 514) into Loki via syslog-ng and Promtail.

Essentially:

RFC3164 Network/Compute Devices -> syslog-ng (UDP port 514) -> Promtail (port 1514) -> Loki (port 3100) <- Grafana (port 3000)

Getting Started

The project is built around a pre-configured Docker stack of Grafana, Loki (with s3/MinIO as the object store), Promtail and syslog-ng.

The stack has been extended to include pre-configured monitoring with Prometheus, cAdvisor and node-exporter.

A simple Syslog generator is included based on Vicente Zepeda Mas's random-logger project.

Prerequisites

Using

This project is built and tested on Linux CentOS 7. To get started, download the code from this repository and extract it into an empty directory. For example:

wget https://github.com/lux4rd0/grafana-loki-syslog-aio/archive/main.zip
unzip main.zip
cd grafana-loki-syslog-aio-main

From that directory, run the docker-compose command:

Full Example Stack: Grafana, Loki with s3/MinIO, Promtail, syslog-ng, Prometheus, cAdvisor, node-exporter

docker-compose -f ./docker-compose.yml up -d

This will pull all of the needed container images and start the containers.

(Optional docker-compose configurations are listed under Options below)

Grafana Dashboards

Once all of the docker containers are started up, point your Web browser to the Grafana page, typically http://hostname:3000/ - with hostname being the name of the server you ran the docker-compose up -d command on. The "Loki Syslog AIO - Overview" dashboard is set as the home dashboard and loads without a login.

Note: this docker-compose stack is designed to be as easy as possible to deploy and go. The login form is disabled, anonymous access is enabled, and the anonymous user has the Admin role, so anyone who can reach port 3000 can change data sources, dashboards and organization settings without credentials. Loki's API on port 3100 and the syslog listeners on ports 514 and 1514 carry no authentication either, so keep the host on a trusted network or behind a firewall. The anonymous role can be reduced to Editor or Viewer by changing the Grafana environmental variable in the docker-compose.yml file to:

GF_AUTH_ANONYMOUS_ORG_ROLE: Viewer

For anything beyond a lab, also set GF_AUTH_ANONYMOUS_ENABLED to false and give GF_SECURITY_ADMIN_PASSWORD a real value, so that dashboards can only be changed after logging in.

Getting Started With Loki

Here are some additional resources you might find helpful if you're just getting started with Loki:

Stack Options:

A few other docker-compose files are also available:

Full Example Stack with Syslog Generator: Grafana, Loki with s3/MinIO, Promtail, syslog-ng, Prometheus, cAdvisor, node-exporter, Syslog Generator

docker-compose -f ./docker-compose-with-generator.yml up -d

Example Stack without monitoring or Syslog generator: Grafana, Loki with s3/MinIO, Promtail, syslog-ng

docker-compose -f ./docker-compose-without-monitoring.yml up -d

Example Stack without MinIO, monitoring, or Syslog generator: Grafana, Loki with the filesystem, Promtail, syslog-ng

docker-compose -f ./docker-compose-filesystem.yml up -d

The Syslog Generator needs Internet access to do a local docker build from the configuration in ./generator. It provides a few named hosts and random INFO, WARN, DEBUG and ERROR logs sent to syslog-ng/Loki.

Configuration Review:

The default Loki storage configuration in docker-compose.yml uses S3 storage backed by MinIO. If you want to use the filesystem instead, use one of the other docker-compose configurations listed above or change the volume mount directly. An example would be:

volumes:
- ./config/loki-config-filesystem.yml:/etc/loki/loki-config.yml:ro

Changing MinIO Keys

The MinIO container sets its Access Key and Secret Key from environment variables at startup, and Loki presents the same pair embedded in its s3:// URL, so the two must agree. The shipped values are published in this repository; change them before the stack is reachable by anyone but you, and keep the edited files out of version control. (Current MinIO images read MINIO_ROOT_USER and MINIO_ROOT_PASSWORD; MINIO_ACCESS_KEY and MINIO_SECRET_KEY are the legacy names.) To change them, you'll need to update two files:

./docker-compose.yml

  MINIO_ACCESS_KEY: minio123
  MINIO_SECRET_KEY: minio456

./config/loki-config-s3.yml

aws:
  s3: s3://minio123:minio456@minio.:9000/loki
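Because the credentials live in two files, a typo in either one breaks chunk storage silently, and leaving the published defaults in place hands the log store to anyone who can reach port 9000. The following Python script, added here as an example and not tooling from the project, reads both files and reports mismatches and unchanged defaults. The two file contents are constructed stand-ins for docker-compose.yml and config/loki-config-s3.yml; the regexes assume the keys are plain YAML scalars under the environment block, and no YAML library is needed.

```python
"""Consistency check for the two places this stack keeps the MinIO credentials:
the MINIO_* environment of the minio service in docker-compose.yml and the
userinfo part of the s3:// URL in config/loki-config-s3.yml.

Added example for this page, not tooling from the project. The file contents
below are constructed stand-ins for the real files, and the regexes are
deliberately narrow so that no YAML library is required."""
import re
from urllib.parse import unquote, urlsplit

PUBLISHED_DEFAULTS = {"minio123", "minio456"}   # the values shipped in the README


def compose_minio_keys(compose_text):
    """MINIO_ACCESS_KEY and MINIO_SECRET_KEY from the compose environment block."""
    keys = {}
    for name in ("MINIO_ACCESS_KEY", "MINIO_SECRET_KEY"):
        m = re.search(r"^\s*%s:\s*['\"]?([^'\"\s#]+)" % name, compose_text, re.M)
        if m is None:
            raise ValueError("%s not set in docker-compose.yml" % name)
        keys[name] = m.group(1)
    return keys


def loki_s3_credentials(loki_text):
    """Credentials Loki will present, taken from 's3: s3://KEY:SECRET@host:port/bucket'.
    Percent-encoding is undone here, which is also how a secret containing
    ':', '@' or '/' has to be written inside that URL."""
    m = re.search(r"^\s*s3:\s*(s3://\S+)", loki_text, re.M)
    if m is None:
        raise ValueError("no s3:// url in loki config")
    u = urlsplit(m.group(1))
    if u.username is None or u.password is None:
        raise ValueError("s3 url carries no credentials: %s" % m.group(1))
    return {"MINIO_ACCESS_KEY": unquote(u.username),
            "MINIO_SECRET_KEY": unquote(u.password),
            "endpoint": u.hostname}


def check(compose_text, loki_text):
    """Findings as a list of strings; an empty list means the two files agree
    and neither value is a published default."""
    compose = compose_minio_keys(compose_text)
    loki = loki_s3_credentials(loki_text)
    findings = []
    for name, value in compose.items():
        if value != loki[name]:
            findings.append("%s differs: compose=%r loki=%r" % (name, value, loki[name]))
        if value in PUBLISHED_DEFAULTS:
            findings.append("%s still uses the published default" % name)
    return findings


# Constructed stand-ins for the relevant fragments of the two files.
COMPOSE_DEFAULT = """\
services:
  minio:
    environment:
      MINIO_ACCESS_KEY: minio123
      MINIO_SECRET_KEY: minio456
"""
LOKI_DEFAULT = """\
aws:
  s3: s3://minio123:minio456@minio.:9000/loki
"""
COMPOSE_ROTATED = """\
services:
  minio:
    environment:
      MINIO_ACCESS_KEY: loki-writer
      MINIO_SECRET_KEY: "Example-Only-Rotate-Me/2024"
"""
LOKI_ROTATED = """\
aws:
  s3: s3://loki-writer:Example-Only-Rotate-Me%2F2024@minio.:9000/loki
"""

if __name__ == "__main__":
    print(check(COMPOSE_DEFAULT, LOKI_DEFAULT))     # two 'published default' findings
    print(check(COMPOSE_ROTATED, LOKI_DEFAULT))     # two 'differs' findings
    print(check(COMPOSE_ROTATED, LOKI_ROTATED))     # []
```

Run it against the real files with open("docker-compose.yml").read() and open("config/loki-config-s3.yml").read() in place of the constructed strings; the rotated pair shows that a secret with a slash has to be percent-encoded in the Loki URL but not in the compose environment.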

Changed Default Configurations In syslog-ng and Promtail

To set this example All In One project up, the following configurations have been added to the docker-compose.yml. If you already have syslog-ng running on your deployment server - make similar changes below and comment out the docker container stanza.

SYSLOG-NG CONFIGURATION (docker container listens on port 514)

# syslog-ng.conf

source s_local {
    internal();
};

source s_network {
    default-network-drivers(
    );
};

destination d_loki {
    syslog("promtail" transport("tcp") port("1514"));
};

log {
    source(s_local);
    source(s_network);
    destination(d_loki);
};

Note: "promtail" in the d_loki destination above is the hostname where Promtail is running. In this example, it happens to be the name of the Promtail docker container that I configured for the All-In-One example. Two things to know about the source side: default-network-drivers() listens on TCP ports 514 and 601 as well as UDP 514, so only publish the ports you actually use; and syslog-ng defaults to keep-hostname(no), which replaces the hostname inside each message with the address the message arrived from. Behind Docker's port mapping that address is the bridge or ingress gateway rather than the device, so set keep-hostname(yes) (in the options block, or on the source) if the host label should carry the device's own name.

PROMTAIL CONFIGURATION (docker container listens on port 1514)

# promtail-config.yml

server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://loki:3100/loki/api/v1/push

scrape_configs:

- job_name: syslog
  syslog:
    listen_address: 0.0.0.0:1514
    idle_timeout: 60s
    label_structured_data: yes
    labels:
      job: "syslog"
  relabel_configs:
    - source_labels: ['__syslog_message_hostname']
      target_label: 'host'
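To make the hand-off between the two configurations concrete, here is a Python model of the path a single RFC 3164 datagram takes, added for this page and not code from syslog-ng, Promtail or this project. It parses the RFC 3164 header, applies syslog-ng's keep-hostname rewrite, re-emits the message as RFC 5424 with the octet-counting framing the syslog() destination uses on TCP, and then derives the labels the scrape config above would attach (job, and host from __syslog_message_hostname). Both daemons are modelled rather than run, the sample datagrams and the peer address 172.18.0.1 are constructed, and the year and UTC zone are assumed because RFC 3164 timestamps carry neither.

```python
"""Model of the log path this README wires together: an RFC 3164 datagram
reaches syslog-ng on UDP/514, syslog-ng forwards it as an RFC 5424 message over
TCP/1514 with octet-counting framing (what the syslog() destination emits), and
Promtail's syslog receiver exposes the HOSTNAME header as
__syslog_message_hostname, which the relabel rule copies to `host`.

Added illustration for this page. It is not code from syslog-ng, Promtail or the
grafana-loki-syslog-aio project; both daemons are modelled, not run, and the
sample datagrams at the bottom are constructed."""
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss [HOSTNAME] TAG[PID]: MSG
# Many devices omit HOSTNAME, so it is optional here.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:\[]+) )?"
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s?"
    r"(?P<msg>.*)$"
)
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) ")


def parse_rfc3164(line):
    """Fields of an RFC 3164 line as a dict, or None if it is not RFC 3164."""
    m = _RFC3164.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["pri"] = int(fields["pri"])
    fields["day"] = int(fields["day"])
    return fields


def syslogng_host_field(msg_host, peer_addr, keep_hostname=False):
    """syslog-ng's default is keep-hostname(no): HOST is rewritten to the
    address the datagram arrived from (the IP with use-dns(no)). Only with
    keep-hostname(yes) does the name inside the message survive, and a message
    without a HOSTNAME still falls back to the peer address."""
    if keep_hostname and msg_host:
        return msg_host
    return peer_addr


def to_rfc5424_frame(fields, host, year):
    """RFC 5424 message with the octet-counting framing ('<len> <msg>') that
    syslog-ng's syslog() destination uses on TCP. RFC 3164 timestamps carry no
    year or zone, so a year is supplied and UTC is assumed."""
    ts = "%04d-%02d-%02dT%s+00:00" % (year, _MONTHS[fields["mon"]],
                                       fields["day"], fields["time"])
    procid = fields["pid"] or "-"
    msg = "<%d>1 %s %s %s %s - - %s" % (fields["pri"], ts, host,
                                         fields["tag"], procid, fields["msg"])
    body = msg.encode()
    return ("%d " % len(body)).encode() + body


def promtail_labels(frame):
    """What the scrape config yields for one frame: the static job label plus
    `host`, relabelled from __syslog_message_hostname. Returns (labels, message)."""
    length, _, rest = frame.partition(b" ")
    body = rest[: int(length)].decode()
    m = _RFC5424.match(body)
    if m is None:
        raise ValueError("Promtail's syslog receiver expects RFC 5424: %r" % body)
    internal = {"__syslog_message_hostname": m.group(3),
                "__syslog_message_app_name": m.group(4)}
    labels = {"job": "syslog", "host": internal["__syslog_message_hostname"]}
    return labels, body[m.end():]


def pipeline(datagram, peer_addr, keep_hostname=False, year=2024):
    """One datagram through the modelled path; returns (labels, message)."""
    fields = parse_rfc3164(datagram)
    if fields is None:
        raise ValueError("not an RFC 3164 datagram: %r" % datagram)
    host = syslogng_host_field(fields["host"], peer_addr, keep_hostname)
    return promtail_labels(to_rfc5424_frame(fields, host, year))


if __name__ == "__main__":
    # Constructed sample: a switch behind Docker's port mapping, seen by
    # syslog-ng as the bridge gateway 172.18.0.1 rather than its own address.
    sw = "<34>Oct 11 22:14:15 edgeswitch1 sshd[1234]: Accepted publickey for admin"
    print(pipeline(sw, "172.18.0.1"))                      # host label is the peer IP
    print(pipeline(sw, "172.18.0.1", keep_hostname=True))  # host label is edgeswitch1
```

The two calls at the bottom show why every RFC 3164 device can end up under one host label: with the default keep-hostname(no), the host label is the address syslog-ng saw the packet come from, and behind a Docker bridge or swarm ingress network that is the same gateway address for every device.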

Contributing

Contributions make the open source community such a fantastic place to learn, inspire, and create. Any contributions you make are greatly appreciated.

  • Fork the Project
  • Create your Feature Branch (git checkout -b feature/AmazingFeature)
  • Commit your Changes (git commit -m 'Add some AmazingFeature')
  • Push to the Branch (git push origin feature/AmazingFeature)
  • Open a Pull Request

Contact

Dave Schmid - @lux4rd0 - [email protected]

Project Link: https://github.com/lux4rd0/grafana-loki-syslog-aio

Acknowledgements

grafana-loki-syslog-aio's People

Contributors: joyshmitz, lux4rd0


grafana-loki-syslog-aio's Issues

adding a source to the existing syslog-ng.conf

I am a super newbie when it comes to syslog-ng but I am here asking for help. I think what I need help with is understanding how I can modify the existing syslog-ng.conf - the default one provided by the stack - to have it receive from a truenas installation and also send logs to Splunk. I would appreciate any input, thanks

Cannot Create Alerts

Is there a reason the "New Alert" button does not show up after a fresh build. I cannot create alerts because of this.

[Error] TypeError: HTTPConnection.request() got an unexpected keyword argument 'chunked'

  • Distributor ID: Ubuntu
  • Description: Ubuntu 24.04 LTS
  • Release: 24.04
  • Codename: noble
  • Docker: 26.1.1, build 4cf5afa
  • Docker-Compose: 1.29.2, build unknown

Error:

:~/grafana-loki-syslog-aio-main$ sudo docker-compose -f ./docker-compose.yml up -d
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 214, in _retrieve_server_version
    return self.version(api_version=False)["ApiVersion"]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/docker/api/daemon.py", line 181, in version
    return self._result(self._get(url), json=True)
                        ^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/docker/utils/decorators.py", line 46, in inner
    return f(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 237, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 602, in get
    return self.request("GET", url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 791, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 497, in _make_request
    conn.request(
TypeError: HTTPConnection.request() got an unexpected keyword argument 'chunked'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/docker-compose", line 33, in <module>
    sys.exit(load_entry_point('docker-compose==1.29.2', 'console_scripts', 'docker-compose')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/compose/cli/main.py", line 81, in main
    command_func()
  File "/usr/lib/python3/dist-packages/compose/cli/main.py", line 200, in perform_command
    project = project_from_options('.', options)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/compose/cli/command.py", line 60, in project_from_options
    return get_project(
           ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/compose/cli/command.py", line 152, in get_project
    client = get_client(
             ^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/compose/cli/docker_client.py", line 41, in get_client
    client = docker_client(
             ^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/compose/cli/docker_client.py", line 170, in docker_client
    client = APIClient(use_ssh_client=not use_paramiko_ssh, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 197, in __init__
    self._version = self._retrieve_server_version()
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 221, in _retrieve_server_version
    raise DockerException(
docker.errors.DockerException: Error while fetching server API version: HTTPConnection.request() got an unexpected keyword argument 'chunked'

disk full

Would like to know how to prevent the container for syslog-ng from filling up fast. Is it possible to logrotate it? thanks!

Problem running on the Mac

Mac OS: Version 11.6

I get the following error when run the command: docker-compose -f ./docker-compose.yml up -d

ERROR: for node-exporter Cannot start service node-exporter: path / is mounted on / but it is not a shared or slave mount

Host value showing docker ingress network

Hi lux4rd0

First, thanks for such a great write up and example project. I've used your compose and config files to setup promtail and syslog-ng.

I have a 3 node docker swarm and this is working well for devices that send RFC 5424 messages, but I have an issue with RFC 3164. The hostname populated in the host label is an IP from the docker ingress network. In my case, 10.0.0.3. There is no way to differentiate between hosts as all RFC 3164 messages are recorded as 10.0.0.3 in Loki.

I have tested this with pfSense, it has an option to switch between RFC standards. When set to RFC 5424 the host value in Loki is correct.

Another example is Ubiquiti EdgeSwitchOS, which uses RFC 3164.

Do you know how to fix this so I can properly see the source host of the logs?

no incoming data

First off, thanks for taking the time to put this project together. I am sure I am missing something fairly obvious. I have my device pointed to the IP of the VM where g-l-s-a is running and I am not seeing any data being reflected in the dashboard.
My syslog-ng.conf file is as follows:
axiom@ranch-a1:~/container/Grafana-Influxdb_2.x-Syslog-server/syslog$ cat syslog-ng.conf
@Version: 3.35
@include "scl.conf"

/etc/syslog-ng/syslog-ng.conf

source s_sys {
udp(ip(0.0.0.0) port(514));
};
destination telegraf_local {
syslog("telegraf" port(6514));
};
#filter f_default { level(info..emerg));
#};
log { source(s_sys); filter(f_default); destination(telegraf_local); };

any pointers would be greatly appreciated

Dashboard does not show logs in grafana 8.1.1

Launched a new instance and did not see the logs. Checking the dump showed that the logs are coming. I changed the tag to 7.5.10 for grafana and everything began to be displayed. The problem is with the latest tagged container, grafana 8.

Dashboard Browse Section Missing in Grafana UI

Hi - really like this project, thanks for your hard work.

I have an issue though - using the default docker-compose.yml, it spins up my stack great - however when I click the left panel in the grafana web ui, click the four small squares there is no browse option in the resulting menu that appears.

When I check the Amazon managed grafana dashboard at work (separate to this project) which is on Grafana v8.4.0 it is there.

Example - this aio stack on version 8.1.2

As you can see there is no browse menu option when clicked.

Compared to my work Grafana on v 8.4.0


Do you know how to enable this option? Or is this just a case of we need a newer version of Grafana to enable this?

Thanks for your help :)

M2 Mac: ! syslog-ng The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested

Rubber ducking here:

Possibly related to #8

docker-compose -f ./docker-compose.yml up -d
...
 ! syslog-ng The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested 0.0s
Error response from daemon: path / is mounted on / but it is not a shared or slave mount

error getting credentials - err: exec: "docker-credential-desktop": executable file not found in $PATH, out:

Rubber ducking this here:

 docker-compose -f ./docker-compose.yml up -d
[+] Running 1/8
 ⠴ loki Pulling                                                                                                5.6s
 ✘ cadvisor Error                                                                                              5.6s
 ⠴ minio Pulling                                                                                               5.6s
 ⠴ node-exporter Pulling                                                                                       5.6s
 ⠴ prometheus Pulling                                                                                          5.6s
 ⠴ promtail Pulling                                                                                            5.6s
 ⠴ syslog-ng Pulling                                                                                           5.6s
 ⠴ grafana Pulling                                                                                             5.6s
error getting credentials - err: exec: "docker-credential-desktop": executable file not found in $PATH, out: 

Persistent saving of data and customized dashboards

Good evening Lux4rd0,

First of all let me start off by saying that this stack you have put together here is really awesome out of the box. I have been messing around with this over the last week or so and it seems like all of my attempts to make custom dashboards have been failing. Every time I try to make changes, they either don't persist or just tell me that the unique id already exists etc. I have tried making new dashboards from scratch but as soon as the stack restarts for whatever reason, the new dashboards do not seem to persist.

I am running this on docker and creating the stack using portainer. The only modifications I have made are changing the external directories from .config to something like /home/docker/syslog/.

I have tried changing the mounts on the grafana container to RW, and that doesn't seem to be solving my issue. Is there a way you could recommend for changes I need to make so that I can create customizable dashboards? I really like the dashboards you have included here but would like to mix/match some of the data they are all providing into a dashboard more tailored to my home environment. Again, love the work you have done with this :)
