3

I tried adding the following to a my_proxy.conf file that gets mounted into /etc/nginx/conf.d/ in the container as described in https://github.com/jwilder/nginx-proxy#custom-nginx-configuration but the logs aren't making it into logstash.

Initially I added this to the conf file:

http {
  # Custom log format that also includes the host that processed the request
  log_format logstash '$remote_addr - $remote_user [$time_local] "$host" '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"';

  # Send logs to Logstash
  access_log syslog:server=logstash:5140,tag=nginx_access logstash;
  error_log syslog:server=logstash:5140,tag=nginx_error notice;
}

but when I start the container it tells me "http" directive is not allowed here in /etc/nginx/conf.d/my_proxy.conf:11

So now I just have

# Custom log format that also includes the host that processed the request
log_format logstash '$remote_addr - $remote_user [$time_local] "$host" '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"';

# Send logs to Logstash
access_log syslog:server=logstash:5140,tag=nginx_access logstash;
error_log syslog:server=logstash:5140,tag=nginx_error notice;

which doesn't get any complaints when starting nginx, but doesn't put anything into logstash either. From here I don't know how to troubleshoot.

Mike B

2 Answers

1

Syslog doesn't run in your container, so it doesn't make sense to use it for logging. Your options:

1.) Configure the gelf logging driver on the Docker daemon level:

Writes log messages to a Graylog Extended Log Format (GELF) endpoint such as Graylog or Logstash.

Doc: https://docs.docker.com/config/containers/logging/configure/

2.) Start/configure a dedicated logging container, which will send data for selected container(s) to logstash. See Logspout or other similar tools.

Tool: https://github.com/gliderlabs/logspout

Jan Garaj

0

What I did was modify the nginx.tmpl file, which is the template used to generate /etc/nginx/conf.d/default.conf.

I added a line everywhere access_log appeared. For example:

  access_log /var/log/nginx/access.log vhost;
  access_log syslog:server=111.222.111.222:1025 custom;

I defined the custom format next to the other format. E.g.

log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';


log_format custom '$remote_addr - $remote_user [$time_local] '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent" '
                  '"$request_time" "$upstream_connect_time"';

And then mount nginx.tmpl into the container. E.g.

    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./config/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx.tmpl:/app/nginx.tmpl
      - ./logs:/var/log/nginx

To verify, restart nginx-proxy, bash into the nginx-proxy container and look at the generated /etc/nginx/conf.d/default.conf.

That's the idea. It'd be nice to be able to specify the syslog URL somewhere instead of having to manually copy paste into nginx.tmpl.

Note this does work despite Jan's point about syslog not working inside a container. Don't know why, It Just Works™

PizzaBeer
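
To see what nginx actually sends before Logstash is involved, the following added example (not part of the question or either answer) parses a UDP datagram in the shape nginx's syslog output uses, `<PRI>timestamp hostname tag: message`, and then the question's `logstash` log_format. The function names and the sample datagram are constructed for illustration; port 5140 and the `nginx_access` tag are taken from the question.

```python
import re
import socket

# Shape of an nginx syslog datagram: <PRI>Mon DD HH:MM:SS host tag: message
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<sender>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$', re.S)

# The question's "logstash" log_format, field by field.
ACCESS_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<host>[^"]*)" "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" '
    r'"(?P<http_user_agent>[^"]*)"$')


def parse_datagram(data: bytes):
    """Return a dict of fields, or None if the datagram is not syslog-shaped."""
    m = SYSLOG_RE.match(data.decode("utf-8", "replace").rstrip("\n"))
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    rec = {"facility": pri >> 3, "severity": pri & 7,
           "sender": m["sender"], "tag": m["tag"], "raw": m["msg"]}
    if rec["tag"] == "nginx_access":
        a = ACCESS_RE.match(m["msg"])
        rec["access"] = a.groupdict() if a else None  # None: format mismatch
    return rec


def listen(port: int = 5140, bind: str = "0.0.0.0"):
    """Print every datagram received on the UDP port used in the question."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, peer = s.recvfrom(65535)
            print(peer[0], parse_datagram(data) or data)


# Constructed sample datagram (not captured from a real host).
SAMPLE = (b'<190>Mar  4 12:00:01 proxy nginx_access: 203.0.113.7 - - '
          b'[04/Mar/2024:12:00:01 +0000] "app.example.test" '
          b'"GET /login HTTP/1.1" 200 512 "-" "curl/8.0 \\x22quoted\\x22"')

if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
```

The quoted-field patterns rely on nginx's default log escaping, which writes a `"` inside a variable such as `$http_user_agent` as `\x22`, so a client-supplied header cannot close a quoted field early.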