
# Vector pipeline: Docker container logs (CoreDNS) -> regex parse via VRL -> Elasticsearch.
data_dir: /var/lib/vector
api:
  enabled: true
  # Bound to loopback only, so the API is not reachable from the network.
  address: 127.0.0.1:8686
  # VRL playground endpoint disabled.
  playground: false
sources:
  coredns_logs:
    type: docker_logs
    # Reading the Docker socket requires root or membership of the docker group;
    # either one effectively grants control of the Docker daemon (see the
    # service-user change further down this page).
    docker_host: "unix:///var/run/docker.sock"
transforms:
  logs_transform:
    type: remap
    inputs: [coredns_logs]
    # parse_regex! below is the aborting (infallible) form: a line that does not
    # match the CoreDNS pattern aborts the event, and with drop_on_abort the
    # event is dropped instead of forwarded. Such lines are lost silently unless
    # the dropped output is routed somewhere -- NOTE(review): confirm this is intended.
    drop_on_abort: true
    # Only affects metric events; presumably a no-op for this log-only pipeline.
    metric_tag_values: single
    # Captures level, client_ip, pid, type, domain_name, is_public, response_code
    # and the trailing text, which is then written back over the original
    # .message (the original full line is not retained).
    source: |-
      .regex = parse_regex!(.message, r'^\[(?P<level>\w+)\] (?P<client_ip>[\d\.]+):\d+ - (?P<pid>\d+) "(?P<type>\w+) IN (?P<domain_name>[\w\-]+(?:\.[\w\-]+)*)\. udp \d+ (?P<is_public>\w+) \d+" (?P<response_code>\w+) (?P<message>.*)$')
      .level = .regex.level
      .client_ip = .regex.client_ip
      .pid = .regex.pid
      .type = .regex.type
      .domain_name = .regex.domain_name
      .is_public = .regex.is_public
      .response_code = .regex.response_code
      .message = .regex.message
      del(.regex)
      del(.source_type)
      del(.stream)
      del(.label)
sinks:
  elastic:
    type: elasticsearch
    inputs: [logs_transform]
    api_version: auto
    compression: none
    doc_type: _doc
    # HTTPS endpoint; certificate verification is left at the sink's default.
    endpoints: ["https://d1-es.uenpay.com"]
    # TODO(review): plaintext credentials committed to this page, and `elastic`
    # is the built-in superuser. Inject the secret via environment-variable
    # interpolation (e.g. password: "${ES_PASSWORD}") and use a dedicated
    # least-privilege role with write access to the coredns-* indices only.
    auth:
      strategy: basic
      user: "elastic"
      password: "elastic"
    # Document _id is taken from the event's `id` field, if present.
    id_key: id
    mode: bulk
    bulk:
      # strftime pattern -> one index per day.
      index: "coredns-d1-prod-%Y.%m.%d"

修改 vector 的运行用户，否则没有权限访问 docker.sock

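# Run Vector as root so it can read /var/run/docker.sock.
# Use a systemd drop-in instead of editing the vendor unit at
# /usr/lib/systemd/system/vector.service directly: a package upgrade would
# overwrite that file and silently revert the change. (`systemctl edit vector`
# is the interactive equivalent of the two commands below.)
mkdir -p /etc/systemd/system/vector.service.d
cat > /etc/systemd/system/vector.service.d/override.conf <<'EOF'
[Service]
User=root
Group=root
EOF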

启动vector

# Reload unit definitions so the changed vector.service is picked up,
# then enable the unit at boot and start it right away.
systemctl daemon-reload
systemctl enable --now vector.service

更多配置详见

https://vector.dev/docs/reference/configuration/sources/docker_logs/
