[
  {
    "path": "README.md",
    "content": "Docker compose file for setting up an EFK service\n=================================================\n\nA basic docker compose file that will set up Elasticsearch, Fluent Bit, and Kibana.\n\nThis docker compose file allows ingesting data through the Forward protocol or through Syslog in UDP mode; examples:\n\n### Send data through the Forward protocol\n\n```bash\necho \"{\\\"key\\\": 1234}\" | fluent-cat test\n```\n\n### Send data through the Syslog UDP socket\n\n```bash\nlogger -d -n 127.0.0.1 --port 5140 \"hello\"\n```\n\n"
  },
  {
    "path": "docker-compose.yml",
    "content": "version: '2.2'\nservices:\n\n  fluent-bit:\n    image: fluent/fluent-bit:1.5\n    volumes:\n      - ./fluent-bit/conf:/fluent-bit/etc\n    links:\n      - \"elasticsearch\"\n    ports:\n      - 24224:24224\n      - 5140:5140/udp\n      - 2020:2020\n    logging:\n        driver: \"json-file\"\n        options:\n            max-size: 100m\n            max-file: \"5\"\n    networks:\n      - elastic\n\n  elasticsearch:\n    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.1\n    container_name: es01\n    ports:\n      - \"9200:9200\"\n    networks:\n      - elastic\n    environment:\n      - node.name=es01\n      - cluster.name=es-docker-cluster\n      - bootstrap.memory_lock=false\n      - cluster.initial_master_nodes=es01\n      - \"ES_JAVA_OPTS=-Xms512m -Xmx512m\"\n\n  kibana:\n    image: docker.elastic.co/kibana/kibana:7.8.1\n    container_name: kib01\n    links:\n      - \"elasticsearch\"\n    ports:\n      - 5601:5601\n    environment:\n      ELASTICSEARCH_URL: http://es01:9200\n      ELASTICSEARCH_HOSTS: http://es01:9200\n    networks:\n      - elastic\n\nnetworks:\n  elastic:\n    driver: bridge\n\n"
  },
  {
    "path": "fluent-bit/conf/fluent-bit.conf",
    "content": "[SERVICE]\n    flush            1\n    log_Level        info\n    daemon           off\n    parsers_File     parsers.conf\n    http_server      on\n    http_listen      0.0.0.0\n    http_port        2020\n    storage.metrics  on\n\n[INPUT]\n    name             forward\n    max_chunk_size   1M\n    max_buffer_size  5M\n\n[INPUT]\n    name             syslog\n    mode             udp\n\n[OUTPUT]\n    name             es\n    match            *\n    host             es01\n    port             9200\n    logstash_format  on\n    replace_dots     on\n    retry_limit      false\n"
  },
  {
    "path": "fluent-bit/conf/parsers.conf",
    "content": "[PARSER]\n    Name   apache\n    Format regex\n    Regex  ^(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \\[(?<time>[^\\]]*)\\] \"(?<method>\\S+)(?: +(?<path>[^\\\"]*?)(?: +\\S*)?)?\" (?<code>[^ ]*) (?<size>[^ ]*)(?: \"(?<referer>[^\\\"]*)\" \"(?<agent>[^\\\"]*)\")?$\n    Time_Key time\n    Time_Format %d/%b/%Y:%H:%M:%S %z\n\n[PARSER]\n    Name   apache2\n    Format regex\n    Regex  ^(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \\[(?<time>[^\\]]*)\\] \"(?<method>\\S+)(?: +(?<path>[^ ]*) +\\S*)?\" (?<code>[^ ]*) (?<size>[^ ]*)(?: \"(?<referer>[^\\\"]*)\" \"(?<agent>.*)\")?$\n    Time_Key time\n    Time_Format %d/%b/%Y:%H:%M:%S %z\n\n[PARSER]\n    Name   apache_error\n    Format regex\n    Regex  ^\\[[^ ]* (?<time>[^\\]]*)\\] \\[(?<level>[^\\]]*)\\](?: \\[pid (?<pid>[^\\]]*)\\])?( \\[client (?<client>[^\\]]*)\\])? (?<message>.*)$\n\n[PARSER]\n    Name   nginx\n    Format regex\n    Regex ^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \\[(?<time>[^\\]]*)\\] \"(?<method>\\S+)(?: +(?<path>[^\\\"]*?)(?: +\\S*)?)?\" (?<code>[^ ]*) (?<size>[^ ]*)(?: \"(?<referer>[^\\\"]*)\" \"(?<agent>[^\\\"]*)\")\n    Time_Key time\n    Time_Format %d/%b/%Y:%H:%M:%S %z\n\n[PARSER]\n    # https://rubular.com/r/IhIbCAIs7ImOkc\n    Name        k8s-nginx-ingress\n    Format      regex\n    Regex       ^(?<host>[^ ]*) - (?<user>[^ ]*) \\[(?<time>[^\\]]*)\\] \"(?<method>\\S+)(?: +(?<path>[^\\\"]*?)(?: +\\S*)?)?\" (?<code>[^ ]*) (?<size>[^ ]*) \"(?<referer>[^\\\"]*)\" \"(?<agent>[^\\\"]*)\" (?<request_length>[^ ]*) (?<request_time>[^ ]*) \\[(?<proxy_upstream_name>[^ ]*)\\] (\\[(?<proxy_alternative_upstream_name>[^ ]*)\\] )?(?<upstream_addr>[^ ]*) (?<upstream_response_length>[^ ]*) (?<upstream_response_time>[^ ]*) (?<upstream_status>[^ ]*) (?<reg_id>[^ ]*).*$\n    Time_Key    time\n    Time_Format %d/%b/%Y:%H:%M:%S %z\n\n[PARSER]\n    Name   json\n    Format json\n    Time_Key time\n    Time_Format %d/%b/%Y:%H:%M:%S %z\n\n[PARSER]\n    Name         docker\n    Format       json\n    Time_Key     
time\n    Time_Format  %Y-%m-%dT%H:%M:%S.%L\n    Time_Keep    On\n    # --\n    # Since Fluent Bit v1.2, if you are parsing Docker logs and using\n    # the Kubernetes filter, it's not longer required to decode the\n    # 'log' key.\n    #\n    # Command      |  Decoder | Field | Optional Action\n    # =============|==================|=================\n    #Decode_Field_As    json     log\n\n[PARSER]\n    Name        docker-daemon\n    Format      regex\n    Regex       time=\"(?<time>[^ ]*)\" level=(?<level>[^ ]*) msg=\"(?<msg>[^ ].*)\"\n    Time_Key    time\n    Time_Format %Y-%m-%dT%H:%M:%S.%L\n    Time_Keep   On\n\n[PARSER]\n    Name        syslog-rfc5424\n    Format      regex\n    Regex       ^\\<(?<pri>[0-9]{1,5})\\>1 (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\\[(.*?)\\]|-)) (?<message>.+)$\n    Time_Key    time\n    Time_Format %Y-%m-%dT%H:%M:%S.%L%z\n    Time_Keep   On\n\n[PARSER]\n    Name        syslog-rfc3164-local\n    Format      regex\n    Regex       ^\\<(?<pri>[0-9]+)\\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<ident>[a-zA-Z0-9_\\/\\.\\-]*)(?:\\[(?<pid>[0-9]+)\\])?(?:[^\\:]*\\:)? *(?<message>.*)$\n    Time_Key    time\n    Time_Format %b %d %H:%M:%S\n    Time_Keep   On\n\n[PARSER]\n    Name        syslog-rfc3164\n    Format      regex\n    Regex       /^\\<(?<pri>[0-9]+)\\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\\/\\.\\-]*)(?:\\[(?<pid>[0-9]+)\\])?(?:[^\\:]*\\:)? *(?<message>.*)$/\n    Time_Key    time\n    Time_Format %b %d %H:%M:%S\n    Time_Keep   On\n\n[PARSER]\n    Name    mongodb\n    Format  regex\n    Regex   ^(?<time>[^ ]*)\\s+(?<severity>\\w)\\s+(?<component>[^ ]+)\\s+\\[(?<context>[^\\]]+)]\\s+(?<message>.*?) 
*(?<ms>(\\d+))?(:?ms)?$\n    Time_Format %Y-%m-%dT%H:%M:%S.%L\n    Time_Keep   On\n    Time_Key time\n\n[PARSER]\n    # https://rubular.com/r/3fVxCrE5iFiZim\n    Name    envoy\n    Format  regex\n    Regex ^\\[(?<start_time>[^\\]]*)\\] \"(?<method>\\S+)(?: +(?<path>[^\\\"]*?)(?: +\\S*)?)? (?<protocol>\\S+)\" (?<code>[^ ]*) (?<response_flags>[^ ]*) (?<bytes_received>[^ ]*) (?<bytes_sent>[^ ]*) (?<duration>[^ ]*) (?<x_envoy_upstream_service_time>[^ ]*) \"(?<x_forwarded_for>[^ ]*)\" \"(?<user_agent>[^\\\"]*)\" \"(?<request_id>[^\\\"]*)\" \"(?<authority>[^ ]*)\" \"(?<upstream_host>[^ ]*)\"  \n    Time_Format %Y-%m-%dT%H:%M:%S.%L%z\n    Time_Keep   On\n    Time_Key start_time\n\n[PARSER]\n    # http://rubular.com/r/tjUt3Awgg4\n    Name cri\n    Format regex\n    Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$\n    Time_Key    time\n    Time_Format %Y-%m-%dT%H:%M:%S.%L%z\n\n[PARSER]\n    Name    kube-custom\n    Format  regex\n    Regex   (?<tag>[^.]+)?\\.?(?<pod_name>[a-z0-9](?:[-a-z0-9]*[a-z0-9])?(?:\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)_(?<namespace_name>[^_]+)_(?<container_name>.+)-(?<docker_id>[a-z0-9]{64})\\.log$\n"
  }
]