Of the docker-elk stack, Elasticsearch and Kibana are provided by AWS, so I only had to bring up Logstash separately.
The end goal is to run it on AWS Elastic Container Service (ECS),
but first I decided to launch an AWS EC2 instance and run it there with docker.
※ Prerequisites
- Create an AWS Elasticsearch Service domain
- Set up AWS Elastic Container Registry (ECR)
- Set up Bitbucket Pipelines
Running docker-logstash on an AWS EC2 instance
(now served with a side of trial and error)
▷ bitbucket-pipelines.yml
options:
  docker: true
  size: 2x
definitions:
  services:
    docker:
      memory: 2048
pipelines:
  branches:
    master:
      - step:
          name: Docker Logstash with AWS Elasticsearch Service
          services:
            - docker
          image: atlassian/pipelines-awscli
          script:
            - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ECR_REPOSITORY
            - IMAGE=$AWS_ECR_REPOSITORY/$AWS_ECR_REPOSITORY_NAME
            - TAG=latest
            - docker build -t $IMAGE:$TAG .
              --build-arg ES_HOST=$ES_HOST
              --build-arg ES_USER=$ES_USER
              --build-arg ES_PASSWORD=$ES_PASSWORD
            - docker push $IMAGE:$TAG
▷ Dockerfile
FROM docker.elastic.co/logstash/logstash-oss:7.9.0
ARG ES_HOST=ES_HOST
ENV ES_HOST=$ES_HOST
ARG ES_USER=ES_USER
ENV ES_USER=$ES_USER
ARG ES_PASSWORD=ES_PASSWORD
ENV ES_PASSWORD=$ES_PASSWORD
RUN logstash-plugin install logstash-output-amazon_es
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
ADD pipeline/ /usr/share/logstash/pipeline/
ADD config/ /usr/share/logstash/config/
WORKDIR /usr/share/logstash
EXPOSE 5000
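An added check, not part of the original post: the Dockerfile above copies each build argument into an `ENV`, so the value passed with `--build-arg ES_PASSWORD=...` is stored in the image configuration and is readable with `docker inspect` by anyone who can pull the image from ECR. The Python sketch below flags such ARG-to-ENV promotions for secret-looking names; the function name and the name pattern are assumptions made for this example.

```python
import re

# Constructed sample: the Dockerfile from this post, reduced to its ARG/ENV lines.
SAMPLE_DOCKERFILE = """\
FROM docker.elastic.co/logstash/logstash-oss:7.9.0
ARG ES_HOST=ES_HOST
ENV ES_HOST=$ES_HOST
ARG ES_USER=ES_USER
ENV ES_USER=$ES_USER
ARG ES_PASSWORD=ES_PASSWORD
ENV ES_PASSWORD=$ES_PASSWORD
"""

# Assumption: variable names containing these words hold credentials.
SECRET_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|KEY", re.I)
ARG_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)")


def find_baked_secrets(dockerfile_text):
    """Return (line_no, env_name, arg_name) for each secret-looking ENV
    whose value is taken from a build ARG declared earlier in the stage."""
    declared_args = set()
    findings = []
    for line_no, raw in enumerate(dockerfile_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instruction, _, rest = line.partition(" ")
        instruction = instruction.upper()
        if instruction == "FROM":
            declared_args.clear()  # ARGs do not carry over into a new build stage
        elif instruction == "ARG":
            declared_args.add(rest.split("=", 1)[0].strip())
        elif instruction == "ENV":
            # Handles "ENV NAME=value [NAME2=value2 ...]" and legacy "ENV NAME value".
            pairs = [p.split("=", 1) for p in rest.split() if "=" in p]
            if not pairs:
                name, _, value = rest.partition(" ")
                pairs = [[name, value]]
            for name, value in pairs:
                for ref in ARG_REF.findall(value):
                    if ref in declared_args and SECRET_NAME.search(name):
                        findings.append((line_no, name, ref))
    return findings


if __name__ == "__main__":
    for line_no, env_name, arg_name in find_baked_secrets(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: ENV {env_name} is filled from build ARG {arg_name}")
```

Logstash resolves `${ES_PASSWORD}` from the container environment when it starts, so the value can instead be supplied at run time (for example with `docker run --env-file`) and the ARG/ENV pair dropped from the image.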
▷ logstash.conf
input {
  beats {
    port => 5000
    codec => json
    type => "filebeat"
  }
}
filter {
  json {
    source => "message"
  }
  date {
    match => [ "timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
    target => "@timestamp"
  }
}
output {
  amazon_es {
    hosts => ["${ES_HOST}"]
    ssl => true
    region => "${AWS_REGION}"
    index => "%{[fields][log_type]}-%{+YYYY.MM.dd}"
    user => "${ES_USER}"
    password => "${ES_PASSWORD}"
  }
}
▷ Connect to the AWS EC2 instance
$ docker pull $AWS_ECR_REPOSITORY/$AWS_ECR_REPOSITORY_NAME:$TAG
$ docker run -p 5000:5000 -p 9600:9600 -d --name logstash $AWS_ECR_REPOSITORY/$AWS_ECR_REPOSITORY_NAME:$TAG
[2021-04-19T02:56:07,118][INFO ][logstash.outputs.amazonelasticsearch][main] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>https://root:xxxxxx@${ES_HOST}:443/, :path=>"/"}
[2021-04-19T02:56:07,140][WARN ][logstash.outputs.amazonelasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://root:xxxxxx@${ES_HOST}:443/", :error_type=>LogStash::Outputs::AmazonElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '403' contacting Elasticsearch at URL '${ES_HOST}:443/'"}
▷ logstash.conf
output {
  amazon_es {
    hosts => ["${ES_HOST}"]
    ssl => true
    region => "${AWS_REGION}"
    index => "%{[fields][log_type]}-%{+YYYY.MM.dd}"
    aws_access_key_id => "${AWS_ACCESS_KEY_ID}"
    aws_secret_access_key => "${AWS_SECRET_ACCESS_KEY}"
    user => "${ES_USER}"
    password => "${ES_PASSWORD}"
  }
}
[2021-04-19T02:56:07,118][INFO ][logstash.outputs.amazonelasticsearch][main] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>https://root:xxxxxx@${ES_HOST}:443/, :path=>"/"}
[2021-04-19T02:56:07,140][WARN ][logstash.outputs.amazonelasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://root:xxxxxx@${ES_HOST}:443/", :error_type=>LogStash::Outputs::AmazonElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '403' contacting Elasticsearch at URL '${ES_HOST}:443/'"}
In conclusion, it works when written as follows.
output {
  elasticsearch {
    hosts => ["${ES_HOST}"]
    ssl => true
    index => "%{[fields][log_type]}-%{+YYYY.MM.dd}"
    user => "${ES_USER}"
    password => "${ES_PASSWORD}"
    ilm_enabled => false
  }
}
Looking into it, when an Amazon ES domain uses fine-grained access control with HTTP basic authentication,
it is similar to any other Elasticsearch cluster, so you can keep using the elasticsearch plugin as before,
and when it uses an IAM-based domain access policy or fine-grained access control with an IAM master user,
you use the logstash-output-amazon-es plugin.
(Source: docs.aws.amazon.com/ko_kr/elasticsearch-service/latest/developerguide/es-managedomains-logstash.html)
That is how hard Korean is.