I am trying to get logs from my shadowsocks docker into a file so that it can be integrated with fail2ban. The container outputs logs to stdout, which is already integrated with my ELK stack (also docker) through docker-compose:
    version: '3.9'
    services:
      shadowsocks:
        image: shadowsocks/shadowsocks-libev
        ...
        logging:
          driver: gelf
          options:
            gelf-address: "udp://10.0.0.1:12201"
            tag: "shadowsocks"
I thought the simplest way to write the shadowsocks logs to a file would be through logstash, the output for which is configured as such:
    output {
      redis {
        host => "redis-cache"
        data_type => "list"
        key => "logstash"
      }
      if [tag] == "shadowsocks" {
        file {
          path => "/tmp/shadowsocks/shadowsocks-%{+YYYY-MM-dd}.log"
          codec => json
        }
      }
    }
Unfortunately, this never writes any logs. I think that the problem is the conditional statement if [tag] == "shadowsocks", because when I remove this, it writes to the log file just fine (of course, it's then writing EVERYTHING to the log file, not only shadowsocks logs).
What am I doing wrong and how can I get logstash to write only shadowsocks logs to the file?
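
Added example, not part of the original question: a small Python decoder for the GELF datagrams the container sends, which lists the field names an `if [...]` conditional in the output can actually match. It assumes the docker gelf driver carries the `tag` option as the additional field `_tag` and that the Logstash input strips the leading underscore; the sample datagram is constructed and the function names are hypothetical.

```python
import gzip
import json
import socket
import zlib

# Constructed datagram; "_tag" and "_container_name" are assumed to be how the
# docker gelf driver carries the compose "tag" option and the container name.
SAMPLE = gzip.compress(json.dumps({
    "version": "1.1", "host": "docker-host", "level": 6,
    "short_message": "constructed log line", "timestamp": 1700000000.0,
    "_container_name": "shadowsocks", "_tag": "shadowsocks",
}).encode())

def decode_gelf(datagram: bytes) -> dict:
    """Decode one unchunked GELF UDP payload (gzip, zlib or plain JSON)."""
    if datagram[:2] == b"\x1e\x0f":
        raise ValueError("chunked GELF message: reassemble the chunks first")
    if datagram[:2] == b"\x1f\x8b":
        datagram = gzip.decompress(datagram)
    elif datagram[:1] == b"\x78":
        datagram = zlib.decompress(datagram)
    return json.loads(datagram)

def as_event_fields(gelf: dict, strip_underscore: bool = True) -> dict:
    """Name fields as an input that strips the leading "_" (assumed) would."""
    return {
        (k[1:] if strip_underscore and k.startswith("_") and len(k) > 1 else k): v
        for k, v in gelf.items()
    }

def dump_one(bind: str = "0.0.0.0", port: int = 12201) -> dict:
    """Receive a single datagram on the GELF port and return its event fields."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        datagram, _ = sock.recvfrom(65535)
    return as_event_fields(decode_gelf(datagram))

if __name__ == "__main__":
    # Offline run on the constructed sample: print every field name and value.
    for name, value in sorted(as_event_fields(decode_gelf(SAMPLE)).items()):
        print(f"{name!r}: {value!r}")
```

Calling `dump_one()` on a spare UDP port that the container's `gelf-address` is temporarily pointed at shows the real field names and values to compare against the conditional.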