Ship OPNsense logs to OpenSearch using Fluent-bit

Install an OpenSearch & Fluent-bit stack

Docker compose

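services:
  opensearch:
    image: opensearchproject/opensearch:2.9.0
    container_name: opensearch
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
      # Left commented on purpose: with the security plugin enabled the node
      # serves HTTPS on 9200 and requires authentication. Uncommenting it makes
      # 9200 plaintext and unauthenticated, and OPENSEARCH_HOSTS below (and the
      # `scheme` in ./fluent.conf) would then have to use http.
      # - plugins.security.disabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      # Published on every host interface. Dashboards and fluentd reach the node
      # over the `logging` network, so bind to loopback ("127.0.0.1:9200:9200")
      # or drop the mapping unless a host-side client needs it. The image's demo
      # security configuration ships with well-known default credentials;
      # change them before exposing the node beyond this host.
      - "9200:9200"
      - "9600:9600"   # performance analyzer
    volumes:
      - opensearch-data:/usr/share/opensearch/data
    restart: always
    networks:
      - logging

  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:2.9.0
    container_name: opensearch-dashboards
    environment:
      - OPENSEARCH_HOSTS=https://opensearch:9200
      # Disables certificate verification towards OpenSearch; tolerable only
      # because the hop stays on the internal bridge network and the image
      # ships a self-signed demo certificate. Outside a lab, mount a CA and
      # use `full`.
      - OPENSEARCH_SSL_VERIFICATIONMODE=none
    ports:
      - "5601:5601"
    depends_on:
      - opensearch
    restart: always
    networks:
      - logging

  fluentd:
    # The daemonset variant is used because it bundles fluent-plugin-elasticsearch,
    # which the `@type elasticsearch` output in ./fluent.conf needs.
    # image: fluent/fluentd:v1.17-1
    image: fluent/fluentd-kubernetes-daemonset:v1.17-debian-elasticsearch7-1
    container_name: fluentd
    volumes:
      - ./fluent.conf:/fluentd/etc/fluent.conf
    ports:
      # UDP syslog is unauthenticated and unencrypted; restrict the host
      # firewall so only the OPNsense box can reach 5140/udp.
      - "5140:5140/udp"
    depends_on:
      - opensearch
    # Added for consistency with the other two services: without it the
    # collector stays down after a host reboot while OpenSearch comes back.
    restart: always
    networks:
      - logging

volumes:
  opensearch-data:

networks:
  logging:
    driver: bridge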

Fluentd config

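# ./fluent.conf
#
# Receives OPNsense syslog on 5140/udp and forwards every event to the
# `opensearch` service of the compose stack.

<source>
  @type syslog
  port 5140
  # All interfaces inside the container; docker publishes 5140/udp.
  bind 0.0.0.0
  tag opnsense
  # in_syslog parses RFC 3164 by default. If the OPNsense remote-logging
  # target is switched to RFC 5424 output, add `message_format rfc5424`
  # (or `auto`) here or the timestamp/host fields will not be parsed.
</source>

<match opnsense.**>
  @type elasticsearch
  host opensearch
  port 9200
  # The compose stack leaves the OpenSearch security plugin enabled, so the
  # node only speaks HTTPS and requires credentials; `scheme http` is rejected
  # as plaintext traffic on an HTTPS channel. If plugins.security.disabled=true
  # is set in the compose file instead, revert to `scheme http` and drop
  # user/password.
  scheme https
  user admin
  # Placeholder: replace with the real admin password, or better a dedicated
  # write-only user. Fluentd can read it from the environment instead of the
  # file: password "#{ENV['OPENSEARCH_PASSWORD']}"
  password CHANGE_ME_OPENSEARCH_ADMIN_PASSWORD
  # Certificate verification is off only because the image ships a self-signed
  # demo certificate; prefer `ca_file <path to the cluster root CA>` together
  # with `ssl_verify true`.
  ssl_verify false
  # With logstash_format enabled the plugin ignores index_name and writes to
  # <logstash_prefix>-YYYY.MM.DD (default prefix "logstash"), so the prefix is
  # what actually names the indices.
  logstash_format true
  logstash_prefix opnsense-logs
  index_name opnsense-logs
  include_tag_key true
  type_name _doc
</match>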

Create the stack

# Start the three services in the background (long form of -d).
docker-compose up --detach

Configure OPNsense to ship to Fluentd