Last Updated: October 15, 2024

Overview

To enable external logging service on SaladCloud , you must configure your Container Group Deployment with the host address and port number of your tcp endpoint. The host should be publicly reachable. Note that all communication between SCE and your TCP endpoint will be encrypted with TLS(Transport Layer Security). Many tools are available to you when creating your TCP endpoint. In this example, we will be using Logstash. Logstash is a free and open-source server-sde data processing pipeline for ingesting and transforming data from a variety of sources.

Prerequisite

  • Logstash Installation: You must have Logstash installed on the endpoint where you want to receive logs from SCE. To install Logstash, you can follow the official documentation here.
  • TLS/SSL Certificates: Prepare SSL/TLS certificates and private keys for securing the communication between Logstash and SCE.
📘 A note on certificates You can use self-signed certificates for testing and development, but in a production environment, it is highly recommended to use certificates from a trusted Certificate Authority (CA).

Generating Self-Signed Certificates

To generate self-signed certificate you can use OpenSSL.
  1. Generate a CA (Certificate Authority) Certificate and Key:
# Generate CA private key
openssl genpkey -algorithm RSA -out ca-key.pem

# Create a self-signed CA certificate
openssl req -x509 -new -key ca-key.pem -out ca-certificate.pem
  1. Generate Logstash Server Certificate and Key:
# Generate Logstash server private key
openssl genpkey -algorithm RSA -out logstash-private-key.pem

# Create a CSR (Certificate Signing Request) for Logstash server
openssl req -new -key logstash-private-key.pem -out logstash-csr.pem
  1. Sign the Logstash server CSR with the CA Certificate:
# Sign the Logstash server CSR with the CA certificate
openssl x509 -req -in logstash-csr.pem -CA ca-certificate.pem -CAkey ca-key.pem -CAcreateserial -out logstash-certificate.pem

Logstash Configuration

With the certificates ready, it’s time to configure Logstash to accept secure log connections from SCE. Create a Logstash configuration file, typically named logstash.conf, and add the following content: 
input {
  tcp {
    host => "0.0.0.0" # listen on all available network interfaces
    port => 5001      # port to receive logs from SCE
    ssl_enable => true
    ssl_key => "/path/to/logstash-private-key.pem"
    ssl_cert => "/path/to/logstash-certificate.pem"
    ssl_certificate_authorities =>["/path/to/ca-certificate.pem"]
  }
}

# Remove unnecessary fields from log events
filter {
  mutate {
    remove_field => ["host", "port", "@version", "@timestamp"]
  }
}

# add your desired output plugin (e.g Elasticsearch, File, etc.)
output {
  stdout {
    codec => rubydebug
  }
}
In the input section, we configure Logstash to listen on port 5001, enable SSL/TLS encryption, and provide the paths to your Logstash TLS/SSL certificates. For more information about the logstash configuration, please visit their official documentation.

Starting Logstash

$ bin/logstash -f logstash.conf
Logstash is now configured and ready to use the SSL/TLS private key and certificate for secure logging service.

Next Steps

Once you’ve set up Logstash, you can configure your Container Group Deployment on SCE and provide the host and port number. Then, start the container group and, on your TCP endpoint, you should see streaming logs from your containers!