From b38de32201ddaa4e58437c80865e67b086563af7 Mon Sep 17 00:00:00 2001
From: Christos Arvanitis <christos.arvanitis@cern.ch>
Date: Thu, 14 Sep 2023 15:45:25 +0200
Subject: [PATCH] Provide fluentd service to ship logs to logging
 infrastructure

---
 files/docker/docker-compose.yml  | 11 ++++++++++-
 files/docker/fluentd/Dockerfile  |  3 +++
 files/docker/fluentd/fluent.conf | 31 +++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 files/docker/fluentd/Dockerfile
 create mode 100644 files/docker/fluentd/fluent.conf

diff --git a/files/docker/docker-compose.yml b/files/docker/docker-compose.yml
index 7903f25..4599cad 100644
--- a/files/docker/docker-compose.yml
+++ b/files/docker/docker-compose.yml
@@ -1,7 +1,7 @@
 version: "3.9"
 services:
   dnscollector:
-    image: pdnssoc
+    image: ghcr.io/cern-cert/pdnssoc:edge
     command: >
       bash -c "mkdir -p /var/dnscollector/alerts
       && mkdir -p /var/dnscollector/matches
@@ -12,3 +12,12 @@ services:
     volumes:
       - ./logs:/var/dnscollector/ # Logging destination
       - ./pdnssoccli.yml:/etc/pdnssoccli.yml
+
+  # Uncomment to enable shipping to different logging systems
+  # e.g. Opensearch, kafka
+  #fluentd:
+  #  build: ./fluentd
+  #  volumes:
+  #    - ./fluentd:/fluentd/etc
+  #    - ./logs:/var/pDNSSOC/
+
diff --git a/files/docker/fluentd/Dockerfile b/files/docker/fluentd/Dockerfile
new file mode 100644
index 0000000..6121db1
--- /dev/null
+++ b/files/docker/fluentd/Dockerfile
@@ -0,0 +1,3 @@
+FROM fluent/fluentd:v1.16.0-debian-1.0
+USER root
+RUN ["gem", "install", "fluent-plugin-opensearch", "--no-document"]
\ No newline at end of file
diff --git a/files/docker/fluentd/fluent.conf b/files/docker/fluentd/fluent.conf
new file mode 100644
index 0000000..c11df00
--- /dev/null
+++ b/files/docker/fluentd/fluent.conf
@@ -0,0 +1,31 @@
+## match tag=debug.** and dump to console
+<match debug.**>
+  @type stdout
+  @id output_stdout
+</match>
+
+# Getting logs from pdnssoc to send to OpenSearch
+ <source>
+   @type tail
+   path /var/pDNSSOC/alerts/matches.json
+   tag pdnssoc
+   read_from_head true
+   pos_file /fluentd/etc/alerts.log.pos
+   <parse>
+     @type json
+   </parse>
+ </source>
+
+<match pdnssoc>
+  @type opensearch
+  hosts https://opensearch_instance
+  index_name ${tag}-%Y.%m.%d #=> e.g.) elastic.20170811
+  <buffer tag, time>
+    @type memory
+    flush_mode immediate
+    timekey 3600
+  </buffer>
+   user %{CHANGE_ME}
+  password %{CHANGE_ME}
+  ssl_verify false
+ </match>