Skip to Main Menu

Exploring Serilog v2 - Using Splunk with the File Sink and Docker

Posted on 2 mins read

I have had a few questions recently about how to setup Docker with Serilog and Splunk when logging to a file. Generally I opt to use the HTTP Event Collector however there are some situations that warrant logging to a file.

A simple way to get logging out via a file to Splunk in Docker is via a shared volume. As I mentioned I can think of better production approaches however here is some quick setups to get up and running.

First create a few files and setup the project.

mkdir docker-example
cd docker-example
touch docker-compose.yml
touch Dockerfile

# Setup the app
mkdir example
cd example
dotnet new console
dotnet add package Serilog
dotnet add package Serilog.Sinks.Console
dotnet add package Serilog.Sinks.File

Open Program.cs in your favourite editor and update accordingly. In this case we are going to log to a text file called mylog.txt.

using System;
using Serilog;
using System.Collections.Generic;
using System.Linq;
using System.IO;

namespace example
{
    class Program
    {
        static void Main(string[] args)
        {
            Log.Logger = new LoggerConfiguration()
                    .WriteTo.Console()
                    .WriteTo.File(path:"mylog.txt", buffered: true)
                    .CreateLogger();

            foreach (var i in Enumerable.Range(0, 1000))
            {
                Log.Information("Hello world {Counter}", i * x);
            }

            Log.CloseAndFlush();
        }
    }
}

Next add the build steps to the multi-stage Dockerfile. Note we are pubishing the build output to the sample folder.

FROM microsoft/dotnet:2.1-sdk AS build
WORKDIR /sample
ADD . /sample
RUN dotnet restore
RUN dotnet publish -c Release -o out

FROM microsoft/dotnet:2.1-runtime AS runtime
WORKDIR /sample
COPY --from=build /sample/out ./
ENTRYPOINT ["dotnet", "example.dll"]

Now we need to setup the app, with a Splunk instance to ingest the logs. Update the docker-compose.yml as below. This setup includes a shared volume applogs that will be mounted on both containers.

version: '3'
services:
  myexample:
    image: myexample
    volumes:
      - applogs:/sample

  splunkenterprise:
    image: splunk/splunk:7.1.0
    environment: 
      SPLUNK_START_ARGS: --accept-license --answer-yes --seed-passwd changeme
      SPLUNK_ENABLE_LISTEN: 9997
      SPLUNK_ADD: tcp 1514
      SPLUNK_ADD_1: monitor /sample/*
    ports:
      - "8001:8000"
      - "9997:9997"
      - "8088:8088"
      - "8089:8089"
      - "1514:1514"
    volumes:
      - applogs:/sample/logs

volumes:
  applogs:

Run it up with docker-compose up and then open a browser at http://locahost:8001.

Sources should now show the file source, and events should be available.

Sources

Events

This is a simple way of getting log files using Serilog, into Splunk when using Docker.

Get Amongst It!!

comments powered by Disqus