feat(infra): dev, prod integrate centralized logging with Logstash and Filebeat

Author: YuSunjo

.gitignore

@@ -42,4 +42,4 @@ memory-infra/docker/**/data/*
 .env
 CLAUDE.md
 settings.local.json
-./logs
+./logs/*

memory-api/src/main/resources/logback-spring.xml

@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
     <!-- 공통 변수 정의 -->
-    <springProfile name="!prod">
+    <springProfile name="local">
         <property name="LOG_PATH" value="./logs"/>
     </springProfile>
-    <springProfile name="prod">
+    <springProfile name="prod, dev">
         <property name="LOG_PATH" value="/app/logs"/>
     </springProfile>
 

memory-infra/docker/dev/docker-compose.yml

@@ -89,6 +89,8 @@ services:
       SPRING_ELASTICSEARCH_URIS: http://elasticsearch:9200
       SPRING_ELASTICSEARCH_USERNAME: elastic
       SPRING_ELASTICSEARCH_PASSWORD: ${ELASTIC_PASSWORD}
+    volumes:
+      - ./data/logs:/app/logs
     networks:
       - memory-network
     restart: always
@@ -216,6 +218,54 @@ services:
       - ./data/certbot/www:/var/www/certbot
     entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
 
+  logstash:
+    image: docker.elastic.co/logstash/logstash:8.17.4
+    container_name: memory-logstash-dev
+    ports:
+      - "5045:5044"
+      - "9602:9600"
+    environment:
+      - LS_JAVA_OPTS=-Xms256m -Xmx256m
+      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
+      - ELASTICSEARCH_USERNAME=elastic
+      - ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD}
+    volumes:
+      - ./logstash/pipeline:/usr/share/logstash/pipeline:ro
+      - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
+      - ./data/logstash-data:/usr/share/logstash/data
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+      - memory-network
+    restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost:9600/_node/stats || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+
+  filebeat:
+    image: docker.elastic.co/beats/filebeat:8.17.4
+    container_name: memory-filebeat-dev
+    user: root
+    environment:
+      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
+      - ELASTICSEARCH_USERNAME=elastic
+      - ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD}
+      - LOGSTASH_HOSTS=logstash:5044
+    volumes:
+      - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
+      - ./data/logs:/var/log/memory:ro
+      - ./data/filebeat-data:/usr/share/filebeat/data
+      - /var/lib/docker/containers:/var/lib/docker/containers:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    depends_on:
+      - logstash
+    networks:
+      - memory-network
+    restart: always
+
 networks:
   memory-network:
     driver: bridge
@@ -224,3 +274,6 @@ volumes:
   postgres-data:
   minio-data:
   elasticsearch-data:
+  logs:
+  logstash-data:
+  filebeat-data:

memory-infra/docker/dev/filebeat/filebeat.yml

@@ -0,0 +1,137 @@
+filebeat.inputs:
+  # Memory Application Logs
+  - type: log
+    enabled: true
+    paths:
+      - /var/log/memory/application*.log
+    fields:
+      service: memory-api
+      environment: dev
+      log_type: application
+    fields_under_root: true
+    multiline.pattern: '^\\{'
+    multiline.negate: true
+    multiline.match: after
+    exclude_lines: ['^$']
+    ignore_older: 0
+    close_inactive: 5m
+    scan_frequency: 10s
+
+  # Memory API Logs
+  - type: log
+    enabled: true
+    paths:
+      - /var/log/memory/api*.log
+    fields:
+      service: memory-api
+      environment: dev
+      log_type: api
+    fields_under_root: true
+    multiline.pattern: '^\\{'
+    multiline.negate: true
+    multiline.match: after
+    exclude_lines: ['^$']
+    ignore_older: 0
+    close_inactive: 5m
+    scan_frequency: 5s
+
+  # Memory Error Logs
+  - type: log
+    enabled: true
+    paths:
+      - /var/log/memory/error*.log
+    fields:
+      service: memory-api
+      environment: dev
+      log_type: error
+    fields_under_root: true
+    multiline.pattern: '^\\{'
+    multiline.negate: true
+    multiline.match: after
+    exclude_lines: ['^$']
+    ignore_older: 0
+    close_inactive: 5m
+    scan_frequency: 5s
+
+  # Memory Business Logs
+  - type: log
+    enabled: true
+    paths:
+      - /var/log/memory/business*.log
+    fields:
+      service: memory-api
+      environment: dev
+      log_type: business
+    fields_under_root: true
+    multiline.pattern: '^\\{'
+    multiline.negate: true
+    multiline.match: after
+    exclude_lines: ['^$']
+    ignore_older: 0
+    close_inactive: 5m
+    scan_frequency: 10s
+
+  # Docker Container Logs (비활성화)
+  - type: container
+    enabled: false
+    paths:
+      - /var/lib/docker/containers/*/*.log
+    containers.ids:
+      - "*"
+    exclude_containers:
+      - "memory-postgres-dev"
+      - "memory-minio-dev"
+      - "memory-elasticsearch-dev"
+      - "memory-kibana-dev"
+      - "memory-prometheus-dev"
+      - "memory-grafana-dev"
+      - "memory-logstash-dev"
+      - "memory-filebeat-dev"
+    fields:
+      environment: dev
+      log_type: container
+    fields_under_root: true
+
+# Logstash Output 설정
+output.logstash:
+  hosts: ["logstash:5044"]
+  compression_level: 3
+  worker: 2
+  bulk_max_size: 2048
+  timeout: 30s
+  pipelining: 2
+
+# Filebeat 자체 로그 설정
+logging.level: info
+logging.to_files: true
+logging.files:
+  path: /var/log/filebeat
+  name: filebeat
+  keepfiles: 7
+  permissions: 0600
+
+# 성능 설정
+filebeat.registry.path: /usr/share/filebeat/data/registry
+filebeat.registry.file_permissions: 0600
+filebeat.registry.flush: 1s
+
+# 모니터링 설정
+monitoring.enabled: true
+monitoring.elasticsearch:
+  hosts: ["elasticsearch:9200"]
+  username: elastic
+  password: ${ELASTICSEARCH_PASSWORD}
+
+# 프로세서 설정
+processors:
+  - add_host_metadata:
+      when.not.contains.tags: forwarded
+  - add_docker_metadata: ~
+  - add_kubernetes_metadata: ~
+  - timestamp:
+      field: json.timestamp
+      layouts:
+        - '2006-01-02 15:04:05.000'
+        - '2006-01-02T15:04:05.000Z'
+      test:
+        - '2023-12-01 12:34:56.789'

memory-infra/docker/dev/logstash/config/logstash.yml

@@ -0,0 +1,12 @@
+http.host: "0.0.0.0"
+xpack.monitoring.elasticsearch.hosts: ["http://elasticsearch:9200"]
+xpack.monitoring.elasticsearch.username: "elastic"
+xpack.monitoring.elasticsearch.password: "${ELASTICSEARCH_PASSWORD}"
+xpack.monitoring.enabled: true
+path.config: /usr/share/logstash/pipeline
+path.data: /usr/share/logstash/data
+pipeline.workers: 2
+pipeline.batch.size: 125
+pipeline.batch.delay: 50
+queue.type: memory
+log.level: info

memory-infra/docker/dev/logstash/pipeline/memory-logs.conf

@@ -0,0 +1,128 @@
+input {
+  beats {
+    port => 5044
+  }
+}
+
+filter {
+  # FileBeat에서 오는 메타데이터 처리
+  if [agent][type] == "filebeat" {
+    mutate {
+      add_field => { "log_source" => "filebeat" }
+    }
+  }
+
+  # JSON 로그 파싱
+  if [message] =~ /^\{.*\}$/ {
+    json {
+      source => "message"
+      target => "parsed_json"
+    }
+
+    # 파싱된 JSON 데이터를 최상위로 이동
+    if [parsed_json] {
+      ruby {
+        code => "
+          parsed = event.get('parsed_json')
+          if parsed.is_a?(Hash)
+            parsed.each { |k, v| event.set(k, v) }
+            event.remove('parsed_json')
+          end
+        "
+      }
+    }
+  }
+
+  # API 로그 특별 처리
+  if [type] == "API_REQUEST" or [type] == "API_RESPONSE" {
+    mutate {
+      add_field => { "log_category" => "api_access" }
+    }
+
+    # 응답 시간 기반 성능 태그
+    if [processingTime] {
+      if [processingTime] > 5000 {
+        mutate { add_tag => ["slow_api"] }
+      } else if [processingTime] > 1000 {
+        mutate { add_tag => ["medium_api"] }
+      } else {
+        mutate { add_tag => ["fast_api"] }
+      }
+    }
+
+    # HTTP 상태 코드 기반 태그
+    if [statusCode] {
+      if [statusCode] >= 500 {
+        mutate { add_tag => ["server_error"] }
+      } else if [statusCode] >= 400 {
+        mutate { add_tag => ["client_error"] }
+      } else if [statusCode] >= 200 {
+        mutate { add_tag => ["success"] }
+      }
+    }
+  }
+
+  # 에러 로그 특별 처리
+  if [level] == "ERROR" {
+    mutate {
+      add_field => { "log_category" => "error" }
+      add_tag => ["error"]
+    }
+  }
+
+  # 타임스탬프 처리
+  if [timestamp] {
+    date {
+      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSS", "ISO8601" ]
+      target => "@timestamp"
+    }
+  }
+
+  # 불필요한 필드 제거
+  mutate {
+    remove_field => [ "ecs", "host", "agent", "input", "log" ]
+  }
+}
+
+output {
+  # 로그 타입별로 다른 인덱스에 저장 (dev 환경 prefix)
+  if [log_type] == "api" {
+    elasticsearch {
+      hosts => ["elasticsearch:9200"]
+      user => "elastic"
+      password => "${ELASTICSEARCH_PASSWORD}"
+      index => "memory-dev-api-logs-%{+YYYY.MM.dd}"
+    }
+  } else if [log_type] == "error" {
+    elasticsearch {
+      hosts => ["elasticsearch:9200"]
+      user => "elastic"
+      password => "${ELASTICSEARCH_PASSWORD}"
+      index => "memory-dev-error-logs-%{+YYYY.MM.dd}"
+    }
+  } else if [log_type] == "business" {
+    elasticsearch {
+      hosts => ["elasticsearch:9200"]
+      user => "elastic"
+      password => "${ELASTICSEARCH_PASSWORD}"
+      index => "memory-dev-business-logs-%{+YYYY.MM.dd}"
+    }
+  } else if [log_type] == "container" {
+    elasticsearch {
+      hosts => ["elasticsearch:9200"]
+      user => "elastic"
+      password => "${ELASTICSEARCH_PASSWORD}"
+      index => "memory-dev-container-logs-%{+YYYY.MM.dd}"
+    }
+  } else {
+    elasticsearch {
+      hosts => ["elasticsearch:9200"]
+      user => "elastic"
+      password => "${ELASTICSEARCH_PASSWORD}"
+      index => "memory-dev-application-logs-%{+YYYY.MM.dd}"
+    }
+  }
+
+  # 개발환경에서는 콘솔 출력도 활성화
+  stdout { codec => rubydebug }
+}