-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdocker-compose.yml
81 lines (70 loc) · 2.6 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# Copyright 2023 Codenotary Inc. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
version: '2'
services:
# Needed to set up proper permissions for non root user in bitnami/postgresql
volume-init:
image: alpine
volumes:
- 'postgresql_logs:/logs'
user: root
group_add:
- '1000'
command: chown -R 1001:1000 /logs
postgresql:
image: docker.io/bitnami/postgresql:15
ports:
- '5432:5432'
volumes:
- 'postgresql_data:/bitnami/postgresql'
- 'postgresql_logs:/logs'
environment:
- 'ALLOW_EMPTY_PASSWORD=yes'
- 'POSTGRESQL_PGAUDIT_LOG=ALL'
# Configure postgresql to store data in /logs folder in json format, every minute.
# There will be log file per each minute, rotating every 60 minutes.
# It can be changed to rotate per hour, day etc..
- "POSTGRESQL_EXTRA_FLAGS=-c log_destination=jsonlog -c logging_collector=true -c log_directory=/logs -c log_filename=posgresql-%M -c log_rotation_age=1 -c log_truncate_on_rotation=on"
depends_on:
- volume-init
# Create colleciton in Vault
vault-log-audit-init:
image: codenotary/vault-log-audit
command: create default --parser pgauditjsonlog --log-level debug
environment:
# Do not forget to add your API key here
- VAULT_API_KEY=<your API key here>
depends_on:
- postgresql
# Send audit logs to Vault
vault-log-audit:
image: codenotary/vault-log-audit
command: tail file --parser pgauditjsonlog "/logs/*" --follow --file-registry-dir=/data --log-level debug
environment:
# Do not forget to add your API key here
- VAULT_API_KEY=<your API key here>
volumes:
- 'vault-log-audit_data:/data'
- 'postgresql_logs:/logs'
restart: on-failure
depends_on:
- postgresql
- vault-log-audit-init
volumes:
# Permanent storage for posgresql database
postgresql_data:
driver: local
# Permanent storage for posgresql logs
postgresql_logs:
driver: local
# Permanent storage for vault-log-audit. Used for tracking already monitored files.
vault-log-audit_data:
driver: local