AutoDiscover - can't ship docker container logs by image name

Asaf_Shabat · December 24, 2017, 7:58pm

I'm trying to set up the AutoDiscover component in the Filebeat.yml.
I'm using it in order to take logs from specific containers which generated by a specific Docker image.
When I'm working with the "filebeat.autodiscover" should I need to add the "filebeat.prospectors" block too?
Currently, this is my configuration without filebeat.prospectors:

filebeat.autodiscover:
# List of enabled autodiscover providers
providers:
- type: docker
templates:
- condition:
equals.docker.container.image: wildfly_image
config:
- type: log
paths:
- /var/lib/docker/containers/${data.docker.container.id}/*.log
processors:
- add_docker_metadata: ~

fields:
environment: WF-Prod
fields_under_root: true

multiline.pattern: '^[[:space:]]+|]$'
multiline.match: after

As you can see, because of the "filebeat.prospectors" has been omitted, I had to add the processors, fields & multiline options under the "filebeat.autodiscover". Is it the right thing to do?

adrisr · December 26, 2017, 6:16pm

Your setup looks good to me. I guess either a problem with your config (indentation?) or the docker container image is wrong.

Can you share your whole filebeat.yml file and the debug log of filebeat run?

Asaf_Shabat · December 27, 2017, 11:29am

The issue was the indentation, and "add_docker_metadata" should be omitted.
Working configuration is below:

filebeat.autodiscover:
  # List of enabled autodiscover providers
  providers:
    - type: docker
      templates:
        - condition:
            equals.docker.container.image: full_image_path/image_name:version
          config:
            - type: log
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log
              fields:
                environment: Development
              fields_under_root: true

              multiline.pattern: '^[[:space:]]+|]$'
              multiline.match: after

Thanks a lot!

exekias · December 27, 2017, 1:07pm

I'm glad you discovered the original issue @Asaf_Shabat,

Also you may want to use the new docker prospector, available since 6.1, prospector conf would look like this:

type: docker
containers.ids: ${data.docker.container.id}
multiline.pattern: '^[[:space:]]+|]$'
multiline.match: after

Asaf_Shabat · December 27, 2017, 1:28pm

Great, but how could I filter the containers by image name without the using of autodiscover?

exekias · December 27, 2017, 5:49pm

Not at the moment, docker prospector is dumb, it only accepts container ids as it's what it uses to search for the logs. Autodiscover is in place to do what you want.

Best regards

exekias · December 27, 2017, 5:58pm

Also I forgot to mention, you are using equals condition, but you have all existing conditions available, just in case you want to match only some part of the image, for instance.

Asaf_Shabat · December 28, 2017, 6:37am

Thank you very much!
It helps!

system · January 25, 2018, 6:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem getting autodiscover docker to work with filebeat Beats filebeat	11	8731	September 12, 2018
Filebeat autodiscover for docker does not work on /var/lib/docker/containers Beats filebeat	8	3127	January 15, 2019
Cannot get Autodiscover conditions to work Beats docker , filebeat	1	20	September 27, 2024
Filebeat: docker autodiscover problem Beats docker , filebeat	4	720	May 23, 2022
Filebeat autodicover with docker doesn't see any logs from the containers Beats filebeat	2	326	April 24, 2019

AutoDiscover - can't ship docker container logs by image name

Related topics