Shiny_Hou
June 16, 2020, 7:27am
1
I don't want need filbeat-version-%{+yyyy.MM.dd} Index, my config don't have the config , but the container log still input to filbeat-version-%{+yyyy.MM.dd}
---
filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
hints.enabled: true
templates:
- condition:
equals:
kubernetes.namespace: dev
config:
- type: container
paths:
- /var/lib/docker/containers/${data.kubernetes.container.id}/*.log
fields:
logtype: app-console
- type: log
paths:
- /var/log/k8s/${data.kubernetes.pod.name}/*.log
multiline:
pattern: '^\d{4}-\d{2}-\d{2}'
negate: true
match: after
fields:
logtype: app-file
- condition:
equals:
kubernetes.namespace: istio-system
config:
- type: log
paths:
- /var/log/istio-proxy/access.log
fields:
logtype: ingressgateway-access
- config:
- type: container
paths:
- /var/lib/docker/containers/${data.kubernetes.container.id}/*.log
fields:
logtype: kubernetes-pods
processors:
- drop_event:
when:
equals:
kubernetes.container.name: 'istio-proxy'
- add_kubernetes_metadata:
default_indexers.enabled: false
default_matchers.enabled: false
in_cluster: true
output.elasticsearch:
hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}
pipelines:
- pipeline: "ingressgateway-access"
when.equals:
fields.logtype: ingressgateway-access
indices:
- index: "app-console-%{+yyyy.MM.dd}"
when.equals:
fields.logtype: app-console
- index: "ingressgateway-access-%{+yyyy.MM.dd}"
when.equals:
fields.logtype: ingressgateway-access
- index: "app-file-%{+yyyy.MM.dd}"
when.equals:
fields.logtype: app-file
- index: "kubernetes-pods-%{+yyyy.MM.dd}"
when.equals:
fields.logtype: kuberentes-pods
jsoriano
June 16, 2020, 5:52pm
2
Hey @Shiny_Hou , welcome to discuss
Since 7.7.0, indexes are managed by ILM . If you want to disable this behaviour and use your own policies you can disable ilm with setup.ilm.enabled: false.
Shiny_Hou
June 17, 2020, 1:18am
3
thanks @jsoriano i setted setup.ilm.enabled: false. but still exists the filebeat index
jsoriano
June 17, 2020, 10:14am
4
The filebeat index won't be removed. But after disabling ILM, are events being written to this index or to the custom ones?
Shiny_Hou
June 17, 2020, 12:08pm
5
disable ilm, delete all index, delete fielbeat , then renew apply filebat like this :
Shiny_Hou
June 17, 2020, 12:10pm
6
this my filebeat config:
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-config
namespace: kube-system
labels:
app: filebeat
data:
filebeat.yml: |-
setup.ilm.enabled: false
ilm.enabled: false
output.elasticsearch.ilm.enabled: false
queue.mem:
events: 4096
flush.min_events: 512
flush.timeout: 5s
filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
hints.enabled: true
templates:
- condition:
equals:
kubernetes.namespace: dev
config:
- type: container
paths:
# - /var/log/containers/*${data.kubernetes.container.id}.log
- /var/lib/docker/containers/${data.kubernetes.container.id}/*.log
fields:
logtype: app-console
- type: log
paths:
- /var/log/k8s/${data.kubernetes.pod.name}/*.log
multiline:
pattern: '^\d{4}-\d{2}-\d{2}'
negate: true
match: after
fields:
logtype: app-file
- condition:
equals:
kubernetes.namespace: istio-system
config:
- type: log
paths:
- /var/log/istio-proxy/access.log
fields:
logtype: ingressgateway-access
- config:
- type: container
paths:
- /var/lib/docker/containers/${data.kubernetes.container.id}/*.log
fields:
logtype: kubernetes-pods
processors:
- drop_event:
when:
equals:
kubernetes.container.name: 'istio-proxy'
- add_kubernetes_metadata:
default_indexers.enabled: false
default_matchers.enabled: false
in_cluster: true
output.elasticsearch:
hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}
pipelines:
- pipeline: "ingressgateway-access"
when.equals:
fields.logtype: ingressgateway-access
indices:
- index: "app-console-%{+yyyy.MM.dd}"
when.equals:
fields.logtype: app-console
- index: "ingressgateway-access-%{+yyyy.MM.dd}"
when.equals:
fields.logtype: ingressgateway-access
- index: "app-file-%{+yyyy.MM.dd}"
when.equals:
fields.logtype: app-file
- index: "kubernetes-pods-%{+yyyy.MM.dd}"
when.equals:
fields.logtype: kuberentes-pods
---
jsoriano
June 17, 2020, 5:46pm
7
I see you have indexes starting with app-console-, ingressgateway- and so on, do they contain the events you expect?
Shiny_Hou
June 18, 2020, 1:37am
8
yes , they are look good, but /var/lib/docker/containers all log stdout to filbeat-7.7.1-xxxx
jsoriano
June 18, 2020, 5:46pm
9
Oh, I have just seen that you have hints-based autodiscover enabled. When hints-based autodiscover is enabled in filebeat it collects logs from all pods by default.
Could you try to disable hints (hints.enabled: false) to see if filebeat does what you expect?
1 Like
Shiny_Hou
June 19, 2020, 6:05am
10
thanks ! i use this config , it's look good
setup.ilm.enabled: false
filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
hints.enabled: true
hints.default_config.enabled: false
1 Like
system
July 17, 2020, 8:05am
11
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
, 