Autodiscover questions

Hi,

I was wondering how Filebeat collects container logs when Filebeat is also a container?

Are logs read from a path?
Are logs pulled from the container (e.g. nginx) and sent to Filebeat?
Should volumes (/var/run/docker.sock, /var/lib/docker, etc.) be mounted in the Filebeat container?

Any full config file example?

Thx

How it works is that it hooks up to the events emitted by, let's say, Docker.
Then a listener listens for start/stop events, compiles metadata and emits an event by itself, consumable by ELK.
Implementation-wise, you can check the autodiscover docker provider and its watcher.

Configuration wise (but I'm not sure if this is what you had in mind):

filebeat.autodiscover:
  providers:
    - type: docker
      labels.dedot: true
      templates:
        - condition:
            contains:
              docker.container.image: redis
          config:
            - type: docker
              containers.ids:
                - "${data.docker.container.id}"
              exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines

This configuration launches a docker logs input for all containers running an image with redis in the name. labels.dedot defaults to true for docker autodiscover, which means dots in docker labels are replaced with '_' by default.
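
A simplified Python model of the mechanism described in the answer above, added here as an illustration; it is not Filebeat's code and not part of the original thread. It replays start/stop events, applies the `contains` condition, expands `${data.docker.container.id}` and dedots label keys; the event dictionaries, container ids and the label name are constructed sample values.

```python
import re

# Python mirror of the YAML template above (a model, not Filebeat's code).
TEMPLATE = {
    "condition": {"contains": {"docker.container.image": "redis"}},
    "config": [{"type": "docker", "containers.ids": ["${data.docker.container.id}"],
                "exclude_lines": [r"^\s+[\-`('.|_]"]}],
}

def metadata(event, dedot=True):
    """Compile the dotted metadata keys that conditions and ${data.*} use."""
    meta = {"docker.container.id": event["id"],
            "docker.container.image": event["image"]}
    for key, val in event.get("labels", {}).items():
        key = key.replace(".", "_") if dedot else key  # labels.dedot
        meta["docker.container.labels." + key] = val
    return meta

def matches(condition, meta):  # only the 'contains' condition is modelled
    return all(sub in meta.get(field, "")
               for field, sub in condition["contains"].items())

def render(value, meta):
    """Expand ${data.<key>} placeholders in nested strings, lists, dicts."""
    if isinstance(value, str):
        return re.sub(r"\$\{data\.([^}]+)\}",
                      lambda m: meta.get(m.group(1), m.group(0)), value)
    if isinstance(value, list):
        return [render(v, meta) for v in value]
    if isinstance(value, dict):
        return {k: render(v, meta) for k, v in value.items()}
    return value

def autodiscover(events, template=TEMPLATE):
    """Replay start/stop events; return {container id: active input configs}."""
    active = {}
    for ev in events:
        if ev["action"] == "start":
            meta = metadata(ev)
            if matches(template["condition"], meta):
                active[ev["id"]] = render(template["config"], meta)
        elif ev["action"] == "stop":
            active.pop(ev["id"], None)
    return active

# Constructed sample events (ids, images and labels are made up).
EVENTS = [
    {"action": "start", "id": "aaa111", "image": "redis:7", "labels": {"com.example.team": "cache"}},
    {"action": "start", "id": "bbb222", "image": "nginx:1.25"},
    {"action": "start", "id": "ccc333", "image": "bitnami/redis:7.2"},
    {"action": "stop", "id": "aaa111"}]
```

Calling `autodiscover(EVENTS)` leaves one input active, for `ccc333`: the nginx container never matched the condition and the first redis container was stopped.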
