I was wondering how Filebeat collects container logs when Filebeat is also a container.
Are logs read from a path?
Are logs pulled from the container (e.g. nginx) and sent to Filebeat?
Should volumes (/var/run/docker.sock, /var/lib/docker, etc.) be mounted in the Filebeat container?
How it works is that it hooks up to the events emitted by, let's say, Docker.
Then the listener listens for start/stop events, compiles metadata and emits an event by itself, contestable by ELK.
Implementation-wise, you can check the autodiscover docker provider and its watcher.
Configuration-wise (but I'm not sure if this is what you had in mind):
This configuration launches a docker logs input for all containers running an image with redis in the name. labels.dedot defaults to be true for docker autodiscover, which means dots in docker labels are replaced with '_' by default.
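
A configuration of the kind the answer describes, as an added example that is not part of the original post. It assumes Docker's default json-file logging driver and default data root `/var/lib/docker`; the output host is a placeholder.

```yaml
# filebeat.yml (added example, not from the original thread).
#
# Filebeat running as a container reads other containers' logs from files on
# the host, so two host paths have to be mounted into the Filebeat container:
#   /var/run/docker.sock        used by the autodiscover provider to watch
#                               container start/stop events and read metadata
#   /var/lib/docker/containers  the per-container JSON log files (mount :ro)
#
# The Docker socket exposes the full Docker API. A ":ro" bind mount protects
# only the socket file, not the API behind it, so treat the Filebeat
# container as having control over the Docker daemon.
filebeat.autodiscover:
  providers:
    - type: docker
      # Default value; dots in Docker label names are replaced with '_'.
      labels.dedot: true
      templates:
        # Start an input only for containers whose image name contains "redis".
        - condition:
            contains:
              docker.container.image: redis
          config:
            - type: container
              paths:
                # ${data.docker.container.id} is filled in from the start event.
                - /var/lib/docker/containers/${data.docker.container.id}/*.log

# Placeholder output (assumption); point this at your own cluster.
output.elasticsearch:
  hosts: ["elasticsearch:9200"]
```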