Aws ecs filebeat log collection stops when the application containers are restarted

vaseem_tt · August 10, 2022, 12:52pm

We collect the logs of the container of our java application on ecs with the container of Filebeat.
When any one or multiple container in the AWS ECS intance restart continously, filebeat container stops pushing logs to elasticsearch.

And if we restart the filebeat container then the logs starts coming.

When I checked the Filebeat log, there were no errors.

filebeat config file (filebeat.yml)

setup.ilm.enabled: false
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      json.message_key: log
      templates:
        - condition:
            equals:
              docker.container.labels.filebeat_enable: "true"
          config:
            - type: docker
              containers.ids:
                - "${data.docker.container.id}"
              json.keys_under_root: true
              json.add_error_key: false
              multiline.pattern: '^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.*'
              multiline.negate: true
              multiline.match: after
              multiline.timeout: 120s
              multiline.max_lines: 1000
processors:
- add_cloud_metadata: ~
- add_docker_metadata: ~
output.elasticsearch:
  hosts: ["http://x.x.x.x:9200","http://x.x.x.x:9200","http://x.x.x.x:9200"]
  username: "XXX"
  password: "XXXX"

vaseem_tt · August 15, 2022, 1:54pm

@system please help me out here

Kaiyan_Sheng · August 15, 2022, 9:36pm

@Tetiana_Kravchenko Could you take a look at this one please? TIA!!

Tetiana_Kravchenko · August 16, 2022, 1:36pm

Hi @vaseem_tt

I think that you need to use container as the config.type.
Try to use this configuration (below the co.elastic.logs/pipeline) with docker as a autodiscover provider and container as a template.config.type.
Also if you are not using hints based autodiscovery - hints.enabled can be removed from the configuration.

vaseem_tt · September 1, 2022, 10:59am

@Tetiana_Kravchenko
we have updated the filebeat configuration as like you have mentioned above. But still the issue persists.

setup.ilm.enabled: false
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      json.message_key: log
      templates:
        - condition:
            equals:
              docker.container.labels.filebeat_enable: "true"
          config:
            - type: container
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log
              max_bytes: 1048576
              json.keys_under_root: true
              json.add_error_key: false
              multiline.pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
              multiline.negate: true
              multiline.match: after
              multiline.timeout: 120s
              multiline.max_lines: 1000
              close_inactive: 30s
              scan_frequency: 10s

vaseem_tt · September 26, 2022, 3:10am

@system please can someone check this?

vaseem_tt · October 12, 2022, 5:07am

@system please look into this

system · November 9, 2022, 7:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.