Docker logs are not coming

Hi Team,

I am trying to configure Docker logs forwarding to ELK through filebeat. I have followed (https://www.elastic.co/blog/enrich-docker-logs-with-filebeat).

I can see Docker logs in Kibana, but without the log message and with no Docker-related info.

Please suggest if any other configuration is required.

filebeat yml (filebeat-7.3.2-1.x86_64) :-
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /VMWNODE/docker/containers/*/*.log
    json.message_key: log
    json.keys_under_root: true
    processors:
      - add_docker_metadata:
          host: "unix:///var/run/docker.sock"

docker version :-
Docker version 19.03.1, build 74b1e89

Kibana JSON
{
"_index": "filebeat-7.3.2-2020.01.09-000001",
"_type": "_doc",
"_id": "2ad5im8BisIPkQkKIfp5",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-01-09T13:23:10.607Z",
"ecs": {
"version": "1.0.1"
},
"log": {
"offset": 68782907,
"file": {
"path": "/VMWNODE/docker/containers/2e65d4a4f8f6f337877736b21195de83c4663009a876faace614509f66761f9e/2e65d4a4f8f6f337877736b21195de83c4663009a876faace614509f66761f9e-json.log"
}
},
"stream": "stdout",
"time": "2020-01-08T21:22:58.353467812Z",
"input": {
"type": "log"
},
"container": {
"id": "2e65d4a4f8f6f337877736b21195de83c4663009a876faace614509f66761f9e-json.log"
},
"host": {
"hostname": "N1PBBL-EXPA0159",
"architecture": "x86_64",
"name": "N1PBBL-EXPA0159",
"os": {
"codename": "Maipo",
"platform": "rhel",
"version": "7.6 (Maipo)",
"family": "redhat",
"name": "Red Hat Enterprise Linux Server",
"kernel": "3.10.0-957.21.2.el7.x86_64"
},
"id": "f462e1d352fd42739bea16c0ed67b21e",
"containerized": false
},
"agent": {
"ephemeral_id": "67dddafd-cf42-43c8-b727-1ba847c60430",
"hostname": "N1PBBL-EXPA0159",
"id": "65528822-8256-4813-9f44-dc4cfbd47a22",
"version": "7.3.2",
"type": "filebeat"
}
},
"fields": {
"@timestamp": [
"2020-01-09T13:23:10.607Z"
],
"suricata.eve.timestamp": [
"2020-01-09T13:23:10.607Z"
]
},
"sort": [
1578576190607
]
}

Hi, is it possible that your logs are not being ingested by Elasticsearch/Logstash correctly? What is filebeat's output?

Hi,
If I have used a simple log path in the YML file, I can see Docker logs in Kibana:
  - type: log
    enabled: true
    paths:
      - /VMWNODE/docker/containers/*/*.log

Also I have tried the container input in the YML file; it's working, but without the container name and other details :-

  - type: container
    paths:
      - '/VMWNODE/docker/containers/*/*.log'

processors:
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"

  - decode_json_fields:
      fields: ["message"]
      target: "json"
      overwrite_keys: true

logging.json: true
logging.metrics.enabled: false

JSON :-
{
"_index": "filebeat-7.3.2-2020.01.09-000001",
"_type": "_doc",
"_id": "O8fZjW8BisIPkQkKjFqk",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-01-10T05:07:17.718Z",
"stream": "stdout",
"input": {
"type": "container"
},
"ecs": {
"version": "1.0.1"
},
"host": {
"containerized": false,
"hostname": "N1PBBL-EXPA0159",
"name": "N1PBBL-EXPA0159",
"architecture": "x86_64",
"os": {
"platform": "rhel",
"version": "7.6 (Maipo)",
"family": "redhat",
"name": "Red Hat Enterprise Linux Server",
"kernel": "3.10.0-957.21.2.el7.x86_64",
"codename": "Maipo"
},
"id": "f462e1d352fd42739bea16c0ed67b21e"
},
"agent": {
"ephemeral_id": "3bf716c6-5ab1-4a2b-a184-646439ffa9ea",
"hostname": "N1PBBL-EXPA0159",
"id": "65528822-8256-4813-9f44-dc4cfbd47a22",
"version": "7.3.2",
"type": "filebeat"
},
"message": " [fabsdk/fab] 2020/01/10 05:07:17 UTC - comm.(*CachingConnector).sweepAndRemove -> DEBU connection janitor closing connection [peer1.airtel.com:7051]",
"log": {
"offset": 92473190,
"file": {
"path": "/VMWNODE/docker/containers/b506a1f1c7fc8728b1961782de459fd9a4c3b085475caf78d1fdba1c076f49b9/b506a1f1c7fc8728b1961782de459fd9a4c3b085475caf78d1fdba1c076f49b9-json.log"
}
}
},
"fields": {
"@timestamp": [
"2020-01-10T05:07:17.718Z"
],
"suricata.eve.timestamp": [
"2020-01-10T05:07:17.718Z"
]
},
"sort": [
1578632837718
]
}

How can I collect container-related info in Kibana? (The container name is important.)
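An added diagnostic, not part of any post in this thread: Filebeat's `add_docker_metadata` processor takes the container ID from the log path at `match_source_index` (default 4, which fits `/var/lib/docker/containers/<id>/`), and the first Kibana document above shows `container.id` ending in `-json.log`. The Python sketch below reproduces that split on the paths from this thread and reports which index lands on the 64-character ID directory. It assumes empty path segments are dropped before indexing; the function names are made up for this example.

```python
import re

# Container IDs copied from the two Kibana documents in this thread.
ID_A = "2e65d4a4f8f6f337877736b21195de83c4663009a876faace614509f66761f9e"
ID_B = "b506a1f1c7fc8728b1961782de459fd9a4c3b085475caf78d1fdba1c076f49b9"
THREAD_PATHS = [f"/VMWNODE/docker/containers/{i}/{i}-json.log" for i in (ID_A, ID_B)]
# Constructed path using Docker's default data root, for comparison.
DEFAULT_ROOT_PATH = f"/var/lib/docker/containers/{ID_A}/{ID_A}-json.log"

CONTAINER_ID = re.compile(r"[0-9a-f]{64}")
DEFAULT_INDEX = 4  # documented default of match_source_index


def segments(path):
    """Split on '/' and drop empty parts (assumed to mirror the processor)."""
    return [p for p in path.split("/") if p]


def extracted_id(path, index=DEFAULT_INDEX):
    """Segment that would be used as container.id, or None if out of range."""
    parts = segments(path)
    return parts[index] if 0 <= index < len(parts) else None


def id_index(path):
    """Index of the first segment that is exactly a 64-hex container ID."""
    for i, part in enumerate(segments(path)):
        if CONTAINER_ID.fullmatch(part):
            return i
    return None


def diagnose(path):
    """Compare what the default index extracts with where the ID really is."""
    got = extracted_id(path)
    return {
        "extracted": got,
        "usable": bool(got and CONTAINER_ID.fullmatch(got)),
        "match_source_index": id_index(path),
    }


if __name__ == "__main__":
    for p in THREAD_PATHS + [DEFAULT_ROOT_PATH]:
        print(p, diagnose(p))
```

With the Docker root under `/VMWNODE/docker`, the reported index is 3, which is the value to try for `match_source_index` under `add_docker_metadata`.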

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.