"docker" or "log" input/prospector for Docker JSON logs?


#1

We currently use the "logs" prospector to collect JSON logs that Docker outputs. I just recently noticed there is now a native "docker" input [1]. What are the benefits of using this over the "logs" prospector?

[1] https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-docker.html


(ruflin) #2

The main advantage of the docker prospector over the log prospector is that it already works out of the box and the settings to make the log prospector work with the docker files are already set.

Another advantage is that it allows us to make docker-specific tweaks to it on the code side. A good example that happened recently is the detection of the multiline events in the docker log (coming from docker). As this is something we do on the code side and is specific to docker logs, it will only be in the docker prospector. So in general, if you consume docker logs, I would recommend using the docker prospector.
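The multiline handling mentioned in the post above, sketched as an added example that is not part of the original thread and is not Filebeat's own code: it reassembles application lines that Docker wrote as several JSON records. It assumes the json-file layout (`log`, `stream`, `time` keys) and that only the last fragment of a split line ends in a newline; `join_partial` and the sample records are constructed for illustration.

```python
import json

# Constructed sample in the Docker json-file layout. Records 2 and 4 are one
# application line that was split: only the final fragment ends in "\n".
SAMPLE = [
    '{"log":"user=alice action=login\\n","stream":"stdout","time":"2018-05-01T10:00:00Z"}',
    '{"log":"user=bob action=upload data=AAAA","stream":"stdout","time":"2018-05-01T10:00:01Z"}',
    '{"log":"disk warning\\n","stream":"stderr","time":"2018-05-01T10:00:02Z"}',
    '{"log":"BBBB status=ok\\n","stream":"stdout","time":"2018-05-01T10:00:03Z"}',
]


def join_partial(lines):
    """Yield one event per application log line, joining fragments per stream."""
    pending = {}  # stream -> (timestamp of first fragment, text so far)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
            text, stream, ts = rec["log"], rec["stream"], rec["time"]
            if not (isinstance(text, str) and isinstance(stream, str)):
                raise TypeError("log and stream must be strings")
        except (ValueError, KeyError, TypeError):
            # Keep unparseable input visible instead of silently dropping it
            yield {"stream": None, "time": None, "message": raw, "error": "bad record"}
            continue
        first_ts, buf = pending.pop(stream, (ts, ""))
        buf += text
        if buf.endswith("\n"):
            yield {"stream": stream, "time": first_ts, "message": buf[:-1]}
        else:
            pending[stream] = (first_ts, buf)
    # Fragments with no terminating record (truncated file) are flagged
    for stream, (ts, buf) in pending.items():
        yield {"stream": stream, "time": ts, "message": buf, "partial": True}


if __name__ == "__main__":
    for event in join_partial(SAMPLE):
        print(event)
```

Buffering per stream keeps an interleaved stderr record from being glued into a stdout line, and the `partial` and `error` markers keep truncated or malformed records visible downstream rather than dropped.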


#3

The "docker" prospector is not yet available (in 6.2.4), correct? If not - do you have any idea when it will be released?


(ruflin) #4

The docker prospector should already be in 6.2: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html

Some of the features mentioned above like multiline are not in 6.2 yet.


#5

The docker "input" [1] is not available in 6.2.4, though, correct? Are "inputs" just a terminology change from "prospectors"?

[1] https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-docker.html


(ruflin) #6

Yes, input is just a terminology change. In the config you can still use both.

