I have filebeat set up alongside elasticsearch, logstash, kibana and other containers in docker using a docker-compose file. To monitor the host with this filebeat instance as well, I have the host /var/log/syslog mounted into the container under the same path. It uses the system module to parse the logs and send them to logstash.
filebeat:
  config:
    modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
  modules:
    - module: system
It works for some time, but then just stops (I assume when the log is rotated).
Filebeat frequently logs "File is inactive: /var/log/syslog. Closing because close_inactive of 5m0s reached." and always starts a new harvester until at some point it doesn't. I thought the close_inactive setting might help, but that does not seem to be available for system.
I'd be grateful for any ideas or pointers!