I am using filebeat to ship container logs to ELK. I have way too much metadata that I don't need: container.id, container.name, container.labels, container.image and so on. The only one I need here is container.name, so I am trying to drop the rest.

This is my configuration file, but what had worked for dropping the host meta isn't working for dropping the docker metadata. Am I missing something?

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: true
  paths:
    - /home/logs/**/*.log
- type: container
  enabled: true
  paths:
    - "/var/lib/docker/containers/*/*.log"
filebeat.config.modules:
  path: /etc/filebeat/modules.d/*.yml
  reload.enabled: false
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"
  - drop_fields:
      fields: ["container.id", "container.labels", "container.image"]
  - decode_json_fields:
      fields: ["message"]
      target: "json"
      overwrite_keys: true
  - drop_fields:
      fields: ["agent", "cloud", "ecs", "host", "input", "tags"]
      ignore_missing: true
output.logstash:
  hosts: ["${elasticip}:5044"]