ELK no read logs from docker containers

angie · May 24, 2019, 10:13am

hello,

Filebeat is not reading docker logs, of course, because of permission:
Exiting: error initializing publisher: error initializing processors: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Could you please tell me what command should I add?

docker-compose.yml
filebeat:
image: docker.elastic.co/beats/filebeat:6.6.0
volumes:
- ./conf/filebeat.yml:/usr/share/filebeat/filebeat.yml
- /var/lib/docker/containers:/var/lib/docker/containers:ro
depends_on:
- elasticsearch

filebeat.yml

filebeat.inputs:
- type: docker
  containers.ids: '*'
  json.message_key: message
  json.keys_under_root: true
  json.add_error_key: true
  json.overwrite_keys: true

processors:
- add_docker_metadata: ~

# setup filebeat to send output to logstash
output.logstash:
  hosts: ["localhost:5044"]

I look forward to hearing from you.

faec · May 28, 2019, 7:18pm

This looks like possibly a problem in the docker environment rather than the filebeat configuration. Is the Docker daemon running, and if so what do you see in /var/run/docker.sock?

system · June 25, 2019, 7:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.