Filebeat with docker compose

Hello everyone

I am trying to send the logs generated by Cowrie to Logstash:

Here is my docker compose:

version: '3'
volumes:
  cowrie-etc:
    driver: local
  cowrie-var:
    driver: local
services:
  cowrie:
    container_name: cowrie      
    restart: always
    build:
      context: .
      dockerfile: ./cowrie/Dockerfile

    ports:
      - "2222:2222"
      - "2223:2223"
    volumes:
      - cowrie-etc:/cowrie/cowrie-git/etc
      - cowrie-var:/cowrie/cowrie-git/var/log/cowrie


  filebeat:
    image: docker.elastic.co/beats/filebeat:7.5.1
    container_name: filebeat      
    user: root
    volumes:
      - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - cowrie-var:/data/cowrie:ro
      - /home/ubuntu/demo/:/data/cowrie:ro

    environment:
      - LOGSTASH_HOST='${LOGSTASH_HOST}'
    command: ["--strict.perms=false"]
    networks:
      - docker_elk

networks:
  docker_elk:
    driver: bridge

And this is my filebeat.yml config file:

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /data/cowrie/*.log
      - /data/cowrie/*.json*

output:
  #logstash:
  #  hosts: ["${LOGSTASH_HOST}"]
  #  bulk_max_size: 1024
  #  username: "elastic"
  #  password: "password"

  console:
    pretty: true

When I run the containers, Filebeat doesn't seem to work, as it doesn't print any log. I don't have any clue why it is not working. The container is up.

Hope someone can help me.

Can you verify that the Cowrie logs are present in the mount inside the Filebeat container?

docker exec -it filebeat ls -al /data/cowrie

If they are present as expected, then could you temporarily add logging.level: debug to your filebeat.yml config file and restart the Filebeat container? Then please post the first 100 lines or so of your Filebeat container logs, after masking out any sensitive information.

Thanks,

Shaunak
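
The mount check suggested in the reply above, taken one step further as an added example (not part of the original thread and not Filebeat's own code): a shell function that counts the files in a directory that match the two input globs from the posted filebeat.yml (`*.log` and `*.json*`) and are readable and non-empty. The function name `harvestable_count` is an assumption made for this example.

```shell
#!/bin/sh
# Added example. Counts the files in DIR that the posted Filebeat input globs
# (*.log and *.json*) would match and that actually contain data to read.
# Diagnostics go to stderr; the count goes to stdout.
# Returns 2 when DIR does not exist (for example, the volume is not mounted).
#
# Intended use inside the Filebeat container: harvestable_count /data/cowrie

harvestable_count() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi

    count=0
    # Note: the shell's * skips dotfiles, so hidden files are not considered.
    for f in "$dir"/*; do
        # An empty directory leaves the pattern unexpanded; skip non-files.
        [ -f "$f" ] || continue

        # Apply the two patterns from filebeat.yml to the base name only,
        # so a file matching both patterns is counted once.
        case ${f##*/} in
            *.log|*.json*) ;;
            *) continue ;;
        esac

        if [ ! -r "$f" ]; then
            echo "unreadable: $f" >&2
        elif [ ! -s "$f" ]; then
            echo "empty: $f" >&2
        else
            count=$((count + 1))
        fi
    done

    echo "$count"
}
```

A result of 0 means Filebeat has nothing to harvest from that mount, whatever the output section says; the debug log requested in the reply is the next step when the count is above 0. To use it, open a shell in the container with `docker exec -it filebeat sh`, paste the function, and run `harvestable_count /data/cowrie`.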
