Filebeat 7.2.0 Container Input: Error Reading Docker Output

DougR · July 17, 2019, 4:44pm

I have installed Filebeat 7.2.0 on a host in our Docker cluster to test the container input.

This is the container input segment of my filebeat.yml for that host:

filebeat:
  inputs:
    - type: container
      paths:
        - /var/lib/docker/containers/*/*.log

However, I am getting the following error in the logs:

Jul 17 11:32:05 <docker-host> filebeat[23063]: 2019-07-17T11:32:05.298-0500        ERROR        log/harvester.go:280        Read line error: invalid CRI log format; File: /var/lib/docker/containers/1adbe9378a731b9b8a96f40b46039476eee8bad9bd410e5b02f3fc2bdf6234d6/container-cached.log
Jul 17 11:32:05 <docker-host> filebeat[23063]: 2019-07-17T11:32:05.303-0500        ERROR        log/harvester.go:280        Read line error: invalid CRI log format; File: /var/lib/docker/containers/34c211f3fd10d6ab445bd65c03bfd22ba87043a67888de64b67a7e03deeef1f7/container-cached.log
Jul 17 11:32:05 <docker-host> filebeat[23063]: 2019-07-17T11:32:05.305-0500        ERROR        log/harvester.go:280        Read line error: invalid CRI log format; File: /var/lib/docker/containers/54af27d74e66a69b4e6fc714d4949aec11bdc9aa584fadd67df69f3a53407cea/container-cached.log
Jul 17 11:32:05 <docker-host> filebeat[23063]: 2019-07-17T11:32:05.313-0500        ERROR        log/harvester.go:280        Read line error: invalid CRI log format; File: /var/lib/docker/containers/8c380bdc6577bd806f662b46ace79ebf692f44dd80c35014c1e81745e3d60075/container-cached.log
Jul 17 11:32:05 <docker-host> filebeat[23063]: 2019-07-17T11:32:05.319-0500        ERROR        log/harvester.go:280        Read line error: invalid CRI log format; File: /var/lib/docker/containers/167f71a9923034dfa435853ee03219b3107ff10d2e6cd2d7a367d05f3e4999fc/container-cached.log

martinr_ubi · July 17, 2019, 6:08pm

Please share a sample of such log files properly formatted or in gist so someone can hopefully assist you.

DougR · July 18, 2019, 5:33pm

In doing a further dive, it appears that our logs are being directed to syslogd and some junk characters are being injected into them. We're still using Docker 18.07, which can only send to a single log destination; multi-destination logs weren't introduced until 18.09, I believe. Our Docker admins are checking into this.

system · August 15, 2019, 5:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat 6.4.2 Read line error: invalid CRI log format; File Beats filebeat	18	3446	January 2, 2019
Invalid CRI error (Filebeat 7.17 + docker) Beats docker , filebeat	1	238	September 13, 2023
Filebeat 7.17.3 invalid CRI log format error Beats docker , filebeat	6	1831	July 14, 2022
Read line error: invalid CRI log; filbeat halts processing logs Beats filebeat	12	6176	September 28, 2018
Filebeat 6.4.2 and 6.5.1: Read line error: "parsing CRI timestamp" and "invalid CRI log format" Beats filebeat	9	4083	February 13, 2019

Filebeat 7.2.0 Container Input: Error Reading Docker Output

Related topics