I'm having trouble configuring filebeat on Kubernetes.
Let's say you want Filebeat to get the container logs from Kubernetes, but you would like to exclude some files (for example because you don't want to get logs from Filebeat, which is also running as a pod on Kubernetes).
I thought this prospector config would be right, but no luck so far:
Am I doing something wrong, or is it just not possible at the moment?
This work seems to have been made possible thanks to this PR: https://github.com/elastic/beats/pull/4981.
Using filebeat:6.1.3, btw.
Hi @exekias, thanks for the response. I tried with the single quotes, but still not working unfortunately. But actually, even trying without any exclude_files key also does not work:
So, perhaps even this config ^ is false? I know that by default Filebeat goes into /var/lib/docker/containers to get the logs. However, since the logs in that folder are referenced by an id rather than a name, it's impossible for me to exclude the ones I want, as I can't know the ids.
My understanding from that merged PR (https://github.com/elastic/beats/pull/4981) was that it was possible to configure Filebeat to get the logs from the /var/log/containers directory instead, which does contain the names of the applications. Is that true? Do you have an example for this use case?
Surely I can't be the only one needing to remove some of these logs (I hope).
Thanks,
Jeremie
Btw, I did try with the drop_event processor, and it works; however, it does become a heavy query on the logs when the list of containers to blacklist grows, which seems very inefficient to me.
Also, for your use case, we have been working on Kubernetes autodiscover, but it hasn't been released yet (it will be available with 6.2): https://github.com/elastic/beats/pull/6055
The current behaviour is that Filebeat starts on every node but does not pick up any file at all. I did mount the /var/log/containers directory into Filebeat, and I checked that it could access the files inside that folder.
Yes, I am mounting both. Actually, /var/log/containers contains symlinks to files in /var/log/pods, which in turn contains symlinks to /var/lib/docker/containers.
I started by mounting these 3 folders, but it didn't help.
I'm now testing to mount /var/log entirely, see if that would work.
It seems that the format of your configuration file is wrong, e.g. processors should not be on the same level as type and paths, but rather on the same level as filebeat.prospectors (the parent of type and paths).
Here's my config file running on our production cluster. However, I have not yet updated to 6.1; I am still using 6.0 beta plus my changes, so my config might not be fully up to date.
```yaml
filebeat.prospectors:
- type: log
  paths:
    - "/var/log/containers/*.log"
  # Don't read my own logs, and some others:
  exclude_files:
    - filebeat-.*\.log
    - default-http-backend-.*\.log
    - nginx-ingress-controller-.*\.log
  # Keys are copied top level in the output document:
  json.keys_under_root: true
  # Filebeat adds an "error.message" and "error.type: json" key in case of JSON unmarshalling errors:
  json.add_error_key: true
  # Allow Filebeat to harvest symlinks in addition to regular files
  # (the entries in /var/log/containers are symlinks):
  symlinks: true

filebeat.shutdown_timeout: 5s
filebeat.registry_file: /var/log/containers/filebeat_registry
name: ${NODE_NAME}

# Processors live at the top level, not inside the prospector:
processors:
  # In logs from our microservices, "log" contains a JSON object.
  # In logs from Kubernetes services, "log" contains the log message.
  # Fortunately, Filebeat detects the difference and decodes "log" only when it contains an escaped JSON String.
  - decode_json_fields:
      fields: ["log"]
      # Merge the decoded JSON fields into the root of the event:
      target: ""
  - add_kubernetes_metadata:
      in_cluster: true

output.elasticsearch:
  hosts:
    - xxxxxxxx
    - xxxxxxxx
    - xxxxxxxx
  username: xxxxxxxx
  password: xxxxxxxx
  index: "filebeat-%{[beat.version]}-kube-prod-%{+yyyy.MM.dd}"
  bulk_max_size: 2500

# These are required since 6.0.0-beta2 if output.elasticsearch.index is defined
setup.template.name: "filebeat-%{[beat.version]}"
setup.template.pattern: "filebeat-%{[beat.version]}-*"
```
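To see what the exclude_files patterns and the json/decode_json_fields settings in the config above actually do to real input, here is an added example that is not part of this thread and not Filebeat's own code. It emulates two pieces of the pipeline in Python: the exclude_files check (Filebeat runs each regex unanchored against the full path, so re.search is the equivalent) and the decoding of Docker json-file lines where "log" may itself hold an escaped JSON object. The file names follow the kubelet convention pod_namespace_container-containerid.log, but every pod name, id and log line below is constructed for the example.

```python
import json
import re

# Constructed sample of a kubelet's /var/log/containers directory.
# Naming convention: <pod>_<namespace>_<container>-<container_id>.log
# (all names and ids here are made up for this example).
SAMPLE_FILES = [
    "/var/log/containers/filebeat-7k2xr_kube-system_filebeat-0f3a9c1d2e4b.log",
    "/var/log/containers/nginx-ingress-controller-5d8_kube-system_nginx-ingress-controller-a1b2c3.log",
    "/var/log/containers/default-http-backend-9q1_kube-system_default-http-backend-d4e5f6.log",
    "/var/log/containers/orders-api-6b7c8_prod_orders-api-9f8e7d.log",
    # A pod whose name merely contains "filebeat-": caught by the unanchored patterns.
    "/var/log/containers/my-filebeat-shipper-1ab_prod_shipper-112233.log",
]

# The patterns from the config above, as written (unanchored).
EXCLUDE_FILES = [
    r"filebeat-.*\.log",
    r"default-http-backend-.*\.log",
    r"nginx-ingress-controller-.*\.log",
]

# Anchored variants: only exclude when the *pod name* starts with the prefix.
ANCHORED_EXCLUDES = [
    r"^/var/log/containers/filebeat-",
    r"^/var/log/containers/default-http-backend-",
    r"^/var/log/containers/nginx-ingress-controller-",
]


def harvested_files(files, exclude_patterns):
    """Return the paths a prospector would harvest after exclude_files is applied.

    Each regex is tested against the whole path with an unanchored search,
    mirroring Go's regexp.MatchString, so a pattern without ^ matches anywhere.
    """
    compiled = [re.compile(p) for p in exclude_patterns]
    return [f for f in files if not any(r.search(f) for r in compiled)]


# Constructed Docker json-file lines. Docker wraps each line as
# {"log": "...", "stream": "...", "time": "..."}; a structured microservice
# log ends up as an escaped JSON string inside "log".
STRUCTURED_LINE = json.dumps({
    "log": json.dumps({"level": "info", "msg": "order created", "order_id": 42}) + "\n",
    "stream": "stdout",
    "time": "2018-01-30T10:00:00.000000000Z",
})
PLAIN_LINE = json.dumps({
    "log": "I0130 10:00:01.000000 1 controller.go:120] Syncing backend\n",
    "stream": "stderr",
    "time": "2018-01-30T10:00:01.000000000Z",
})


def decode_docker_line(line):
    """Emulate json.keys_under_root plus decode_json_fields(fields=["log"], target="").

    The outer Docker object becomes the event. If "log" parses as a JSON object,
    its keys are merged into the event root; a plain text "log" is left alone.
    Whether the source "log" string is kept is a Filebeat detail not modelled here;
    this emulation keeps it.
    """
    event = json.loads(line)  # json.keys_under_root: true
    raw = event.get("log", "")
    try:
        inner = json.loads(raw)
    except ValueError:
        return event  # not JSON: nothing to decode
    if isinstance(inner, dict):  # only objects can be merged into the root
        event.update(inner)
    return event


if __name__ == "__main__":
    for path in harvested_files(SAMPLE_FILES, EXCLUDE_FILES):
        print("unanchored, harvested:", path)
    for path in harvested_files(SAMPLE_FILES, ANCHORED_EXCLUDES):
        print("anchored,   harvested:", path)
    print(decode_docker_line(STRUCTURED_LINE))
    print(decode_docker_line(PLAIN_LINE))
```

The unanchored patterns from the thread also drop the made-up my-filebeat-shipper pod, because "filebeat-" occurs in the middle of its path; anchoring the pattern to the directory prefix limits the exclusion to pods whose name starts with filebeat-. Exclusion this way happens before a harvester is even started, which is why it scales better than a drop_event processor evaluated on every event.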
Hi @Sven_Woltmann! Thanks a lot for your messages, I finally got it working!
You're right, the indentation was off, and I also didn't have the symlinks: true option on. Here's my final config, and I can confirm it works with filebeat:6.1.3: