I'm trying to configure filebeat and my pods in kubernetes to use auto disscover and hints. I found this previous topic: Filebeat autodiscover for Kubernetes uses inconsistent log files path by default but it's now closed.
At this point in time I'm unable to upgrade past 7.17, so I was curious what the proper workaround should be.
Thanks
Did you get this working?
filebeat.autodiscover:
providers:
- type: kubernetes
host: ${NODE_NAME}
hints:
enabled: true
default_config:
enabled: true
paths:
- /var/log/pods/*${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log
add_resource_metadata:
namespace:
enabled: true
If I use this config, I get all logs no matter if the namespace or deployment is annotated or not
annotations:
co.elastic.logs/enabled: 'true'
I feel like I had this working at some point. Are you saying it works in 7.17? And then I should disable config? I am on OpenShift 4.10 by the way.
I think I got it working by disabling default_config. This is my config now:
filebeat.autodiscover:
providers:
- type: kubernetes
hints:
enabled: true
default_config:
enabled: false
paths:
- /var/log/pods/*${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log
add_resource_metadata:
namespace:
enabled: true
output.logstash:
hosts: ["*****:5044"]
ssl.enabled: true
Why it reads paths when default_config is disabled, I don't know, but changing path was required for it to find the logs. Note that this is for OpenShift, so the path might be a bit different for Kubernetes running containerd or cri-o (I had to add the * before pod uid variable).
I also have no idea what "host: ${NODE_NAME}" is supposed to do...
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.