Filebeat autodiscover for Kubernetes uses incorrect log path

I'm trying to configure filebeat and my pods in kubernetes to use auto disscover and hints. I found this previous topic: Filebeat autodiscover for Kubernetes uses inconsistent log files path by default but it's now closed.

At this point in time I'm unable to upgrade past 7.17, so I was curious what the proper workaround should be.

Thanks

1 Like

Did you get this working?

filebeat.autodiscover:
      providers:
        - type: kubernetes
          host: ${NODE_NAME}
          hints:
            enabled: true
            default_config:
              enabled: true
              paths:
                - /var/log/pods/*${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log
          add_resource_metadata:
            namespace:
              enabled: true

If I use this config, I get all logs no matter if the namespace or deployment is annotated or not

annotations:
  co.elastic.logs/enabled: 'true'

I feel like I had this working at some point. Are you saying it works in 7.17? And then I should disable config? I am on OpenShift 4.10 by the way.

I think I got it working by disabling default_config. This is my config now:

filebeat.autodiscover:
      providers:
        - type: kubernetes
          hints:
            enabled: true
            default_config:
              enabled: false
              paths:
                - /var/log/pods/*${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log
          add_resource_metadata:
            namespace:
              enabled: true
output.logstash:
      hosts: ["*****:5044"] 
      ssl.enabled: true

Why it reads paths when default_config is disabled, I don't know, but changing path was required for it to find the logs. Note that this is for OpenShift, so the path might be a bit different for Kubernetes running containerd or cri-o (I had to add the * before pod uid variable).

I also have no idea what "host: ${NODE_NAME}" is supposed to do...