This on its own is working as expected; we get logs for pods that have the logging annotation on them, with cloud metadata attached to the event.
We thought we could add hints.enabled: true to the configuration that would then allow certain pods to specify custom parsing operations (i.e. to handle the presence of multiline logs). However, when adding hints.enabled: true to the provider configuration (example below), suddenly everything from Kubernetes starts getting logged, and is also missing the cloud metadata:
What we're after is the ability to send logs only from pods that have a specific annotation, and then provide a further option on top of that (using hints) to provide annotations to help better parse multiline messages etc. Is that possible?
When you are using hints, all logs are retrieved by default, as you said. But you can change that behavior, as templates are evaluated first, for instance creating a template that throws no configs.
Also, there is a hint to disable logging, try: co.elastic.logs/disable: true. I'll have a look at the docs; we may need to include this one.
Thanks very much for the quick response! I'm pretty new to using Filebeat, would you possibly be able to clarify what you mean by this?
for instance creating a template that throws no configs
Are there any plans/would a feature request be welcomed to have an inverse of the current behaviour, with an option to default no log collection by hints, and only enabled when co.elastic.logs/enable: true is set?
As templates are processed first, if logging == false, hints won't be processed. In practice this removes the need for adding it as a feature, as you can use these settings to get the behavior you want.
As I understand it from that example, files will be processed for anything with logging == false
Apologies if I'm missing the point (quite likely), ideally I don't want to rely on everything having to include an annotation to be excluded from logging, I'd rather that be the default and there be an annotation to opt in
Uhm, I think you are right, after checking the code, hints will work as long as you don't provide a valid config. This is useful to override some behavior, but not to cancel it entirely.
In this case, I would be OK with accepting a feature or pull request to support what you need. Feel free to open a new issue, please give as much detail as possible: https://github.com/elastic/beats/issues
I have managed to almost achieve what I was after. I've been able to use the hints autodiscover to only publish logs with a specific annotation, whilst also being able to make use of multiline hints:
The last thing I'm struggling to get working is tail_files within the Kubernetes autodiscovery (since our Filebeat instances are stateless). Currently when a Filebeat restarts it ends up scraping logs that have already been scraped, resulting in duplicated messages being published.
Is there somewhere I can configure the hints discovery/kubernetes logger to only tail files?
Neither of the configs below appears to work: