Filebeat autodiscovery logging twice

strowi · February 24, 2019, 12:06pm

Hi,

i'm currently playing with hint-based autodiscovery in kubernetes. So far my tests with an nginx-deployment seem to work fine, except that the logline appears twice in elasticsearch.
One time as "message", the other time as nginx-parsed output.

Is there a way to only log the parsed log with hint-based discovery?

regards,
strowi

kvch · February 25, 2019, 11:17am

Could you please share your configuration formatted using </>?

strowi · February 25, 2019, 12:34pm

Here is the one from filebeat:

logging.level: 'debug'
tags: ['k8-rancher2-tier']
name: ${FILEBEAT.NAME}

output.elasticsearch:
  index: "logs-%{+yyyy.MM.dd}"

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false
  inputs:
    path: ${path.config}/prospectors.d/*.yml
    reload.enabled: false
    ignore_older: 24h

setup:
  template:
    name: "logs"
    pattern: "logs-*"

  kibana:
    host: 

  dashboards:
    enabled: true
    index: "logs-*"

filebeat.inputs:
- type: log
  enabled: true
  paths:
  - /var/log/messages
  - /var/log/syslog

- type: docker
  containers.ids:
  - "*"
  processors:
    - add_kubernetes_metadata:
        in_cluster: "true"
    - drop_event:
        when:
          regexp:
            kubernetes.container.name: ".*(heapster|kube-state-metrics).*"
    - drop_event:
        when:
          not:
            regexp:
              kubernetes.pod.name: ".+"


filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true

and an example nginx-deployment:

---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    team: roman
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        co.elastic.logs/module: nginx
        co.elastic.logs/fileset.stdout: access
        co.elastic.logs/fileset.stderr: error
    spec:
      containers:
      - name: nginx
        image: nginx:alpine
        ports:
        - containerPort: 80

kvch · February 25, 2019, 2:44pm

Where does your nginx put your logs? Have you enabled the nginx module?
It is possible that your logs are duplicated, because you have configured both the nginx module and the log input of Filebeat to read the logs. If yes, please make sure that you only configure a file once, otherwise it can lead to problems in state handling.
You can validate my theory by checking if the duplicated events have fileset.module and fileset.name keys with values.

system · March 25, 2019, 2:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat 7.3.0 with kubernetes autodiscover and nginx module creating duplicate log entries Beats filebeat	1	1322	September 21, 2019
Filebeat hints-based autodiscover for JSON encoded logs Beats filebeat	1	1111	May 3, 2019
Module nginx save documents twice with kubernetes autodiscover Beats filebeat	5	937	March 14, 2019
Filebeat as Daemonset for all Kubernetes Logs (including nginx) Beats filebeat	4	4113	March 2, 2019
Autodiscover hints.enabled logs all pods Beats filebeat	2	1238	November 13, 2019

Filebeat autodiscovery logging twice

Related topics