I'm sending logs to Graylog using Filebeat on Linux with the following conf:
```yaml
filebeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            regexp:
              docker.container.name: ^.+$
          config:
            - type: container
              paths:
                - /srv/docker/containers/*/*
              exclude_lines:
                - ^\s+[\-`('.|_]
              encoding: plain
              scan_frequency: 10s
              tail_files: true
              symlinks: true
              multiline.type: pattern
              multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
              multiline.negate: true
              multiline.match: after
              json.message_key: log
              json.keys_under_root: true
```
There are several containers running on the server running the log collector. I want to collect logs for all the containers, and in fact the conf above is doing the job, BUT the information in the Filebeat container fields does not match the actual information.
I get the correct filebeat_log_file_path and the correct message, but the Filebeat container fields do not match the container from which I get the message.
Any hint, help?
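
An added example, not part of the original post: with a wildcard in `paths`, each input that autodiscover starts from the template can read every container's log files, while the container fields it attaches come from the one container that triggered that input. Filebeat's autodiscover templates can scope each input to its own container with the `${data.docker.container.id}` variable; the `/srv/docker/containers` root is taken from the post, and the `*.log` suffix is an assumption based on Docker's default json-file log naming.

```yaml
filebeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            regexp:
              docker.container.name: ^.+$
          config:
            - type: container
              paths:
                # Before (from the post): /srv/docker/containers/*/*
                # That glob matches the files of all containers in every input.
                # After: only the log of the container this input was started for,
                # so the attached container fields describe the file being read.
                - /srv/docker/containers/${data.docker.container.id}/*.log
              # Remaining settings are unchanged from the post.
              exclude_lines:
                - ^\s+[\-`('.|_]
              encoding: plain
              scan_frequency: 10s
              tail_files: true
              symlinks: true
              multiline.type: pattern
              multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
              multiline.negate: true
              multiline.match: after
              json.message_key: log
              json.keys_under_root: true
```

For a quick check after the change, the container ID directory in `filebeat_log_file_path` should match the container ID in the container fields of the same event.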