Hello. I want to parse logs from a Java app running in a Kubernetes pod. I have a Filebeat configuration like this:
```yaml
filebeat.autodiscover:
  providers:
    - type: kubernetes
      templates:
        - condition.or:
            - equals.kubernetes.labels.app: my-app
          config:
            - type: container
              paths:
                - /var/log/containers/*-${data.kubernetes.container.id}.log
              ignore_decoding_error: false
              symlinks: true
              processors:
                - dissect:
                    tokenizer: '%{} %{} %{log.level} %{log.logger} - %{log.origin.function} %{log.original}'
                    field: "message"
                    target_prefix: ""
processors:
  - add_host_metadata:
  - add_kubernetes_metadata:
      host: ${NODE_NAME}
      matchers:
        - logs_path:
            logs_path: "/var/log/containers/"
  - rename:
      ignore_missing: true
      fields:
        - from: "file"
          to: "file.name"
output.elasticsearch:
  host: '${NODE_NAME}'
  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'
setup.ilm:
  enabled: false
  overwrite: true
  rollover_alias: "filebeat"
  pattern: "{now/M{yyyy.MM}}-000001"
  policy_file: /usr/share/filebeat/ilm.json
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
```
Example log message:
```
2021-05-30 15:20:38 DEBUG c.t.s.a.AkkaSSLConfig - [AkkaSSLConfig(akka://main)] Initializing AkkaSSLConfig extension...
```
The dissect pattern tester shows the correct fields, but in Kibana I see only the original message with no extra fields. There are no errors in the Filebeat log.
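To check the tokenizer from the post against sample lines outside Filebeat, here is an added example (not part of the original post and not Filebeat's own code): a simplified Python model of dissect matching. It assumes only plain keys and empty skip keys `%{}` (no key modifiers), and the stack-trace line is a constructed sample.

```python
import re

# Tokenizer and sample line copied from the post above.
TOKENIZER = ("%{} %{} %{log.level} %{log.logger} - "
             "%{log.origin.function} %{log.original}")
SAMPLE = ("2021-05-30 15:20:38 DEBUG c.t.s.a.AkkaSSLConfig - "
          "[AkkaSSLConfig(akka://main)] Initializing AkkaSSLConfig extension...")
# Constructed sample: a stack-trace continuation line the tokenizer cannot match.
STACK_LINE = "\tat com.example.Main.run(Main.java:42)"


def compile_tokenizer(tokenizer):
    """Return (leading literal, [(key, delimiter that follows the key), ...])."""
    parts = re.split(r"%\{([^}]*)\}", tokenizer)
    return parts[0], list(zip(parts[1::2], parts[2::2]))


def dissect(tokenizer, line):
    """Return the extracted fields, or None when the line does not match."""
    prefix, fields = compile_tokenizer(tokenizer)
    if not line.startswith(prefix):
        return None
    pos, out = len(prefix), {}
    for key, delim in fields:
        # A key with no trailing delimiter takes the rest of the line.
        end = line.find(delim, pos) if delim else len(line)
        if end == -1:
            return None  # delimiter missing: the whole line fails to parse
        if key:  # "%{}" is a skip key: consume the text, store nothing
            out[key] = line[pos:end]
        pos = end + len(delim)
    return out


def unmatched(tokenizer, lines):
    """Lines the tokenizer fails to match."""
    return [ln for ln in lines if dissect(tokenizer, ln) is None]


if __name__ == "__main__":
    for name, value in dissect(TOKENIZER, SAMPLE).items():
        print(f"{name} = {value!r}")
    print("unmatched:", unmatched(TOKENIZER, [SAMPLE, STACK_LINE]))
```
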