Filebeat dropping events

smanoranjan005 · April 29, 2021, 1:39pm

Hi,

I am using filebeat as daemonset in Kubernetes to transfer application logs to Logstash to Elasticsearch. But the issue here is there is some data drop during this transfer to ES.
There is only one filter in filebeat configmap to read only application namespace data.
I am validating the data on ES with the pod logs and found lots of data loss.
If there are 4 pods running for an application, I am not getting all 4 pods logs in ES.

I have checked filebeat & ES logs, but not able to find any error related to event rejection from ES.
I have tried to save filebeat output in the file and found the data loss there also.

I am using the latest(7.12) version of filebeat, logstash & elasticsearch.

Please help me here.

legoguy1000 · April 29, 2021, 5:08pm

can you provide the configs for Filebeat and Logstash?

smanoranjan005 · April 30, 2021, 3:21am

Filebeat config:
filebeat.yml: |-
filebeat.inputs:

type: container
paths:
- /var/log/containers/*.log
  processors:
- add_kubernetes_metadata:
  host: ${NODE_NAME}
  matchers:
  - logs_path:
    logs_path: "/var/log/containers/"
- drop_event:
  when:
  equals:
  kubernetes.namespace: "istio-system"
- drop_event:
  when:
  equals:
  kubernetes.namespace: "kube-system"
- drop_event:
  when:
  equals:
  kubernetes.namespace: "kube-public"
- drop_event:
  when:
  equals:
  kubernetes.namespace: "monitoring"

setup.ilm.enabled: false
multiline.type: pattern
multiline.pattern: '^['
multiline.negate: false
multiline.match: after

output.elasticsearch:
hosts: ['logstash:5044']

Logstash config:
input {
beats {
port => "5044"
}
}
filter {
grok {
match => {"message" => ["[AUDIT] %{GREEDYDATA:message}"]}
overwrite => [ "message" ]
add_tag => ["audit"]
}
}
output {
if "audit" in [tags] {
elasticsearch {
hosts => [ "node1", "node2", "node3" ]
index => "audit-%{+YYYY.MM.dd}"
}
}
if [kubernetes][container][name] == "app1" {
elasticsearch {
hosts => [ "node1", "node2", "node3" ]
index => "app1-%{+YYYY.MM.dd}"
}
}
else if [kubernetes][container][name] == "app2" {
elasticsearch {
hosts => [ "node1", "node2", "node3" ]
index => "app2-%{+YYYY.MM.dd}"
}
}
else if [kubernetes][container][name] in ["app5", "app6", "app6-1", "app7", "app8", "app9", "app10", "app11"] {
elasticsearch {
hosts => [ "node1", "node2", "node3" ]
index => "inventory-%{+YYYY.MM.dd}"
}
}
else if [kubernetes][container][name] == "app4" {
elasticsearch {
hosts => [ "node1", "node2", "node3" ]
index => "app4-%{+YYYY.MM.dd}"
}
}
else {
elasticsearch {
hosts => [ "node1", "node2", "node3" ]
index => "filebeat-%{+YYYY.MM.dd}"
}
}
}

The count of concurrent files filebeat should read in our my environment will be 100-120.

legoguy1000 · April 30, 2021, 11:13am

Can u please use the code format option so it's easier to read.

smanoranjan005 · April 30, 2021, 12:37pm

Filebeat config:

filebeat.yml: |-
  filebeat.inputs:
  - type: container
    paths:
      - /var/log/containers/*.log
    processors:
      - add_kubernetes_metadata:
          host: ${NODE_NAME}
          matchers:
          - logs_path:
              logs_path: "/var/log/containers/"
      - drop_event:
          when:
            equals:
              kubernetes.namespace: "istio-system"
      - drop_event:
          when:
            equals:
              kubernetes.namespace: "kube-system"
      - drop_event:
          when:
            equals:
              kubernetes.namespace: "kube-public"
      - drop_event:
          when:
            equals:
              kubernetes.namespace: "monitoring"
  processors:
    - drop_fields:
          fields: ["agent.ephemeral_id", "agent.hostname", "agent.id", "agent.type", "agent.version", "ecs.version", "input.type", "log.offset", "version", "kubernetes.labels.pod-template-hash", "kubernetes.pod.uid", "kubernetes.replicaset.name", "log.file.path", "log.offset", "kubernetes.node.name", "kubernetes.namespace", "kubernetes.labels.tier"]

  setup.ilm.enabled: false
  multiline.type: pattern
  multiline.pattern: '^\['
  multiline.negate: false
  multiline.match: after

  output.logstash:
    hosts: ['logstash:5044']

Logstash Config:

input {
  beats {
    port => "5044"
  }
}
filter {
  grok {
    match => {"message" => ["[AUDIT] %{GREEDYDATA:message}"]}
    overwrite => [ "message" ]
    add_tag => ["audit"]
  }
}

output {
  if "audit" in [tags] {
    elasticsearch {
      hosts => [ "node1", "node2", "node3" ]
      index => "audit-%{+YYYY.MM.dd}"
    }
  }
  else if [kubernetes][container][name] == "app1" {
    elasticsearch {
      hosts => [ "node1", "node2", "node3" ]
      index => "app1-%{+YYYY.MM.dd}"
    }
  }
  else if [kubernetes][container][name] == "app2" {
    elasticsearch {
      hosts => [ "node1", "node2", "node3" ]
      index => "app2-%{+YYYY.MM.dd}"
    }
  }
  else if [kubernetes][container][name] in ["app5", "app6", "app6-1", "app7", "app8", "app9", "app10", "app11"] {
    elasticsearch {
      hosts => [ "node1", "node2", "node3" ]
      index => "inventory-%{+YYYY.MM.dd}"
    }
  }
  else if [kubernetes][container][name] == "app4" {
    elasticsearch {
      hosts => [ "node1", "node2", "node3" ]
      index => "app4-%{+YYYY.MM.dd}"
    }
  }
  else {
    elasticsearch {
      hosts => [ "node1", "node2", "node3" ]
      index => "filebeat-%{+YYYY.MM.dd}"
    }
  }
}

smanoranjan005 · May 6, 2021, 8:04am

Any luck here?

smanoranjan005 · May 17, 2021, 7:50am

Any update?

system · June 14, 2021, 9:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat configuration file troubles Beats docker , filebeat	1	249	August 3, 2021
Filebeat 7.10 fails to collect events from multiple kubernetes pods Beats filebeat	7	699	April 17, 2021
Just cannot have filebeat ouput right! Beats filebeat	2	1314	October 15, 2018
Filebeat opening two harvesters for the same file Beats docker , filebeat	1	825	November 12, 2020
Kubernetes - Filebeat stops sending/picking up logs Beats filebeat	17	6440	June 26, 2018

Filebeat dropping events

Related topics