Filebeat harvest only currently running docker containers

kwojcicki · November 8, 2017, 7:31pm

I am currently running filebeat to harvest all logs in /var/lib/docker/containers//-json.log however this harvests all logs even if a container isn't running anymore. Is there a way to get around this or perhaps a different approach should be used?

exekias · November 8, 2017, 9:54pm

Hi @kwojcicki,

This is something that should not worry you if you plan to ship all logs, initial sync may be an issue though.

You can consider pruning your previous state, have a look to docker system prune command.

Also, we are already working on new features that will help with this https://github.com/elastic/beats/pull/5245

kwojcicki · November 9, 2017, 3:48pm

Hey @exekias thanks for the quick reply. The auto discover feature looks great however until that is out I am worried about dev's running filebeat locally. Asking them to constantly docker container prune seems annoying when they are starting/stopping many containers constantly. I saw your comment about using drop_event to whitelist/blacklist containers on this github issue https://github.com/elastic/beats/issues/918#issuecomment-335999673 . Is this a viable solution if so how would it work?

exekias · November 10, 2017, 10:21am

Understood, There are several things you can do:

1- Put the docker id of the container you are interested in into filebeat.yml, you can probably script this

2- Whitelist containers by name, image or labels:

For example, you can do something like this to drop any event not matching any of the images you want

filebeat.prospectors:
- type: log
  paths:
   - '/var/lib/docker/containers/*/*.log'
  json.message_key: log
  json.keys_under_root: true
  processors:
  - add_docker_metadata: ~
  - drop_event.when.not.or:
      - equals:
          docker.contaner.image: busybox
      - equals:
          docker.contaner.image: alpine

kwojcicki · November 13, 2017, 7:01pm

We decided to go for option #1 as mentioned was a fairly simple script . The auto discover feature is there an ETA for when it will be merged and generally available?

exekias · November 15, 2017, 4:24pm

I don't have an ETA on when it will merged, although it's pretty advanced Once that happens it should make it to the next release in the 6.X line.

kwojcicki · November 15, 2017, 4:50pm

Sounds good I will follow the github PR to see when its merged. Thanks for the help this can be closed

Topic		Replies	Views
Docker implementation - Filebeats 7.17.2 - drop_events not working Beats docker , filebeat	9	782	May 29, 2022
Filebeat Docker input: exclude container by name Beats docker , filebeat	1	1248	June 6, 2022
Filebeat autodicover with docker doesn't see any logs from the containers Beats filebeat	2	366	April 24, 2019
Filebeat 6.3.2 doesn´t detect every started container Beats filebeat	7	838	September 27, 2018
How to include specified docker containers in Filebeat? Beats docker , filebeat	3	464	October 3, 2019

Filebeat harvest only currently running docker containers

Related topics