I'm using Filebeat as a docker container and I keep having problems with trying make sure that nginx error logs and access logs go to the right place. It seems that they just go to both places. I setup a different logstash port for each one.
Here's how I launch a container:
sudo docker run -d -v /path/to/nginx/logs:/var/log/nginx -v /path/to/filebeats/nginx_access.yml:/usr/share/filebeat/filebeat.yml --name nginx_access docker.elastic.co/beats/filebeat:5.4.2;
Here's how my filebeat.yml file is:
filebeat.prospectors: - input_type: log paths: - /var/log/nginx/access*.log exclude_files: [".gz$"] output.logstash: hosts: ["host:9251"]
I've also tried using /var/log/nginx/access*.log* as one of the paths, but each filebeat container will still read all of the log files. Am i doing something wrong? Should I upgrade the container to the latest version?