I'm running Filebeat as a Docker container. I bind-mount a config file "filebeat.yml" that defines logging to files, but the logs still end up in the console, not in a file.
The config file is being read (other config values are picked up fine, e.g. "logging.json: true"). The syntax seems to be fine (filebeat test config returns OK), and the values seem to be fine too (filebeat export config output looks fine).
When I run those two commands (filebeat test config and filebeat export config), I do this by entering into the container (docker exec -it mycont /bin/bash) and running the filebeat command from command line in there. Funny enough, those two tests write logs at the locations I specify, so the locations are picked up fine, and the permissions seems to be fine:
# No logfile yet: bash-4.2$ ls -lpah ./logs total 4.0K drwxrwx---. 2 root filebeat 6 Aug 17 22:30 ./ drwxr-x---. 8 root filebeat 4.0K Aug 17 22:30 ../ # Test config: bash-4.2$ ./filebeat test config Config OK # Now a logfile is there: bash-4.2$ ls -lpah ./logs total 8.0K drwxrwx---. 2 root filebeat 30 Sep 4 13:48 ./ drwxr-x---. 8 root filebeat 4.0K Aug 17 22:30 ../ -rw-r--r--. 1 filebeat filebeat 3.6K Sep 4 13:48 this_name_please # Export config: bash-4.2$ ./filebeat export config filebeat: [...] # Now, a second logfile was created: bash-4.2$ ls -lpah ./logs total 12K drwxrwx---. 2 root filebeat 56 Sep 4 13:48 ./ drwxr-x---. 8 root filebeat 4.0K Aug 17 22:30 ../ -rw-r--r--. 1 filebeat filebeat 564 Sep 4 13:48 this_name_please -rw-r--r--. 1 filebeat filebeat 3.6K Sep 4 13:48 this_name_please.1
So the difference seems to be whether filebeat is run inside the container manually by user "filebeat", or whether it is run by being launched through docker-compose up.
Any help would be appreciated!