Filebeat Input docker on stopped containers

Anatoliy · April 4, 2019, 9:47am

I configured filebeat with type docker and everything workes well on runnig containers and new started. Also i got in logstash.conf Output to file and elasticsearch.

filebeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            regexp:
              docker.container.name: '.*service.*'
          config:
            - type: docker
              containers.ids:
                - "${data.docker.container.id}"
              fields:
                service: service

But after first start i was expecting processing old stoped containers logs what does not happened. What is the best way to:

Start reprocessing old logs of stopped containers to existing outputs or restart filebeat with cleaning registry from very beginning and got logs from all containers?
How to resend logs from single stopped container to existing outputs?

Michal_Pristas · April 5, 2019, 9:00am

Hey @Anatoliy, welcome to elastic discuss
unfortunately there's not a deterministic way of gathering logs from old, not running containers.
auto discover feature work only with running and newly started containers

If you use docker input and specify a specific container id you might be able to ingest logs. But just in case docker did not get rid of the metadata

you can configure docker input as stated here

filebeat.inputs:
- type: docker
  containers.ids: 
    - '8b6fe7dc9e067b58476dc57d6986dd96d7100430c5de3b109a99cd56ac655347'

Also please make sure to format any configuration you post here. Theres a button </> to do that. Sometimes the issue is with indentation of the configuration which is hard to spot if it is not correctly formatted

system · May 3, 2019, 9:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.