Hello everyone,
I've been trying to get my eck-stack to work, but filebeat and logstash aren't getting along very well.
On the logstash side I saw that it is opening the 5044 beats port and listening.
However Filebeat isn't using the configured logstash output (or even elasticsearch output that I tried) and just tries what I would think is the default output. When I run "filebeat test output" inside one of the pods I get this:
filebeat test output
elasticsearch: elasticsearch:9200...
parse url... OK
connection...
parse host... OK
dns lookup... ERROR lookup elasticsearch on 10.43.0.10:53: server misbehaving
Here is what I have configured in the values.yaml:
config:
logging.level: debug
filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
hints.enabled: true
in_cluster: true
ssl.certificate_authorities:
- /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
hints.default_config:
type: filestream
id: kubernetes-container-logs-${data.kubernetes.pod.name}-${data.kubernetes.container.id}
paths:
- /var/log/containers/*-${data.kubernetes.container.id}.log
parsers:
- container:
stream: all
format: auto
prospector:
scanner:
fingerprint.enabled: true
symlinks: true
file_identity.fingerprint: ~
output.logstash:
hosts: ["logstash.svc:5044"]
ssl.enabled: false