Filebeat kubernetes provider mixed logs another containers from same pod

Elastic Stack Beats
1

Hi guys. May be anyone can check that?
Im using daemonset of filebeat 7.14.1 in openshift cluster with config

    filebeat.autodiscover:
      providers:
        - type: kubernetes
          include_pod_uid: true
          in_cluster: true
          templates:
            - config:
                - type: container
                  paths:
                    - /var/log/pods/*_${data.kubernetes.pod.uid}/*/*.log

For temp storage using kafka cluster, then logstash cluster get logs from kafka and write to elastic.

Today i'm trying to find logs from container, which running in pod with 2 containers. And some times later found that logs had kubernetes.container.name with name another container in that pod.
I'm checked kubernetes.container.name with log.path.file. You can see that on screenshot.
How to fix that?

Screenshot from 2021-09-09 16-48-03
Screenshot from 2021-09-09 16-48-031265×857 105 KB

2

Hey @froheik,

With this autodiscover configuration all the containers in the same pod are going to generate the same configuration. Each configuration will include the metadata of the container generating the config, so it is possible that the input of one of these configurations is collecting all logs, and then including the metadata of this configuration.

You should include something that identifies the logs of a single container in the path pattern.

For example, try something like the following ones.

  • /var/log/containers/*-${data.kubernetes.container.id}.log
  • /var/log/pods/*_${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log
2 Likes
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.