Filebeat kubernetes

Elastic Stack Beats
1

hello, I have installed this documentation
https://www.elastic.co/guide/en/beats/filebeat/master/running-on-kubernetes.html#running-on-kubernetes
but I have a problem, logs elasticsearch

[filebeat-6.4.1-2018.09.28] [0] failed to execute bulk item (index) BulkShard
Request [[filebeat-6.4.1-2018.09.28] [0]] containing [10] requests
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [kubernetes.labels.app]

my indexes are in elasticsearch

curl localhost:9200/_cat/indices
yellow open filebeat-6.4.1-2018.09.28 V8uZgvoBQ7KmKEBA9VXE-Q 5 1 29833362 0 41gb 41gb
yellow open filebeat-6.4.1-2018.09.27 TxyduJ9FRxu4CQduQKqxFQ 5 1 4251 0 1.2mb 1.2mb
green open .kibana DgMyQx7QSK659uBo1CccJQ 1 0 3 0 34.3kb 34.3kb

how do i fix this error? I understand it is necessary to remove the filebeat version, but maybe I'm wrong, tell me the solution

2

Could you please share your configuration formatted using </>? Have you run ./filebeat setup? Could you share the event which cannot be indexed by ES?

3

my config filebeat-kubernetes.yaml

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.config:
      inputs:
        # Mounted `filebeat-inputs` configmap:
        path: ${path.config}/inputs.d/*.yml
        # Reload inputs configs as they change:
        reload.enabled: false
      modules:
        path: ${path.config}/modules.d/*.yml
        # Reload module configs as they change:
        reload.enabled: false

    # To enable hints based autodiscover, remove `filebeat.config.inputs` configuration and uncomment this:
    filebeat.autodiscover:
      providers:
      - type: kubernetes
        hints.enabled: true

    processors:
      - add_cloud_metadata:

    cloud.id: ${ELASTIC_CLOUD_ID}
    cloud.auth: ${ELASTIC_CLOUD_AUTH}

   output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:my_ip}:${ELASTICSEARCH_PORT:9200}']
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-inputs
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  kubernetes.yml: |-
    - type: docker
      containers.ids:
      - "*"
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
spec:
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      serviceAccountName: filebeat
      terminationGracePeriodSeconds: 30
      containers:
      - name: filebeat
        image: docker.elastic.co/beats/filebeat:6.4.1
        args: [
          "-c", "/etc/filebeat.yml",
          "-e",
        ]
        env:
        - name: ELASTICSEARCH_HOST
          value: my_ip
        - name: ELASTICSEARCH_PORT
          value: "9200"
        - name: ELASTIC_CLOUD_ID
          value:
        - name: ELASTIC_CLOUD_AUTH
          value:
        securityContext:
          runAsUser: 0
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        - name: inputs
          mountPath: /usr/share/filebeat/inputs.d
          readOnly: true
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: filebeat-config
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: inputs
        configMap:
          defaultMode: 0600
          name: filebeat-inputs
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: filebeat
subjects:
- kind: ServiceAccount
  name: filebeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: filebeat
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: filebeat
  labels:
    k8s-app: filebeat
rules:
- apiGroups: [""] # "" indicates the core API group
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - watch
  - list
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
---

run command - kubectl create -f filebeat-kubernetes.yaml

my elasticsearch.log

[DEBUG][o.e.a.b.TransportShardBulkAction] [filebeat-6.4.1-2018.09.28][4] failed to execute bulk item (index) BulkShardRequest [[filebeat-6.4.1-2018.09.28][4]] containing [13] requests
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [kubernetes.labels.app]
        at org.elasticsearch.index.mapper.FieldMapper.parse(FieldMapper.java:302) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:481) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:501) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:390) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:380) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:478) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:501) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:390) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:380) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:478) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:501) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:390) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:380) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.internalParseDocument(DocumentParser.java:95) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentParser.parseDocument(DocumentParser.java:69) ~[elasticsearch-6.4.1.jar:6.4.1]
        at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:263) ~[elasticsearch-6.4.1.jar:6.4.1]
        ...
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.