I am running filebeat as a DaemonSet on my Kubernetes cluster. The following is my configuration file:
filebeat.modules:
filebeat.inputs:
- type: container
paths:
- /var/log/containers/*.log
processors:
- add_kubernetes_metadata:
in_cluster: true
host: ${NODE_NAME}
matchers:
- logs_path:
logs_path: "/var/log/containers/"
processors:
- decode_json_fields:
fields: ["message"]
process_array: false
max_depth: 1
target: "json-message"
overwrite_keys: false
- add_cloud_metadata:
output.elasticsearch:
hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}
setup.ilm.enabled: true
setup.ilm.rollover_alias: "filebeat"
setup.ilm.pattern: "{now/d}-000001"
setup.ilm.overwrite: true
Despite the fact that I have no modules specified, I'm somehow seeing every module's output enabled when I look at the filebeat elasticsearch index in kibana. Like I see fields for apache and cisco modules which I do not care about. Any idea why this would happen?