I would like to use filebeat to monitor my container infrastructure. I am wondering why some of the filebeat modules seem so insufficiently documented about any details that are beyond the most standard configuration of the applications.
Just two examples:
Docker input does not state if it only supports json-file or also the local logging driver. json-file is the old default, not really useful because it will fill up your disk. local seems like the better solution, docker logs just works with it. But what about filebeat? I tested it myself (with autodiscovery) and it seems not to work, but I might just have not configured it correctly. Forum post stays unanswered.
Traefik module does not state the supported log file format for the access logs. Traefik default is CLF, but it also has a json option which provides much more (valuable) information. Again the docs don't state what format is supported, tests for me did not work, a request stays unresolved.
My takeaway: To me it looks like filebeat does not get the love it deserved, new users are left in the dark, be it with the documentation or in the forum. What really bothers me is that potentially hundreds of people waste their time researching those topics and it could easily be answered within the documentation.
Disclaimer: I have long been unhappy with how Elastic deals with things. That started long before the license change, when Elastic 10 years ago didn't bother to provide a simple password auth method without payment. But I want to be constructive, that's why I am writing down those issues.