Filebeat Nginx ingress_controller doesn't parse message properly

zbioe · November 15, 2020, 5:25am

We setted the pipeline for filebeat to get the logs from ingress-nginx inside kubernetes.
In output it appears with event.dataset: "nginx.ingress_controller", but it don't parse properlly.
We can't see any dashboard, and the fields nginx.ingress_controller.*doesn't appear in output.
Only appears the message field in raw format.

I can't understand why it doesn't work's properly, can you help me with this?

Thank's for your time

Filebeat Version: 7.10.0
Ingress Nginx Version: 2.13.0
nginx-ingress-controller Version: v0.35.0
Kubernetes Version: v1.16.9

Here is my config:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      host: ${NODE_NAME}
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          - /var/log/containers/*${data.kubernetes.container.id}.log
      templates:
        - condition:
            and:
            - equals:
                kubernetes.namespace: "ingress-nginx"
            - equals:
                kubernetes.container.name: "controller"
          config:
          - module: nginx
            ingress_controller:
              enabled: true
              input:
                type: container
                paths:
                  - /var/log/containers/*${data.kubernetes.container.id}.log

Here is the json getted from beats after it's read from log

{
  "@timestamp": "2020-11-15T05:06:27.057Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.10.0",
    "pipeline": "filebeat-7.10.0-nginx-ingress_controller-pipeline"
  },
  "message": "200.100.200.100 - - [15/Nov/2020:05:06:27 +0000] \"GET /rule HTTP/2.0\" 401 46 \"-\" \"curl/7.72.0\" 42 0.014 [name-container-80] [] 10.244.11.46:80 57 0.016 401 5fc020e09398691a5fbe0a8e7838ade0",
  "input": {
    "type": "container"
  },
  "fileset": {
    "name": "ingress_controller"
  },
  "kubernetes": {
    "namespace": "ingress-nginx",
    "replicaset": {
      "name": "ingress-nginx-controller-df5c8b795"
    },
    "labels": {
      "app_kubernetes_io/name": "ingress-nginx",
      "pod-template-hash": "df5c8b795",
      "app_kubernetes_io/component": "controller",
      "app_kubernetes_io/instance": "ingress-nginx"
    },
    "container": {
      "name": "controller",
      "image": "sha256:2807ba84fc0dab039be33de7e9fbe1d9457ef5a7f3616e4b2c084e42a9eca45b"
    },
    "node": {
      "name": "aks-agentpool-30798937-22"
    },
    "pod": {
      "name": "ingress-nginx-controller-df5c8b795-wtsrs",
      "uid": "72b00bda-b934-4fe5-8313-a52b471d21d1"
    }
  },
  "container": {
    "id": "be83a8cfdd317bc586b31406ae2a399e9eaa5e1835b38be4006fac29d40b2ddb",
    "image": {
      "name": "sha256:2807ba84fc0dab039be33de7e9fbe1d9457ef5a7f3616e4b2c084e42a9eca45b"
    },
    "runtime": "docker"
  },
  "ecs": {
    "version": "1.5.0"
  },
  "host": {
    "hostname": "aks-agentpool-30798937-22",
    "architecture": "x86_64",
    "os": {
      "family": "redhat",
      "name": "CentOS Linux",
      "kernel": "4.15.0-1096-azure",
      "codename": "Core",
      "platform": "centos",
      "version": "7 (Core)"
    },
    "containerized": false,
    "ip": [
      "10.240.0.26",
      "fe80::20d:3aff:fee4:e097",
      "172.17.0.1",
      "10.244.22.1",
      "fe80::409c:1dff:fe0d:5651",
      "fe80::3072:d5ff:feb4:b1f8",
      "fe80::9c9e:95ff:fed4:ebd6",
      "fe80::c076:27ff:fe1b:9f",
      "fe80::e4f2:3ff:fe2f:29db",
      "fe80::b03a:2cff:fe62:d699",
      "fe80::c8e9:d0ff:fef2:a210",
      "fe80::fc7b:42ff:fecb:d7cb",
      "fe80::1489:64ff:fedb:9973",
      "fe80::ec87:ccff:fe7a:cdca",
      "fe80::4804:15ff:fe4a:80a2",
      "fe80::f0c3:87ff:fe60:c8da",
      "fe80::789e:40ff:fe93:3878",
      "fe80::949a:71ff:fee4:467d",
      "fe80::30a0:13ff:fe93:e9f6",
      "fe80::340c:64ff:fefe:9a5",
      "fe80::d004:2fff:fec9:cb83",
      "fe80::6c29:b1ff:fe19:d1ef",
      "fe80::94b0:a6ff:fec6:60bc",
      "fe80::748c:96ff:fe57:9579"
    ],
    "mac": [
      "00:0d:3a:e4:e0:97",
      "00:0d:3a:e4:e0:97",
      "02:42:ba:e7:54:b6",
      "42:9c:1d:0d:56:51",
      "32:72:d5:b4:b1:f8",
      "9e:9e:95:d4:eb:d6",
      "c2:76:27:1b:00:9f",
      "e6:f2:03:2f:29:db",
      "b2:3a:2c:62:d6:99",
      "ca:e9:d0:f2:a2:10",
      "fe:7b:42:cb:d7:cb",
      "16:89:64:db:99:73",
      "ee:87:cc:7a:cd:ca",
      "4a:04:15:4a:80:a2",
      "f2:c3:87:60:c8:da",
      "7a:9e:40:93:38:78",
      "96:9a:71:e4:46:7d",
      "32:a0:13:93:e9:f6",
      "36:0c:64:fe:09:a5",
      "d2:04:2f:c9:cb:83",
      "6e:29:b1:19:d1:ef",
      "96:b0:a6:c6:60:bc",
      "76:8c:96:57:95:79"
    ],
    "name": "aks-agentpool-30798937-22"
  },
  "log": {
    "file": {
      "path": "/var/log/containers/ingress-nginx-controller-df5c8b795-wtsrs_ingress-nginx_controller-be83a8cfdd317bc586b31406ae2a399e9eaa5e1835b38be4006fac29d40b2ddb.log"
    },
    "offset": 20472
  },
  "stream": "stdout",
  "event": {
    "module": "nginx",
    "dataset": "nginx.ingress_controller",
    "timezone": "+00:00"
  },
  "service": {
    "type": "nginx"
  },
  "agent": {
    "name": "aks-agentpool-30798937-22",
    "type": "filebeat",
    "version": "7.10.0",
    "hostname": "aks-agentpool-30798937-22",
    "ephemeral_id": "79626a52-50b4-414f-b3ed-8a617bd5e07c",
    "id": "308d5291-2021-4a48-ae74-6da5dca91e37"
  },
  "cloud": {
    "instance": {
      "name": "aks-agentpool-30798937-22",
      "id": "491c5509-1b46-4415-8953-8c0dcf89bece"
    },
    "machine": {
      "type": "Standard_DS2_v2"
    },
    "provider": "azure",
    "region": "eastus2",
    "account": {}
  }
}

system · December 13, 2020, 7:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.