Hello everyone! I'm using this filebeats installation script in my deploys to ec2.
files:
"/etc/filebeat/filebeat.yml":
mode: "000755"
owner: root
group: root
content: |
filebeat.prospectors:
- input_type: log
paths:
- /var/log/eb-engine.log
- /var/log/puma/puma.log
- /var/app/current/log/sidekiq.log
- /var/app/current/log/staging.log
- /var/app/current/log/production.log
exclude_lines: ['^[[:space:]]*$']
multiline:
# Order for pattern: 'eb-engine, sidekiq and staging|puma'
pattern: '^\s*(([I,V,E,W,L], ){0,1}\[{0,1}2[0-9]{3}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}|=== |.*\[[a-z,0-9,\-]{36}\]( Started| Sending| $))'
negate: true
match: after
fields:
appname: appname
appcomponent: appcomponent
environment: ${ELK_ENV:empty_value}
output.logstash:
hosts: ["my_host"]
container_commands:
1_command:
command: "curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.8.2-x86_64.rpm"
cwd: /home/ec2-user
2_command:
command: "rpm -ivh --replacepkgs filebeat-6.8.2-x86_64.rpm"
cwd: /home/ec2-user
3_command:
command: "/etc/init.d/filebeat stop"
4_command:
command: "/etc/init.d/filebeat start"
This file is placed in my .ebextensions folder of my project. This same script is working fine in two other projects, but in this new one it's not working as expected, as I see in my Kibana dashboard that the logs are coming from appname-empty_value instead of appname-development. So, I'm not entirely sure why my environment: ${ELK_ENV:empty_value} it's not taking the env var 
. The only difference is this new project, is that's running on Amazon Linux 2 platform. Any hint?
Thanks in advanced.