Environment: Rocky Linux 9.6. Filebeat 8.19.7 (tar.gz install). Docker version 29.0.2 (API 1.52). SELinux enabled (but no difference with it in permissive mode)
With filebeat (tar.gz install) running as a non-root user (but with that user a member of the docker group) I cannot get the application to read the container logs.
I have a container running and actively logging. The filebeat.yml file is as below:
filebeat.config.inputs:
enabled: true
path: inputs.d/*.yml
reload.enabled: true
reload.period: 10s
filebeat.config.modules:
enabled: true
path: modules.d/*.yml
reload.enabled: true
reload.period: 10s
filebeat.autodiscover:
providers:
- type: docker
hints.enabled: true
output.logstash:
enabled: true
hosts: ["bigblue.lan:5252"]
logging.metrics.enabled: false
When starting filebeat as a non-root user, the last log entry I get is:
"Starting autodiscover manager"
I was assuming that filebeat would be able to attach to the docker socket and read the logs through that. With the same configuration, but this time running filebeat as the root user, I get the same last log entry, and again no further action despite starting and stopping various containers.
I swapped out the filebeat.autodiscover above with the section below:
filebeat.autodiscover:
providers:
- type: docker
hints.enabled: true
templates:
- config:
- type: container
paths:
- /var/lib/docker/containers/${data.docker.container.id}/*.log
(Clearly running this as a non-root user will cause permission errors).
Running this as the root user causes the logs to be picked up and a connection to be established:
"Starting autodiscover manager"
"Configured paths: [/var/lib/docker/containers/804b6879b67515964d66afee90970ec326450c6ec914451bf7699bf3fa66d303/*.log]"
"Configured paths: [/var/lib/docker/containers/804b6879b67515964d66afee90970ec326450c6ec914451bf7699bf3fa66d303/*.log]"
"Harvester started for paths: [/var/lib/docker/containers/804b6879b67515964d66afee90970ec326450c6ec914451bf7699bf3fa66d303/*.log]"
"Connecting to backoff(async(tcp://bigblue.lan:5252))"
"Connection to backoff(async(tcp://bigblue.lan:5252)) established"
However, with this config the hints.enabled: true does not work how I would expect, eg, if I start an nginx container as docker run --rm --label co.elastic.logs/enabled=false nginx then I was assuming that filebeat would ignore the logs?
What I am confused about, is it is possible to run filebeat as a non-root user and use the autodiscover mechanism to pull in container logs, as they come and go? If so, what is the correct configuration to do so?
Thanks.