I have an express server running in k8s which writes its logs to a file:
'/var/lib/docker/containers/analytics-error.log'
I cannot get Filebeat to pick up this file, here is my conf
---
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-config
namespace: kube-system
labels:
k8s-app: filebeat
data:
filebeat.yml: |-
filebeat.config:
inputs:
path: ${path.config}/inputs.d/*.yml
# Reload inputs configs as they change:
reload.enabled: false
modules:
path: ${path.config}/modules.d/*.yml
# Reload module configs as they change:
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
# To enable hints based autodiscover, remove `filebeat.config.inputs` configuration and uncomment this:
# filebeat.autodiscover:
# providers:
# - type: kubernetes
filebeat.inputs:
- type: log
paths:
- /var/lib/docker/containers
fields_under_root: true
fields:
log_type: etp_log
logging.level: debug
logging.selectors: ["prospector","harvester"]
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
output.logstash:
enabled: true
ssl.enabled: true
hosts: ["logstash.chargepayments.io:8751"]
ssl.certificate_authorities: ["${path.config}/keys/ca.crt"]
ssl.certificate: "${path.config}/keys/client.crt"
ssl.key: "${path.config}/keys/client.key"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-inputs
namespace: kube-system
labels:
k8s-app: filebeat
data:
kubernetes.yml: |-
- type: docker
containers.ids:
- "*"
path: "/var/lib/docker/containers"
processors:
- add_kubernetes_metadata:
in_cluster: true
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: filebeat
namespace: kube-system
labels:
k8s-app: filebeat
spec:
template:
metadata:
labels:
k8s-app: filebeat
spec:
serviceAccountName: filebeat
terminationGracePeriodSeconds: 30
containers:
- name: filebeat
image: docker.elastic.co/beats/filebeat:7.0.1
args: [
"-c", "/etc/filebeat.yml",
"-e",
]
securityContext:
runAsUser: 0
# If using Red Hat OpenShift uncomment this:
#privileged: true
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
volumeMounts:
- name: config
mountPath: /etc/filebeat.yml
readOnly: true
subPath: filebeat.yml
- name: inputs
mountPath: /usr/share/filebeat/inputs.d
readOnly: true
- name: data
mountPath: /usr/share/filebeat/data
- name: varlibdockercontainers
mountPath: /var/lib/docker/containers
readOnly: true
- name: cacert
mountPath: /usr/share/filebeat/keys/ca.crt
subPath: ca.crt
- name: clientcert
mountPath: /usr/share/filebeat/keys/client.crt
subPath: client.crt
- name: clientkey
mountPath: /usr/share/filebeat/keys/client.key
subPath: client.key
volumes:
- name: config
configMap:
defaultMode: 0600
name: filebeat-config
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
- name: inputs
configMap:
defaultMode: 0600
name: filebeat-inputs
# data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
- name: data
hostPath:
path: /var/lib/filebeat-data
type: DirectoryOrCreate
- name: cacert
secret:
secretName: certs
items:
- key: cacert
path: ca.crt
- name: clientcert
secret:
secretName: certs
items:
- key: clientcert
path: client.crt
- name: clientkey
secret:
secretName: certs
items:
- key: clientkey
path: client.key
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: filebeat
subjects:
- kind: ServiceAccount
name: filebeat
namespace: kube-system
roleRef:
kind: ClusterRole
name: filebeat
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: filebeat
labels:
k8s-app: filebeat
rules:
- apiGroups: ["*"] # "" indicates the core API group
resources:
- namespaces
- pods
verbs:
- get
- watch
- list
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: filebeat
namespace: kube-system
labels:
k8s-app: filebeat
---