Filtering setup for docker containers not working

mitlonik · January 27, 2022, 11:27am

filtering setup for docker containers not working.

I started Elastic Stack without anybody additional settings. And here are my filebeat settings:
filebeat.yml

filebeat.autodiscover:
  providers:
    - type: docker
      labels.dedot: true
      hints.enabled: true
      templates:
        - condition:
            contains:
              container.labels.collect_logs_with_filebeat: "true"      # label name in service docker-compose file
              docker.container.name: "test_golang_app_2"
          config:
            - type: container
              format: docker # auto, docker, cli
              # stream: stdout # all, stdout, stderr
              #containers.ids:
              #  - "${data.docker.container.id}"
              paths:
                - "/var/lib/docker/containers/${data.docker.containers.id}/*.log"

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  enabled: true
  hosts: ["localhost:9200"]

output.logstash:
  enabled: false
  hosts: ["localhost:5044"]

processors:
  - drop_fields:
      fields: ["agent.ephemeral_id", "agent.hostname", "agent.id", "agent.name", "agent.version", "docker.container.labels.com_docker_compose_config-hash", "docker.container.labels.com_docker_compose_container-number", "docker.contain>
      ignore_missing: false

monitoring.enabled: false
logging.metrics.enabled: false
logging.level: debug
logging.selectors: ["*"]
logging.to_files: true

and to test, I wrote a simple application in docker container that constantly sends data to the stdout stream

docker-compose.yml

version: '3.7'

services:
  simple_golang_app:
    image: simple_golang_app
    container_name: simple_golang_app
    build:
      context: app/golang/
      dockerfile: Dockerfile
      args:
        TEST_ENV: $TEST_ENV
    networks:
      - net

  test_golang_app_2:
    image: test_golang_app_2
    container_name: test_golang_app_2
    build:
      context: app/golang/
      dockerfile: Dockerfile
      args:
        TEST_ENV: $TEST_ENV
    networks:
      - net
    deploy:
      labels:
        docker.container.labels.description: "collect_logs_with_filebeat"
        co.elastic.logs/enabled: "true" # for Filebeat
        collect_logs_with_filebeat: "true"
    labels:
        docker.container.labels.description: "collect_logs_with_filebeat"
        co.elastic.logs/enabled: "true" # for Filebeat
        collect_logs_with_filebeat: "true"

networks:
  net:
    driver: overlay

main.go

package main

import (
        "fmt"
		"io"
        "os"
		"time" // https://pkg.go.dev/time
)

func main() {
        fmt.Println("Print from the Go program")
        fmt.Println(os.Getenv("TEST_ENV"))

		io.WriteString(os.Stdout,"This is the line to standard output.\n")
		io.WriteString(os.Stderr,"This is the line for standard error output.\n")

		// print every 5 seconds how long the program is running
		for range time.Tick(time.Second * 30) {
			go func() {
				fmt.Println(os.Stdout, time.Now())
			}()
		}
}

Dockerfile

FROM golang:1.17-alpine

ADD main.go /home

WORKDIR /home

RUN \
    apk add --no-cache bash git openssh && \
    go get -u github.com/minio/minio-go

CMD ["go","run","main.go"]

The problem is that the templates filter doesn't work. I have tried various methods: by container name, by adding labels, but I still see the logs of all running containers on my host, and not a specific one.
How can I still configure the sending of logs for certain containers, and not all those running on the host?

mtojek · January 28, 2022, 10:53am

Hi,

what do you mean by "templates filter doesn't work"? Did you see any error or just filtering is not applied? I'm wondering if debug mode can reveal more details.

BTW which version of Elastic stack and filebeat are you using?

mitlonik · January 28, 2022, 12:38pm

Thanks for the answer!

Yes, fitering is not applied.
I'm use 7.16.3.

I have the debug option set, but there is nothing in the filebeat logs about processing templates in them.

filebeat.yml

......
logging.level: debug
......

maybe I completely misunderstand how filebeat templates work?

the full code of my Elastic Stack is here - GitHub - mitlonik/elastic_stack: everything is working. Filebeat finds all running docker containers on the host and sends the stdout stream from the containers to logstash or elasticsearch (depending on needs)
a simple application that will help test this problem is here - GitHub - mitlonik/testing_applications: Applications in different programming languages for testing various tasks

mitlonik · January 31, 2022, 6:27am

Please tell me, do you have any other ideas about this?

system · February 28, 2022, 8:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.