How filebeat chooses module paths based on OS when running inside docker

I have filebeat running on a docker container, on the documentation it says that when activating a module, if i leave the paths as default it will choose the path based on the OS.

Obviously i want to capture the log files of the HOST.

How is filebeat made aware of the HOST OS in order to make that decision ? or will it just assume the paths of the container OS?

hi @micas,

How is filebeat made aware of the HOST OS in order to make that decision ? or will it just assume the paths of the container OS?

The filebeat input (log in this case) will detect which operating system is running on and depending on the modules/filesets enabled different default paths are configured in the manifest.yml file. For example system module, syslog fileset here are the default paths https://github.com/elastic/beats/blob/master/filebeat/module/system/syslog/manifest.yml.

Just to make it clear, so if i have it running on a HOST system running Darwin and use a docker container running debian with filebeat inside it, it will default to the paths of debian and not be able to identify that is running on a darwin host.

Any setting i can use to bypass this behaviour? Like being able to globally tell filebeat and others that they should use darwin paths by default with a certain prefix say "/hostfs/..." ?