How to deploy filebeat as a daemonset with ECK in Kubernetes?

seikyo-cho-lvgs · June 6, 2024, 3:56am

I installed ECK from the guide(see the reply bellow):

Deploy ECK in your Kubernetes cluster | Elastic Cloud on Kubernetes [2.13] | Elastic

Elasticsearch and Kibana are working well.

I want to use filebeat to send container logs to Elasticsearch by this guide(see the reply bellow):

Run Filebeat on Kubernetes | Filebeat Reference [8.14] | Elastic

The setting in filebeat-kubernetes.yaml maybe need change to:

            - name: ELASTICSEARCH_HOST
              value: https://quickstart-es-http.elastic-system.svc.cluster.local
            - name: ELASTICSEARCH_PORT
              value: '9200'
            - name: ELASTICSEARCH_USERNAME
              value: elastic
            - name: ELASTICSEARCH_PASSWORD
              value: my_password

After install it, I can't find logs sent by filebeat:

curl -k -u elastic:$PASSWORD https://localhost:9200/_cat/indices\?v

The deployed daemonset always restart.

Back-off restarting failed container filebeat in pod filebeat-ws569_kube-system(853828f7-6b76-44ba-8896-af7bf15d6a38)

What else need to change?

Is it necessary to add ssl.certificate_authorities to output.elasticsearch?

    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}

seikyo-cho-lvgs · June 6, 2024, 5:11am

Maybe I have to use this guide:

But after I run

cat <<EOF | kubectl apply -f -
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: quickstart
spec:
  type: filebeat
  version: 8.14.0
  elasticsearchRef:
    name: quickstart
  config:
    filebeat.inputs:
    - type: container
      paths:
      - /var/log/containers/*.log
  daemonSet:
    podTemplate:
      spec:
        dnsPolicy: ClusterFirstWithHostNet
        hostNetwork: true
        securityContext:
          runAsUser: 0
        containers:
        - name: filebeat
          volumeMounts:
          - name: varlogcontainers
            mountPath: /var/log/containers
          - name: varlogpods
            mountPath: /var/log/pods
          - name: varlibdockercontainers
            mountPath: /var/lib/docker/containers
        volumes:
        - name: varlogcontainers
          hostPath:
            path: /var/log/containers
        - name: varlogpods
          hostPath:
            path: /var/log/pods
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
EOF

I can't see filebeat in default namespace:

kubectl get beat
NAME         HEALTH   AVAILABLE   EXPECTED   TYPE       VERSION   AGE
quickstart                                   filebeat             10m

kubectl get pods
NAME
quickstart-es-default-0
quickstart-kb-122212122-abcde

seikyo-cho-lvgs · June 6, 2024, 6:06am

The reason is version.

kubectl describe beat quickstart

Got this event:

Delaying deployment of version 8.14.0 since the referenced elasticsearch is not upgraded yet

The Elasticsearch guide is using 8.13.4. After changing Beat's version to the same version, it works.