Currently I use filebeat 7.16.3 and it runs on a kubernetes 1.20 cluster (docker runtime). I use the following configuration to collect container logs, but I found that FB does not recognize the container name corresponding to the collected logs. Is there something wrong with my configuration?
If it is as I expected, FB should be able to automatically identify the log and the corresponding container name.
Strangely, data.kubernetes.pod.uid and data.kubernetes.container.name do not appear in the fields.
filebeat.yml: |-
  name: masa-iot
  tags: ["masa-iot"]
  fields:
    env: production
  filebeat.inputs:
  - type: docker
    containers.paths:
    - /var/log/pods/${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log
    containers.ids:
    - "*"
    message_key: log
    keys_under_root: true
    symlinks: true
    processors:
    - add_kubernetes_metadata:
        in_cluster: true
    scan_frequency: 10s
    close_inactive: 1m
  setup.ilm.enabled: auto
  setup.ilm.rollover_alias: "iot-logs"
  setup.ilm.pattern: "{now/d}-000001"
  setup.ilm.policy_name: "iot-logs"
  output.elasticsearch.hosts: ["XXXXX:31111"]
  monitoring.enabled: true
  monitoring.elasticsearch.hosts: ["XXXXX:31111"]
In addition, why can't the variables data.kubernetes.pod.uid and data.kubernetes.container.name be used with type: containers, when they can with type: docker?
filebeat.inputs:
- type: container
  paths:
  - /var/log/pods/${data.kubernetes.pod.uid}/${data.kubernetes.container.name}/*.log
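
An added example, not part of the original post and not the poster's configuration: `${data.kubernetes.*}` placeholders are filled in by Filebeat's Kubernetes autodiscover provider for each container it discovers, so they belong inside an autodiscover config rather than in a static `filebeat.inputs` path. The `NODE_NAME` variable and the volume mounts are assumptions about the DaemonSet.

```yaml
# Added example: fragment of filebeat.yml (goes under the same ConfigMap key).
# Assumptions: the DaemonSet sets NODE_NAME from spec.nodeName and mounts
# /var/log and /var/lib/docker/containers read-only.
filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          # Resolved per discovered container by the autodiscover provider.
          - /var/log/containers/*${data.kubernetes.container.id}.log

# Alternative without autodiscover: a static input with no ${data.*} in the
# path; the processor maps each log file back to its pod and container.
# filebeat.inputs:
#   - type: container
#     paths:
#       - /var/log/containers/*.log
#     processors:
#       - add_kubernetes_metadata:
#           host: ${NODE_NAME}
#           matchers:
#             - logs_path:
#                 logs_path: "/var/log/containers/"
```

Use one of the two variants, not both, otherwise the same files are harvested twice.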