How to parse additional kubernetes pods with json fomat logs?

tarabhavi · December 29, 2021, 1:45pm

I have a ELK stack with Filebeat as an agent. Works great for collecting logs of existing pods.
Here is the helm values for filebeat

filebeatConfig:
  filebeat.yml: |
    logging.level: error
    filebeat.autodiscover:
      providers:
        - type: kubernetes
          node: ${NODE_NAME}
          hints.enabled: true
          hints.default_config:
            type: container
            paths:
              - /var/log/containers/*${data.kubernetes.container.id}.log
            
    output.logstash:
      hosts: 'logstash-logstash.logging.svc.cluster.local:5044'

    setup.template:
      name: "k8s"
      pattern: "k8s-*"
      enabled: false

    setup.ilm.enabled: false

Now, I have a new Kubernetes deployment of falco , whose logs are in json format and want to ship it to ELK stack but not able to with this config. How can I possibly do it, not able to figure out the right way.

Tried following that didn't work

            type: container
            paths:
              - /var/log/containers/*${data.kubernetes.container.id}.log
             json.keys_under_root: true
             json.add_error_key: true
             json.message_key: message

system · January 26, 2022, 3:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kubernetes/Filebeat - How to Handle JSON Logging for some containers Beats filebeat	1	635	January 20, 2020
Filebeat - Kubernetes - logs in plaintest instead JSON Beats filebeat	4	402	September 7, 2019
Its possible activate the parser a json format for specific pod? Beats filebeat	3	344	September 3, 2020
Decode json data from Kubernetes Pods Beats filebeat	2	2682	May 14, 2020
Kubernetes json log parsing with filebeat Beats filebeat	1	343	December 2, 2019

How to parse additional kubernetes pods with json fomat logs?

Related topics