Ingest mixed container logs with text and JSON [filebeat][docker]

felixbarny · April 28, 2021, 9:35am

Yep, that's possible using two different templates for the same container and route logs based on whether or not they start with {.

Here's an example of how it should work with k8s:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      templates:
        - condition:
            contains:
              kubernetes.container.name: "my-app-1"
          config:
            - type: container
              paths:
                - "/var/log/containers/*-${data.kubernetes.container.id}.log"
              include_lines: ['^{']
              json.keys_under_root: true
              json.overwrite_keys: true
              json.add_error_key: true
              json.expand_keys: true
        - condition:
            contains:
              kubernetes.container.name: "my-app-1"
          config:
            - type: container
              paths:
                - "/var/log/containers/*-${data.kubernetes.container.id}.log"
              multiline.pattern: '^[[:blank:]]'
              multiline.negate: false
              multiline.match: after
              exclude_lines: ['^{']

Disclaimer: I have not tested the config. Please let me know if it works for you or if you had to make adjustments.

Topic		Replies	Views
Ingest mixed container logs with text and JSON [ECK][filebeat] Beats filebeat	3	1453	December 16, 2021
Filebeat kubernetes unable to format json logs into fields Beats docker , filebeat	3	276	May 29, 2023
Is there something about my configuration isn't right? What did I miss? Beats filebeat	2	399	January 3, 2019
Combine separated JSON logs in k8s Beats docker , filebeat	2	321	October 6, 2021
Multiline usage Beats beats-module , filebeat	3	431	March 25, 2022

Ingest mixed container logs with text and JSON [filebeat][docker]

Related topics