Ingest mixed container logs with text and JSON [filebeat][docker]

felixbarny · April 28, 2021, 9:35am

Yep, that's possible using two different templates for the same container and route logs based on whether or not they start with {.

Here's an example of how it should work with k8s:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      templates:
        - condition:
            contains:
              kubernetes.container.name: "my-app-1"
          config:
            - type: container
              paths:
                - "/var/log/containers/*-${data.kubernetes.container.id}.log"
              include_lines: ['^{']
              json.keys_under_root: true
              json.overwrite_keys: true
              json.add_error_key: true
              json.expand_keys: true
        - condition:
            contains:
              kubernetes.container.name: "my-app-1"
          config:
            - type: container
              paths:
                - "/var/log/containers/*-${data.kubernetes.container.id}.log"
              multiline.pattern: '^[[:blank:]]'
              multiline.negate: false
              multiline.match: after
              exclude_lines: ['^{']

Disclaimer: I have not tested the config. Please let me know if it works for you or if you had to make adjustments.

Topic		Replies	Views
Ingest mixed container logs with text and JSON [ECK][filebeat] Beats filebeat	3	1440	December 16, 2021
Filebeat kubernetes unable to format json logs into fields Beats docker , filebeat	3	275	May 29, 2023
Combine separated JSON logs in k8s Beats docker , filebeat	2	320	October 6, 2021
Multiline usage Beats beats-module , filebeat	3	429	March 25, 2022
Filebeat fails to process kibana json logs "failed to format message from *json-.log "in a kubernetes enviroment Logs	17	4476	February 21, 2019

Ingest mixed container logs with text and JSON [filebeat][docker]

Related Topics