I'm trying, via a busybox pod, to generate a json that sends it to filebeat which in turn sends it to logstash but I have this problem:
at [Source: (byte[])"Hello, World!"; line: 1, column: 7]>}
[2023-11-24T10:41:27,442][WARN ][logstash.filters.json ][main][2a1e8d294f7b2bb72aa995abe5a8d1d3e3658491512d3fc08a3248e4bed6580c] Error parsing json {:source=>"message", :raw=>"Hello, World!", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'Hello': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
This is my configuration:
apiVersion: apps/v1
kind: Deployment
metadata:
name: busybox
namespace: logging
spec:
selector:
matchLabels:
app: busybox
template:
metadata:
labels:
app: busybox
spec:
containers:
- name: busybox
image: busybox
command: ["/bin/sh"]
args: ["-c", "while true; do echo '{\"time\": \"$(date -u --rfc-3339=ns)\", \"message\": \"Hello, World!\"}' >> /var/log/busybox.log; sleep 1; done"]
volumeMounts:
- name: varlog
mountPath: /var/log
resources:
requests:
memory: 128Mi
cpu: 200m
limits:
memory: 128Mi
cpu: 200m
- name: filebeat
image: docker.elastic.co/beats/filebeat:8.11.0
volumeMounts:
- name: config-volume
mountPath: /usr/share/filebeat/filebeat.yml
subPath: filebeat.yml
- name: varlog
mountPath: /var/log
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 512Mi
cpu: 1
volumes:
- name: config-volume
configMap:
name: filebeat-config
- name: varlog
emptyDir: {}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-config
namespace: logging
data:
filebeat.yml: |-
filebeat.inputs:
- type: log
paths:
- /var/log/*.log
json.keys_under_root: true
json.add_error_key: true
json.message_key: message
output.logstash:
hosts: ["logstash.logging.svc:5044"]
---
apiVersion: v1
kind: ConfigMap
metadata:
name: logstash-config
namespace: logging
data:
logstash.conf: |
input {
beats {
port => 5044
}
}
filter {
json {
source => "message"
}
}
output {
elasticsearch {
hosts => [ "https://elasticsearch:9200" ]
ssl => true
ssl_certificate_verification => false
user => "elastic"
password => "elastic"
index => "logstash-%{+YYYY.MM.dd}"
}
}