Kubernetes autodiscovery: pod with multiple log files

Hi there, I'm struggling to get Filebeat to pick up log files in my pods using autodiscovery annotations. My Filebeat DaemonSet config looks like this:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.autodiscover:
      providers:
        - type: kubernetes
          host: ${NODE_NAME}
          hints.enabled: true
          hints.default_config:
            type: container
            paths:
              - /var/log/containers/*${data.kubernetes.container.id}.log

    processors:
      - add_cloud_metadata:
      - add_host_metadata:
      - add_labels:
          labels:
            cluster.name: pixl8staging

    output.elasticsearch:
      hosts: ['https://xxx.xxx.xxx:9200']

    l

This works just great in getting all the stdout from all the pods. However, I have deployments that will have multiple log files and I wanted to configure them with annotations. I have this in my deployment:

spec:
  template:
    metadata:
      name: xxx
      labels:
        app: xxx
      annotations:
        co.elastic.logs/raw: "[{\"type\": \"log\", \"paths\": [\"/var/www/logs/*.log\", \"/opt/lucee/conf/lucee-web/logs/*.log\"] } ]"
    spec:
      containers:
        ...

That stringified JSON looks like this in full:

[
    {
        "type": "log",
        "paths": [
            "/var/www/logs/*.log",
            "/opt/lucee/conf/lucee-web/logs/*.log"
        ]
    }
]

I still see stdout logs for my pod in Kibana, but I don't see any content from the logs that are local to the container as defined in the input configuration above.

I have a suspicion that I'm close, but missing some fundamental understanding. Is anyone able to point me in the right direction?

TIA

Dominic

While not a direct answer to the question, what I have ended up doing is making all the logs symlinks to the standard output of the main process in my Docker container, i.e. in the Dockerfile:

RUN ln -sf /proc/1/fd/1 /path/to/log.log
RUN ln -sf /proc/1/fd/1 /path/to/another/log.log

The Filebeat config in the cluster remains the same, but sends output to Logstash instead.

I then configure Logstash filters to grok the lines and extract metadata from them. This works well because Logstash can deal with a single stream of logs in various formats and put them through a custom pipeline to further categorize them.

Hi @DominicWatson,

When doing container logging, this is one of the recommended ways, as the container should not be sending logs to the container filesystem.

The other option would be to use a streaming sidecar, as described in the Kubernetes docs: https://kubernetes.io/docs/concepts/cluster-administration/logging/#streaming-sidecar-container. In a nutshell: you deploy a second container in the pod and tail the log file to stdout.

This way Filebeat will be able to read it as with any other log.

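The streaming-sidecar approach from the reply above, sketched as a pod template for the two log directories named in the question. This is an added example, not part of the original thread; the container names, images and UID are assumptions.

```yaml
# Added example: Deployment pod template fragment (names and images are assumptions).
spec:
  template:
    spec:
      volumes:
        - name: www-logs              # shared between the app and its streamer
          emptyDir: {}
        - name: lucee-logs
          emptyDir: {}
      containers:
        - name: app                   # hypothetical main container
          image: example/app:1.0      # placeholder image
          volumeMounts:
            - name: www-logs
              mountPath: /var/www/logs
            - name: lucee-logs
              mountPath: /opt/lucee/conf/lucee-web/logs
        - name: www-log-streamer
          image: busybox:1.36
          # -F follows by name, so rotation is handled. The shell expands the glob
          # once at start-up: files created later are not picked up, so prefer
          # fixed file names if the app creates its logs lazily.
          args: [/bin/sh, -c, 'tail -n+1 -F /logs/*.log']
          securityContext:            # the streamer only needs to read files
            runAsNonRoot: true
            runAsUser: 65534          # log files must be readable by this UID
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: www-logs
              mountPath: /logs
              readOnly: true
        - name: lucee-log-streamer
          image: busybox:1.36
          args: [/bin/sh, -c, 'tail -n+1 -F /logs/*.log']
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: lucee-logs
              mountPath: /logs
              readOnly: true
```

With `hints.enabled: true` and the default container input from the question, each streamer's stdout is collected like any other container log, tagged with its own `kubernetes.container.name`.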
