Kubernetes autodiscovery: pod with multiple log files

DominicWatson · November 11, 2019, 5:50pm

Hi there, I'm struggling to get filebeats to pick up log files in my pods using autodiscovery annotations. My filebeat daemonset config looks like this:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.autodiscover:
      providers:
        - type: kubernetes
          host: ${NODE_NAME}
          hints.enabled: true
          hints.default_config:
            type: container
            paths:
              - /var/log/containers/*${data.kubernetes.container.id}.log

    processors:
      - add_cloud_metadata:
      - add_host_metadata:
      - add_labels:
          labels:
            cluster.name: pixl8staging

    output.elasticsearch:
      hosts: ['https://xxx.xxx.xxx:9200']

    l

This works just great in getting all the stdout from all the pods. However, I have deployments that will have multiple log files and I wanted to configure them with annotations. I have this, in my deployment:

spec:
  template:
    metadata:
      name: xxx
      labels:
        app: xxx
      annotations:
        co.elastic.logs/raw: "[{\"type\": \"log\", \"paths\": [\"/var/www/logs/*.log\", \"/opt/lucee/conf/lucee-web/logs/*.log\"] } ]"
    spec:
      containers:
        ...

That stringified json looks like this in full:

[
    {
        "type": "log",
        "paths": [
            "/var/www/logs/*.log",
            "/opt/lucee/conf/lucee-web/logs/*.log"
        ]
    }
]

I still see stdout logs for my pod in Kibana, but I don't see any content from the logs that are local to the container as defined in the input configuration above.

I have a suspicion that I'm close, but missing some fundamental understanding. Is anyone able to point me in the right direction?

TIA

Dominic

DominicWatson · November 13, 2019, 8:35am

While not a direct answer to the question, what I have ended up doing is making all the logs symlinks to the standard output of the main process in my docker container, i.e. in Dockerfile:

RUN ln -sf /proc/1/fd/1 /path/to/log.log
RUN ln -sf /proc/1/fd/1 /path/to/another/log.log

The filebeats config in the cluster remains the same, but sends output to logstash instead.

I then configure logstash filters to grok the lines and extract metadata from them. This works well because logstash can deal with a single stream of logs in various formats and put them through a custom pipeline to further categorize them.

exekias · November 13, 2019, 3:29pm

Hi @DominicWatson,

When doing containers logging this is one of the recommended ways, as the container should not be sending logs to container filesystem.

The other option would be to use a streaming sidecar, as described in Kubernetes docs: https://kubernetes.io/docs/concepts/cluster-administration/logging/#streaming-sidecar-container. In a nutshell: you deploy a second container in the pod, tail the log file to stdout.

This way FIlebeat will be able to read it as with any other log.

system · December 11, 2019, 5:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeats autodiscover on kubernetes doesn't collect logs from annotated pods Beats filebeat	1	323	June 2, 2022
Configuring multiple filebeat instances in Kubernetes Beats filebeat	1	1204	October 3, 2020
Autodiscover Kubernetes + annotations on pods not working as excepted Beats filebeat	2	785	October 15, 2019
Filebeat Kubernetes Autodiscovery Template Problem (6.5.4) Beats filebeat	3	947	February 11, 2019
[solved] Kubernetes – autodiscover and add_kubermetes_metadata only working partially Beats filebeat	4	1989	July 11, 2019

Kubernetes autodiscovery: pod with multiple log files

Related topics