Hi! We're trying to better manage our Kubernetes logs. I have Filebeat running in the cluster using autodiscover and shipping off to Logstash.
Say in the K8s cluster, I have the Docker logging driver set to a max-size of 10MB. When that file size is reached, Docker rolls the log.
Filebeat will pick up the new log, correct?
In Docker, if I set max-file to like 2, this will help ensure that Filebeat will still be able to finish reading from the old log file and then go on to the new. And so forth and so forth as logs are rotated.
The only drawback, looking at the Kubernetes logging documentation (Logging Architecture | Kubernetes), is that if you have more than one log file, it seems like kubectl logs will only output the latest:
Note: Currently, if some external system has performed the rotation, only the contents of the latest log file will be available through kubectl logs. E.g. if there’s a 10MB file, logrotate performs the rotation and there are two files, one 10MB in size and one empty, kubectl logs will return an empty response.
Which really shouldn't be a problem if Filebeat is working correctly, as we should be getting all output into Elastic and viewable in Kibana.
I guess my main concern is with autodiscover, Filebeat is hitting the K8s API for pod creation / removal, correct? Will Filebeat still pickup log file rotation changes with autodiscover?
The docker input will always read from the .log file, including when it's created after rotation.
I recently discovered it makes better sense to put a pattern for the rotated files in the list of paths; that will ensure Filebeat gets those too in case it's down for a while.
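The setup described in the reply above (autodiscover plus a path pattern that also matches Docker's rotated files), written out as an added example; this is not config from the thread or from Elastic's reference files. It assumes Filebeat 7.x with the container input, the Docker json-file logging driver (which names rotated files <id>-json.log.1, .2, ...), application pods in a namespace called myapp, a Logstash host named logstash, and a Filebeat DaemonSet that mounts the node's /var/lib/docker/containers at the same path.

```yaml
# Added example, not from the original thread. Assumed names: namespace "myapp",
# Logstash host "logstash", node log directory /var/lib/docker/containers.
filebeat.autodiscover:
  providers:
    - type: kubernetes
      templates:
        # Only containers in the application namespace match this template, so
        # kube-system / CNI containers get no harvester at all.
        - condition:
            equals:
              kubernetes.namespace: myapp
          config:
            - type: container
              paths:
                # Active file Docker is currently writing for this container.
                - /var/lib/docker/containers/${data.kubernetes.container.id}/*-json.log
                # Rotated files (-json.log.1, .2, ...), so a backlog that built up
                # while Filebeat was down is still read before it is deleted.
                - /var/lib/docker/containers/${data.kubernetes.container.id}/*-json.log.*

output.logstash:
  hosts: ["logstash:5044"]
```

The globs are expanded on the node's filesystem, so the directory really has to be mounted into the Filebeat pod; if the DaemonSet only mounts /var/log/containers, the rotated files (which live only under /var/lib/docker/containers) will never be found. Note also that Docker's max-file counts the active file, so max-file=2 keeps just one rotated file; how long that file survives before the next rotation overwrites it bounds how long Filebeat can be down without losing events for a busy container.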
But then I can't limit based on namespace, right? I don't want to pick up CNI crap or anything else Kubernetes is throwing under the hood just yet. I just want our application logs.