Logging only kubelet logs

Mario_Albo_Soria · April 6, 2020, 11:35am

Hi everybody!
I have a Kubernets cluster deployed with RKE. When you deploy using RKE, the kubelet is not deployed as a pod, but it is deployed as a Docker container.
I want to collect logs from kubelet container and ignore the rest of containers logs.
I'm using the following configuratión on my filebeat.yaml but seems to ignore it and getting all containers logs.
Can someone tell me if there is something missing or perhaps I'm not configuring correctly.
Currente FIlebeat version: 7.6.2

filebeat.yml: |-
    filebeat.config: 
      spool_size: 512
    filebeat.inputs: 
      - type: docker 
        containers.ids: 
          - "*"
        fields_under_root: true
        tail_files: true
        processors:
          - add_docker_metadata: ~
          - add_kubernetes_metadata:
              kube_config: ~/.kube/config
          - drop_event:
              when:
                regexp:
                  docker.container.name: "^k8s.*"                 
    filebeat.autodiscover:
      providers:
        - type: docker
          templates:
            - condition:
                contains:
                  docker.container.name: kubelet
              config:
                - type: container
                  paths:
                    - /var/lib/docker/containers/${data.docker.container.id}/*.log
                  exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines
    output.file:
      path: "/tmp/filebeat"
      filename: filebeat

Thanks for helping!

jsoriano · April 6, 2020, 7:00pm

Hey @Mario_Albo_Soria, welcome to discuss

It seems that you are configuring both, a static input configuration with filebeat.inputs, and a dynamic one with autodiscover. If your kubelet is being executed as a docker container, and it contains kubelet on its name, the autodiscover configuration should be enough.

The filebeat.inputs configuration you have there is configured for all containers, could you try to remove it, and use only the configuration in autodiscover?

Mario_Albo_Soria · April 7, 2020, 6:42am

It works!!
I was misunderstanding how the filebeat.inputs works, I thought I needed to add metadata to logs before filtering with the filebeat.autodiscover (I read something similar there [Problem getting autodiscover docker to work with filebeat])

Thank you so much!

system · May 5, 2020, 6:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat white/black list for container logs in kubernetes Beats docker , filebeat	8	2532	June 9, 2020
Filebeat doesn't log anythign with kubernetes autodiscover Beats filebeat	2	1336	September 17, 2018
Filebeat and Kubernetes: excluding log files Beats filebeat	12	13314	March 1, 2018
KUBERNETES Log Reading using File Beat Beats filebeat	2	462	June 13, 2018
Is there a complete, working example of a filebeats config on kubernetes? Beats filebeat	6	1628	July 27, 2019

Logging only kubelet logs

Related topics