Logging only kubelet logs

Elastic Stack Beats
,
1

Hi everybody!
I have a Kubernets cluster deployed with RKE. When you deploy using RKE, the kubelet is not deployed as a pod, but it is deployed as a Docker container.
I want to collect logs from kubelet container and ignore the rest of containers logs.
I'm using the following configuratión on my filebeat.yaml but seems to ignore it and getting all containers logs.
Can someone tell me if there is something missing or perhaps I'm not configuring correctly.
Currente FIlebeat version: 7.6.2

filebeat.yml: |-
    filebeat.config: 
      spool_size: 512
    filebeat.inputs: 
      - type: docker 
        containers.ids: 
          - "*"
        fields_under_root: true
        tail_files: true
        processors:
          - add_docker_metadata: ~
          - add_kubernetes_metadata:
              kube_config: ~/.kube/config
          - drop_event:
              when:
                regexp:
                  docker.container.name: "^k8s.*"                 
    filebeat.autodiscover:
      providers:
        - type: docker
          templates:
            - condition:
                contains:
                  docker.container.name: kubelet
              config:
                - type: container
                  paths:
                    - /var/lib/docker/containers/${data.docker.container.id}/*.log
                  exclude_lines: ["^\\s+[\\-`('.|_]"]  # drop asciiart lines
    output.file:
      path: "/tmp/filebeat"
      filename: filebeat

Thanks for helping!

2

Hey @Mario_Albo_Soria, welcome to discuss :slight_smile:

It seems that you are configuring both, a static input configuration with filebeat.inputs, and a dynamic one with autodiscover. If your kubelet is being executed as a docker container, and it contains kubelet on its name, the autodiscover configuration should be enough.

The filebeat.inputs configuration you have there is configured for all containers, could you try to remove it, and use only the configuration in autodiscover?

1 Like
3

It works!!
I was misunderstanding how the filebeat.inputs works, I thought I needed to add metadata to logs before filtering with the filebeat.autodiscover (I read something similar there [Problem getting autodiscover docker to work with filebeat])

Thank you so much!

1 Like
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.