Hi,
I am running a filebeat container using the following command:
docker run -d \
--name=filebeat \
--user=root \
--volume="$(pwd)/filebeat-file.yml:/usr/share/filebeat/filebeat.yml:ro" \
--volume="$(pwd)/apps/logs:/usr/share/apps/logs:ro" \
docker.elastic.co/beats/filebeat:7.9.2 filebeat -e -strict.perms=false \
-E output.elasticsearch.hosts=["elasticsearch:9200"]
filebeat-file.yaml:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/share/apps/logs/*.log
output.elasticsearch:
  hosts: '{ELASTICSEARCH_HOSTS: HOST:9200}'
Then I copied a sample file into ${pwd}/apps/logs containing a basic log line:
I am line 1.
Now, whenever I add a new line to this file from the host machine, I get additional hits in Elasticsearch for the logs which have already been sent to ES by filebeat, i.e. if I add another line to this file as:
I am line 1.
I am line 2.
Then I get a total of 3 hits in the ES index: 1 for the previous state, i.e. line 1, and 2 for the current state, i.e. line 1 and line 2.
However, I should ideally get just 2 hits in ES.
One more behavior I have observed is that if I get inside the docker container as:
sudo docker exec -it cont-id bash
cd /usr/share/app/logs
vi app.log
Now, if I edit from inside the container, it works perfectly fine, i.e. when I add line 2, I just get 2 hits in ES.
Could anyone help me understand what is happening here? How is modifying the log file on the host machine different from modifying it from within the container, such that it results in different behavior?
Thanks