I set up Filebeat to collect the logs and Logstash to parse the log format before sending it to Elasticsearch. But today's logs are not being indexed, while the logs from the last two days are there.
filebeat.yaml
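# Nesting assumed while restoring the indentation the paste lost: the first
# `processors` list belongs to the container input, the second is the global
# list. If both sat under the same mapping, the second key would silently
# replace the first (duplicate keys, last wins) and add_kubernetes_metadata
# would never run - confirm against the live file.
filebeat.inputs:
  - type: container
    enabled: true
    paths:
      - /var/log/containers/*_core_*.log
    # fields_under_root is not set, so Logstash sees this as [fields][env].
    fields:
      env: canary
    processors:
      - add_kubernetes_metadata:
          default_indexers.enabled: true
          default_matchers.enabled: true
          # NODE_NAME is expected in the pod environment (typically injected
          # from spec.nodeName); nothing in this file provides a default.
          host: ${NODE_NAME}
          matchers:
            - logs_path:
                logs_path: "/var/log/containers/"

processors:
  # Expand the JSON in `message` into top-level keys (target: "") without
  # overwriting existing fields; with add_error_key a decode failure is
  # recorded on the event instead of being silent.
  - decode_json_fields:
      fields: ["message"]
      process_array: false
      max_depth: 1
      target: ""
      overwrite_keys: false
      add_error_key: true
  # Map the application's traceid onto the ECS trace.id field.
  # ignore_missing: true so events without a traceid (non-JSON lines, or JSON
  # lacking that key) no longer raise a processor error on every event;
  # fail_on_error still reverts the rename on a real failure.
  - rename:
      fields:
        - from: "traceid"
          to: "trace.id"
      ignore_missing: true
      fail_on_error: true

# Direct Elasticsearch output is disabled; everything goes through Logstash.
# output.elasticsearch:
#   hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
output.logstash:
  # Port 80 here versus the beats input on 5044 in logstash.yaml: this only
  # works if the logstash-svc Service maps 80 -> 5044. No ssl.* options are
  # set, so the Beats traffic to Logstash is plaintext.
  hosts: ["logstash-svc.elastic-system.svc:80"]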
logstash.yaml
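input {
  beats {
    # Filebeat targets logstash-svc...:80, so the Service must forward
    # 80 -> 5044. No ssl => ... options here: the Beats link is unencrypted
    # and unauthenticated.
    port => 5044
  }
}

filter {
  # The Filebeat config shown does not add a top-level `type` field (it only
  # adds fields.env), so unless something outside it sets [type], this
  # condition is never true and the grok never runs - verify with a
  # stdout { codec => rubydebug } output on a sample event.
  if [type] == "k8s-log" {
    grok {
      # The trailing |%{GREEDYDATA:logmessage} alternative matches any line,
      # so remove_field always fires. logdatetime is never fed to a date
      # filter: @timestamp (and hence the daily index suffix) stays the time
      # Filebeat read the line, not the time written in it.
      match => { "message" => "(%{TIMESTAMP_ISO8601:logdatetime} %{LOGLEVEL:level} %{GREEDYDATA:logmessage})|%{GREEDYDATA:logmessage}" }
      # One list instead of four repeated remove_field options: a repeated
      # option key is merged by the config compiler (commonly last wins), so
      # only the last of the original four was guaranteed to take effect.
      remove_field => [ "message", "agent", "ecs", "tags" ]
    }
  }
}

output {
  # Only canary events have an output; an event with any other fields.env
  # value matches no output and is discarded without a log line.
  if [fields][env] == "canary" {
    elasticsearch {
      # Plain http; no user/password or ssl options in this file - confirm
      # how the cluster is protected.
      hosts => ["elastic:9200"]
      # The date comes from @timestamp in UTC. If [kubernetes][labels][app]
      # is absent the unresolved %{...} text is left in the name, and any
      # uppercase in the label makes an invalid index name; either usually
      # surfaces as 400 errors in the Logstash log rather than as a missing
      # index.
      index => "k8s-%{[kubernetes][namespace]}-%{[kubernetes][labels][app]}-%{+YYYY.MM.dd}"
      # With ilm_enabled at its default (auto) and a custom index, recent
      # plugin versions do not engage ILM, so this policy may be ignored;
      # when ILM is active the index option is overridden by
      # ilm_rollover_alias - check the plugin's startup log for which applies.
      ilm_policy => "k8s-logs"
    }
    #stdout { codec => rubydebug { metadata => true}}
  }
}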