Hello,
I am having challenges to set up the filebeat to honor multiline configurations so I need your help. I am configuring filebeat to ship the logs from linux servers where large number of docker containers are running so I want to be selective about which container logs to enable for filebeat and I used "hints.default_config.enabled: false" for it from filebeat.autodiscover and utilized the docker labels to "co.elastic.logs/enabled=true" target docker containers. This works fine but I am unable to determine how to enable multiline configuration. I tried to leverage my "container" type in filebeat.input but with that multiline configuration works but logs of all of the containers starts shipping. In other words. filebeat ignores chosen targets via auto-discovery.
filebeat.autodiscover:
providers:
- type: docker
hints.enabled: true
hints.default_config.enabled: false
My entire filebeat.docker.yml file looks like this.
filebeat.config:
modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
filebeat.autodiscover:
providers:
- type: docker
hints.enabled: true
hints.default_config.enabled: false
processors:
- add_cloud_metadata: ~
- add_docker_metadata:
host: "unix:///var/run/docker.sock"
output.console:
pretty: true
Please suggest the how would I achieve multiline configuration while retaining auto discovery solution to select only appropriate docker containers through docker labels.