Need to gather the host logs , filebeat running as a container

mohammed.sabil · September 13, 2021, 4:37am

Hello Team,

I am new to ELK and Filebeat.
I have ELK stack running on one server using docker-compose.
I have Filebeat running on another server as docker container 7.14.1.

I have configured filebeat-docker.yml and I can see some logs at the Kibana dashboard which are coming within the containers.

My question here is as I am running filebeat as a container, however I wanted to collect the application and system logs which are running on host not on the container. As the application running on host on which filebeat running as a docker container

Is it possible? if yes, can you please guide/suggest me how to achieve it?

Thank you in advance.
Sabil.

warkolm · September 13, 2021, 5:37am

Welcome to our community!

Generally you would install Filebeat directly on the host, that way you can monitor the host and any other containers it runs. Running Filebeat in a container and monitoring the underlying host is possible, you just need to make sure it has the relevant local filesystem points mounted inside the container.

mohammed.sabil · September 13, 2021, 5:49am

@warkolm Thank you so much!

Let me try mounting the log path as volume in the filebeat container. Just to cross check, I will be executing the following command to mount the volumes.

Hopefully is the correct way to do it. Please correct me if I am wrong.

docker run -d \
  --name=filebeat \
  --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  --volume="/var/log/apache2/error.log:/var/log/apache2/error.log:ro"
  --volume="/var/log/apache2/access.log:/var/log/apache2/xyz.log:ro"
  --volume="/var/log/apache2/dispatcher.log:/var/log/apache2/abc.log:ro"

Thank you.
Sabil.

mohammed.sabil · September 13, 2021, 7:03am

@warkolm I can see the volumes have been mounted by executing the above command. However, I am not getting that data in the Kibana dashboard.

I am referring log.file.path in kibana dashboard. I can see only /var/lib/containers.

Following info I am getting in filebeat logs.
INFO [input.harvester] log/harvester.go:340 File is inactive. Closing because close_inactive of 5m0s reached.

Any suggestion and help would be appreciated.

Thank you.
Sabil.

warkolm · September 13, 2021, 7:19am

What does your Filebeat config look like?

mohammed.sabil · September 13, 2021, 7:21am

Here is a filebeat-docker.yml file.

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

processors:
- add_cloud_metadata: ~

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/apache2/error.log
    - /var/log/apache2/access.log
    - /var/log/apache2/dispatcher.log
    - /var/log/aem/error.log
  include_lines: ['^ERR', '^WARN']

output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'

warkolm · September 13, 2021, 7:23am

You're probably better off using the Apache module if you can - Apache module | Filebeat Reference [7.14] | Elastic

mohammed.sabil · September 13, 2021, 7:32am

Sure, let me try adding apache module to config.

Thank you!

mohammed.sabil · September 13, 2021, 7:47am

@warkolm Sorry, but still getting the same.

here is config file.

filebeat.config:
- modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

- module: apache
  access:
    enabled: true
    var.paths: ["/path/to/log/apache/access.log*"]
  error:
    enabled: true
    var.paths: ["/path/to/log/apache/error.log*"]

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

processors:
- add_cloud_metadata: ~

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/apache2/error.log
    - /var/log/apache2/access.log
    - /var/log/apache2/dispatcher.log
    - /var/log/aem/error.log
  include_lines: ['^ERR', '^WARN']

output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'

thank you.

mohammed.sabil · September 14, 2021, 5:29am

@warkolm Any suggestion would be highly appreciated. Thank you.

warkolm · September 14, 2021, 6:11am

Can you try running with debug and seeing if that says anything?

mohammed.sabil · September 14, 2021, 12:15pm

@warkolm I am running the following command and not getting debug option while executing the following command.

docker run -d \
  --name=filebeat \
  --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  docker-public.docker.devstack.vwgroup.com/elastic/filebeat:7.14.1 -e -strict.perms=false

mohammed.sabil · September 22, 2021, 10:44am

@warkolm I am able to get the logs on kinbana dashboard.

Can you please suggest on how to filter the log data ?

system · October 20, 2021, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Collecting logfiles of Docker containers with filebeat running as Docker container Beats filebeat	6	20863	April 18, 2017
Filebeat running as a container not displaying logs in Kibana Beats docker , filebeat	12	706	January 4, 2023
Filebeat not collecting docker logs Beats filebeat	5	4599	January 17, 2020
Docker Beat with Docker ELK Beats filebeat	5	2851	October 4, 2017
ELK no read logs from docker containers Beats filebeat	2	403	June 25, 2019

Need to gather the host logs , filebeat running as a container

Related topics