doronshai
(Doron Shai)
March 16, 2021, 10:02pm
1
Hi Team,
I am using this configuration for logstash:
input {
  beats {
    port => 6600
    type => "K4"
    codec => "json"
  }
}
filter {
  if [type] == "K4" {
    json { source => "message" }
  }
}
output {
  if [type] == "K4" {
    elasticsearch {
      hosts => ["very.nice.url:9200"]
      index => "%{[kubernetes][namespace]}-%{+YYYY.MM.dd}"
      cacert => "/etc/elasticsearch/root-ca.pem"
      user => "great_user_name"
      password => "great_password"
      ssl => true
      ssl_certificate_verification => false
    }
  }
}
And here is the filebeat configuration:
filebeat.inputs:
- type: container
paths:
- /var/log/containers/*.log
processors:
- add_kubernetes_metadata:
host: ${NODE_NAME}
matchers:
- logs_path:
logs_path: "/var/log/containers/"
processors:
- add_cloud_metadata:
- add_host_metadata:
cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}
output.logstash:
hosts: ['logstash-prod.service.consul:6600']
# username: ${ELASTICSEARCH_USERNAME}
# password: ${ELASTICSEARCH_PASSWORD}
Many indexes are created correctly, but many indexes are also created like these:
%{[kubernetes][namespace]}-2021.03.14
%{[kubernetes][namespace]}-2021.03.15
%{[kubernetes][namespace]}-2021.03.16
Any idea what the reason is here?
I wanted to comment on this topic, but it was closed:
Hi Team
Setup:
ELK cluster is set up using docker-compose on one beefy bare metal server.
On the kubernetes side I am running filebeat as a DaemonSet to ship container logs to logstash.
Our K8S cluster will have around 50 namespaces and each namespace will have around 10 pods running.
Question:
I want to have a separate index created for each kubernetes namespace. Also, whenever a new namespace is added, an index has to be auto-created as well. How do I achieve it?
Configurations below.
F…
Badger
March 17, 2021, 12:23am
2
Look at the documents in that index. Do any of them have a field called [kubernetes][namespace]? If not, that is what causes them to be named that way.
The indentation of the second processors: option looks wrong to me, and yaml is notoriously picky about indentation. In fact the existence of a second processors: option looks wrong.
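Added example, not part of the original thread: one way to keep events that lack [kubernetes][namespace] out of literally named indexes and make them easy to find. Logstash leaves a %{...} reference unresolved when the field is absent, so the filter resolves the prefix first and the output uses only that. The names [@metadata][index_prefix], unknown-namespace and missing_k8s_namespace are assumptions chosen for illustration; the host is the one from the question.

```logstash
filter {
  if [type] == "K4" {
    if [kubernetes][namespace] {
      # Field is present: use it as the index prefix.
      mutate {
        add_field => { "[@metadata][index_prefix]" => "%{[kubernetes][namespace]}" }
      }
    } else {
      # Field is missing: use a fixed fallback prefix and tag the event
      # so the affected documents can be searched for by tag.
      mutate {
        add_field => { "[@metadata][index_prefix]" => "unknown-namespace" }
        add_tag   => ["missing_k8s_namespace"]
      }
    }
  }
}

output {
  if [type] == "K4" {
    elasticsearch {
      hosts => ["very.nice.url:9200"]
      # [@metadata] fields are not sent to Elasticsearch; they only exist
      # inside the pipeline, so the stored document is unchanged.
      index => "%{[@metadata][index_prefix]}-%{+YYYY.MM.dd}"
      # TLS and credential options go here, as in the original output block.
    }
  }
}
```

Documents tagged missing_k8s_namespace show which containers or log paths the add_kubernetes_metadata processor did not enrich.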
doronshai
(Doron Shai)
March 17, 2021, 6:27am
3
Badger:
ok at the documents in that index. Do any of them have a field called [kubernetes][namespace]? If not, that is what causes them to be named that way.
The indentation of the second processors: o
Looks like removing the 2nd processors and indenting its content correctly solved it.
Thanks!!!
doronshai
(Doron Shai)
March 18, 2021, 4:52pm
4
I thought it solved the issue, but it didn't.
Here is the updated filebeat.yaml:
apiVersion: v1
data:
filebeat.yml: |-
filebeat.inputs:
- type: container
paths:
- /var/log/containers/*.log
processors:
- add_kubernetes_metadata:
host: ${NODE_NAME}
matchers:
- logs_path:
logs_path: "/var/log/containers/"
- add_cloud_metadata:
- add_host_metadata:
cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}
output.logstash:
hosts: ['10.16.14.31:6600','10.16.14.36:6600','10.16.14.43:6600','10.16.14.45:6600']
Any idea what it could be?