I am trying to set up the ELK stack with Filebeat, and I am unable to send any logs to Elasticsearch or Logstash using Filebeat.
I am not sure if I am missing something simple. It works if I use the gelf input (i.e. logs from myapp are shipped to Elasticsearch, but logs from nginx2 in the docker-compose file below are not). By the way, the ELK stack is run from a separate docker-compose.yml.
OS : CentOS VM
filebeat.yml
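# Filebeat configuration: tail Docker's per-container log files, enrich the
# events with container metadata and index them into Elasticsearch.
# NOTE(review): the paste lost its indentation; the nesting below (notably
# `processors` at the top level rather than under the input) is the
# conventional layout and should be confirmed against the real file.
filebeat.inputs:
  - type: container
    paths:
      # Matches the log files Docker writes per container on the host. A
      # container on a network logging driver such as gelf sends its records
      # elsewhere, so it is not expected to show up through this input.
      - '/var/lib/docker/containers/*/*.log'

processors:
  # Resolves container name/image/labels through the Docker API, which is why
  # the Docker socket must be reachable from inside the Filebeat container.
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"
  # Log lines are application-controlled input. Decoding them under the
  # `json` target (not the event root) keeps decoded keys from replacing
  # Filebeat's own fields even though overwrite_keys is enabled.
  - decode_json_fields:
      fields: ["message"]
      target: "json"
      overwrite_keys: true

output.elasticsearch:
  # No scheme, credentials or TLS settings are given, so events are sent over
  # plain HTTP without authentication. Container logs often carry tokens or
  # personal data: outside a throwaway lab use an https:// host, set
  # `username`/`password` or `api_key`, and `ssl.certificate_authorities`,
  # taking the secret from the Filebeat keystore or the environment instead
  # of writing it into this file.
  # `hostname` is presumably a placeholder; it must resolve from inside the
  # Filebeat container, and a stack started from another Compose project is
  # not on this project's default network.
  hosts: ["hostname:9200"]
  indices:
    - index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"

# output.logstash:
#   hosts: ["hostname:5044"]

logging.json: true
logging.metrics.enabled: false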
docker-compose.yml
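# Compose project with a dummy app logging over GELF, a Filebeat shipper and
# an nginx container.
# NOTE(review): indentation was reconstructed from a flattened paste; confirm
# the nesting against the real file.
version: '3'

services:
  app:
    image: docker-logs-elk/dummy-app:1.0.0
    container_name: myapp
    build:
      context: dummy-app
      dockerfile: Dockerfile
    volumes:
      # NOTE(review): this gives the app read access to the log files of
      # every container on the host. Only the shipper needs that; drop the
      # mount here unless the app really reads it.
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
    logging:
      # gelf sends each record to the address below over UDP, unencrypted and
      # unauthenticated, so it suits a local or trusted network only. These
      # records bypass the Filebeat container input entirely.
      driver: gelf
      options:
        gelf-address: "udp://localhost:12201"

  filebeat:
    # With both `image` and `build`, Compose tags the locally built image
    # with this name, so what runs is the local build, not necessarily the
    # upstream Elastic image that the tag suggests.
    image: "docker.elastic.co/beats/filebeat:7.9.0"
    container_name: filebeat
    build:
      context: .
      dockerfile: Dockerfile
    command: filebeat -e -d "publish"
    # root lets Filebeat read the host's container logs and the Docker socket.
    user: root
    volumes:
      - f_data:/usr/share/filebeat/data:rw
      # Filebeat refuses to load a config file that is writable by group or
      # others, or not owned by the user it runs as. Fix ownership and mode
      # on the host file rather than disabling that check.
      - ./filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      # Access to the Docker socket is equivalent to root on the host. The
      # read-only mount only protects the socket file itself; it does not
      # restrict Docker API calls made through it.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  nginx:
    # `latest` is a moving tag; pin a specific version tag or image digest so
    # the deployed image is reproducible and reviewable.
    image: nginx:latest
    container_name: nginx2
    ports:
      # Quoted so the mapping is always read as a string. This publishes on
      # all host interfaces; prefix with 127.0.0.1: if only local access is
      # intended.
      - "8081:80"

volumes:
  # create a persistent volume for Filebeat
  f_data: {}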
Please let me know what's missing.