I am setting up a pipeline to send Kubernetes pod logs to an Elastic cluster. I have installed Filebeat as a DaemonSet (stream: stdout) in my cluster and connected its output to Logstash. Beats is connected to Logstash without an issue; now I want logs only from the application namespaces, not from all namespaces in the cluster. Can someone guide me on how to filter this in the Beat, and also on how to see the source message from the JSON in ES?
This is my config:
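# ConfigMap data for the Filebeat DaemonSet: a single docker input that tails
# container stdout logs on the node and enriches each event with pod metadata.
# The nesting below is restored from a paste that had lost its indentation.
data:
  kubernetes.yml: |-
    - type: docker
      containers:
        path: "/var/lib/docker/containers"
        stream: "stdout"
        # "*" selects every container on the node, so logs from all
        # namespaces are read; any namespace scoping has to be done by a
        # processor further down.
        ids: "*"
      # NOTE(review): multiline is configured twice, once with the dotted
      # keys here and once in the nested `multiline:` mapping below, with
      # different patterns. Keep only the one that matches the application's
      # log format so the effective setting is unambiguous.
      multiline.pattern: '^\s'
      multiline.match: after
      fields:
        logtype: container
      multiline:
        pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
        negate: true
        match: after
      ignore_older: 1h
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
        # To forward only application namespaces, drop everything else once
        # kubernetes.namespace has been set and before any log content is
        # decoded into the event. Example with a placeholder namespace:
        # - drop_event:
        #     when:
        #       not:
        #         equals:
        #           kubernetes.namespace: "<APP_NAMESPACE>"
        # NOTE(review): in the sample event `log` is an object holding
        # file.path rather than a JSON string; confirm which field carries
        # the application line (the docker input normally emits `message`).
        # With target "" and overwrite_keys true, decoded keys are merged
        # into the event root and can replace existing fields, including
        # the kubernetes.* metadata; consider a dedicated target instead.
        - decode_json_fields:
            fields: ["log"]
            overwrite_keys: true
            target: ""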
Output in kibana:
{
"_index": "filebeat-6.8.4-2020.03.06",
"_type": "doc",
"_id": "vHkzsHABJ57Tsdxxxxx",
"_version": 1,
"_score": null,
"_source": {
"log": {
"file": {
"path": "/var/lib/docker/containers/aa54562be9448183d69d8d2e1953e74560309176f044aed23484ac9e3260982c/sdnksdsdlsdnfsdlfslfnsdslfnsnlnflksdnflkdsfnsdflsdfndslffndslf-json.log"
}
},
"tags": [
"beats_input_codec_plain_applied",
"_grokparsefailure"
],
"input": {
"type": "docker"
},
"@version": "1",
"prospector": {
"type": "docker"
},
"beat": {
"version": "6.8.4",
"name": "filebeat-vtp2f",
"hostname": "filebeat-vtp2f"
},
"host": {
"name": "filebeat-vtp2f"
},
"offset": 5798785,
"stream": "stdout",
"fields": {
"logtype": "container"
},
"kubernetes": {
"node": {
"name": "k8-test-22313607-0"
},
"labels": {
"version": "v1",
"kubernetes": {
"io/cluster-service": "true"
},
"controller-revision-hash": "6b56cfcb69",
"pod-template-generation": "1",
"k8s-app": "fluent"
},
"container": {
"name": "fluentd"
},
"pod": {
"uid": "72c50b54-5ef0-11ea-83e1-26018882335d",
"name": "fluent-4lft2"
},
"namespace": "fluentd"
},
"source": "/var/lib/docker/containers/aa54562be9448183d69d8d2e1953e74560309176f044aed23484ac9e3260982c/aa54562be9448183d69d8d2e1953e74560309176f044aed23484ac9e3260982c-json.log",
"@timestamp": "2020-03-06T14:15:18.561Z"
},
"fields": {
"@timestamp": [
"2020-03-06T14:15:18.561Z"
]
},
"highlight": {
"prospector.type": [
"@kibana-highlighted-field@docker@/kibana-highlighted-field@"
]
},
"sort": [
1583504118561
]
}