Hints based autodiscover
Filebeat supports autodiscover based on hints from the provider. The hints system looks for
hints in Kubernetes Pod annotations or Docker labels that have the prefix co.elastic.logs. As soon as
the container starts, Filebeat will check if it contains any hints and launch the proper config for
it. Hints tell Filebeat how to get logs for the given container. By default logs will be retrieved
from the container using the docker input. You can use hints to modify this behavior. This is the full
list of supported hints:
co.elastic.logs/disable
Filebeat gets logs from all containers by default. Set this hint to true to ignore
the output of the container. Filebeat won’t read or send logs from it.
co.elastic.logs/multiline.*
Multiline settings. See Manage multiline messages for a full list of all supported options.
co.elastic.logs/include_lines
A list of regular expressions to match the lines that you want Filebeat to include. See Configure inputs for more info.
co.elastic.logs/exclude_lines
A list of regular expressions to match the lines that you want Filebeat to exclude. See Configure inputs for more info.
co.elastic.logs/module
Specifies the module to use to parse logs from the container, instead of using the raw docker input. See
Modules for the list of supported modules.
co.elastic.logs/fileset
When module is configured, map container logs to module filesets. You can either configure a single fileset like this:
co.elastic.logs/fileset: access
Or configure a fileset per stream in the container (stdout and stderr):
co.elastic.logs/fileset.stdout: access
co.elastic.logs/fileset.stderr: error
co.elastic.logs/raw
When an entire input/module configuration needs to be completely set, the raw hint can be used. You can provide a
stringified JSON of the input configuration. raw overrides every other hint and can be used to create either a single
configuration or a list of configurations.
co.elastic.logs/raw: "[{\"containers\":{\"ids\":[\"${data.container.id}\"]},\"multiline\":{\"negate\":\"true\",\"pattern\":\"^test\"},\"type\":\"docker\"}]"
co.elastic.logs/processors
Define a processor to be added to the Filebeat input/module configuration. See Filter and enhance the exported data for the list of supported processors.
In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do arbitrary ordering:
co.elastic.logs/processors.1.dissect.tokenizer: "%{key1} %{key2}"
co.elastic.logs/processors.dissect.tokenizer: "%{key2} %{key1}"
In the above sample the processor definition tagged with 1 would be executed first.
Kubernetes
Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set hints.enabled:
filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true
You can annotate Kubernetes Pods with useful info to spin up Filebeat inputs or modules:
annotations:
  co.elastic.logs/multiline.pattern: '^\['
  # Kubernetes annotation values must be strings, so the boolean is quoted
  co.elastic.logs/multiline.negate: 'true'
  co.elastic.logs/multiline.match: after
Multiple containers
When a pod has multiple containers, the settings are shared unless you put the container name in the
hint. For example, these hints configure multiline settings for all containers in the pod, but set a
specific exclude_lines hint for the container called sidecar.
annotations:
  co.elastic.logs/multiline.pattern: '^\['
  # Kubernetes annotation values must be strings, so the boolean is quoted
  co.elastic.logs/multiline.negate: 'true'
  co.elastic.logs/multiline.match: after
  co.elastic.logs.sidecar/exclude_lines: '^DBG'
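The scoping rule above, together with the disable and raw hints, can be checked per container before a pod spec is deployed. The following is an added example, not code from Filebeat or the Elastic documentation: the function names and the sample annotations are constructed, and it assumes that a container-scoped hint takes precedence over a pod-wide hint of the same name.

```python
import json

PREFIX = "co.elastic.logs"

def resolve_hints(annotations, container):
    """Effective hints for one container: pod-wide hints, then
    co.elastic.logs.<container>/ hints layered on top (assumed precedence)."""
    shared, specific = {}, {}
    for key, value in annotations.items():
        scope, sep, hint = key.partition("/")
        if not sep:
            continue  # not a prefix/name annotation
        if scope == PREFIX:
            shared[hint] = value
        elif scope == f"{PREFIX}.{container}":
            specific[hint] = value
    return {**shared, **specific}

def audit(annotations, containers):
    """Return (container, finding) pairs that change what Filebeat collects."""
    findings = []
    for name in containers:
        hints = resolve_hints(annotations, name)
        # disable=true means Filebeat will not read or send this container's logs
        if str(hints.get("disable", "")).lower() == "true":
            findings.append((name, "logs disabled"))
        # raw replaces every other hint, so list what it silently overrides
        if "raw" in hints:
            ignored = sorted(h for h in hints if h != "raw")
            try:
                parsed = json.loads(hints["raw"])
                count = len(parsed) if isinstance(parsed, list) else 1
                findings.append((name, f"raw sets {count} config(s), overriding {ignored}"))
            except json.JSONDecodeError:
                findings.append((name, "raw is not valid JSON"))
    return findings

# Constructed sample annotations for a pod with containers "app" and "sidecar"
SAMPLE = {
    "co.elastic.logs/multiline.pattern": r"^\[",
    "co.elastic.logs/multiline.negate": "true",
    "co.elastic.logs.sidecar/exclude_lines": "^DBG",
    "co.elastic.logs.sidecar/disable": "true",
    "co.elastic.logs.app/raw": '[{"type":"docker","containers":{"ids":["${data.container.id}"]}}]',
    "app.kubernetes.io/name": "demo",
}

if __name__ == "__main__":
    for container, finding in audit(SAMPLE, ["app", "sidecar"]):
        print(f"{container}: {finding}")
```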
Docker
Docker autodiscover provider supports hints in labels. To enable it just set hints.enabled:
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
You can label Docker containers with useful info to spin up Filebeat inputs, for example:
co.elastic.logs/module: nginx
co.elastic.logs/fileset.stdout: access
co.elastic.logs/fileset.stderr: error
The above labels configure Filebeat to use the Nginx module to harvest logs for this container. Access logs will be retrieved from stdout stream, and error logs from stderr.