filebeat + kubernetes + elasticsearch not save specific fields

1/23/2020

I created a namespace to collect logs with Filebeat and save them to Elasticsearch. Why are the Kubernetes fields, like in the example below, not saved in Elasticsearch?

Kubernetes fields

        "kubernetes" : {
            "labels" : {
              "app" : "MY-APP",
              "pod-template-hash" : "959f54cd",
              "serving" : "true",
              "version" : "1.0",
              "visualize" : "true"
            },
            "pod" : {
              "uid" : "e20173cb-3c5f-11ea-836e-02c1ee65b375",
              "name" : "MY-APP-959f54cd-lhd5p"
            },
            "node" : {
              "name" : "ip-xxx-xx-xx-xxx.ec2.internal"
            },
            "container" : {
              "name" : "istio"
            },
            "namespace" : "production",
            "replicaset" : {
              "name" : "MY-APP-959f54cd"
            }
          }

Currently it is being saved like this:

      "_source" : {
          "@timestamp" : "2020-01-23T12:33:14.235Z",
          "ecs" : {
            "version" : "1.0.0"
          },
          "host" : {
            "name" : "worker-node1"
          },
          "agent" : {
            "hostname" : "worker-node1",
            "id" : "xxxxx-xxxx-xxx-xxxx-xxxxxxxxxxxxxx",
            "version" : "7.1.1",
            "type" : "filebeat",
            "ephemeral_id" : "xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
          },
          "log" : {
            "offset" : xxxxxxxx,
            "file" : {
              "path" : "/var/lib/docker/containers/xxxx96ec2bfd9a3e4f4ac83581ad90/7fd55e1249aa009df3f8e3250c967bbe541c9596xxxxxac83581ad90-json.log"
            }
          },
          "stream" : "stdout",
          "message" : "xxxxxxxx",
          "input" : {
            "type" : "docker"
          }
        }

My filebeat config follows:

apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.config:
      inputs:
        # Mounted `filebeat-inputs` configmap:
        path: ${path.config}/inputs.d/*.yml
        # Reload inputs configs as they change:
        reload.enabled: false
        multiline.pattern: '^[[:space:]]'
        multiline.negate: false
        multiline.match: after
      modules:
        path: ${path.config}/modules.d/*.yml
        # Reload module configs as they change:
        reload.enabled: false

    # To enable hints based autodiscover, remove `filebeat.config.inputs` configuration and uncomment this:
    #filebeat.autodiscover:
    #  providers:
    #    - type: kubernetes
    #      hints.enabled: true

    processors:
      - add_cloud_metadata:
      - add_kubernetes_metadata:

    cloud.id: ${ELASTIC_CLOUD_ID}
    cloud.auth: ${ELASTIC_CLOUD_AUTH}

    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      protocol: "http"
    setup.ilm.enabled: false
    ilm.enabled: false
    xpack.monitoring:
      enabled: true

The DaemonSet is shown below:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
spec:
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      serviceAccountName: filebeat
      hostNetwork: true
      terminationGracePeriodSeconds: 30
      containers:
        - name: filebeat
          image: docker.elastic.co/beats/filebeat-oss:7.1.1
          args: [
            "-c", "/etc/filebeat.yml",
            "-e",
          ]
          env:
            - name: ELASTICSEARCH_HOST
              value: xxxxxxxxxxxxx
            - name: ELASTICSEARCH_PORT
              value: "9200"
          securityContext:
            runAsUser: 0
            # If using Red Hat OpenShift uncomment this:
            #privileged: true
          resources:
            limits:
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: config
              mountPath: /etc/filebeat.yml
              readOnly: true
              subPath: filebeat.yml
            - name: inputs
              mountPath: /usr/share/filebeat/inputs.d
              readOnly: true
            - name: data
              mountPath: /usr/share/filebeat/data
            - name: varlibdockercontainers
              mountPath: /var/lib/docker/containers
              readOnly: true
      volumes:
        - name: config
          configMap:
            defaultMode: 0600
            name: filebeat-config
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        - name: inputs
          configMap:
            defaultMode: 0600
            name: filebeat-inputs
        # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
        - name: data
          hostPath:
            path: /var/lib/filebeat-data
            type: DirectoryOrCreate

Before applying the config to Kubernetes, I removed every Filebeat registry from Elasticsearch.

-- Matheus Warmeling Matias
docker
elasticsearch
filebeat
kibana
kubernetes
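One way to confirm whether indexed events carry the `kubernetes.*` block the question expects is to audit the `_source` of the hits and, after a fix, to query Elasticsearch for recent events where the field is still absent. The script below is an added example and is not part of the original question or of Filebeat; the two sample hits are constructed from the two document shapes shown above (the enriched one and the bare one), with placeholder ids, and the query body assumes the ECS `log.file.path` keyword mapping that Filebeat 7.x creates for the `filebeat-*` indices.

```python
"""Audit Filebeat events in Elasticsearch for Kubernetes metadata (added example)."""
import json
from typing import Any, Dict, Iterable, List

# Fields that add_kubernetes_metadata should populate on every container log event.
EXPECTED_K8S_FIELDS = (
    "kubernetes.namespace",
    "kubernetes.pod.name",
    "kubernetes.pod.uid",
    "kubernetes.node.name",
    "kubernetes.container.name",
)

# Constructed sample hits: first one has the shape the question expects,
# second one has the shape that is currently being indexed.
SAMPLE_HITS = [
    {"_id": "enriched-1", "_source": {
        "@timestamp": "2020-01-23T12:33:14.235Z", "message": "constructed",
        "log": {"file": {"path": "/var/log/containers/my-app-959f54cd-lhd5p_production_istio-0.log"}},
        "kubernetes": {
            "namespace": "production",
            "pod": {"uid": "constructed-uid", "name": "my-app-959f54cd-lhd5p"},
            "node": {"name": "ip-xxx-xx-xx-xxx.ec2.internal"},
            "container": {"name": "istio"},
            "labels": {"app": "my-app", "version": "1.0"},
        },
    }},
    {"_id": "bare-1", "_source": {
        "@timestamp": "2020-01-23T12:33:14.235Z", "message": "constructed",
        "host": {"name": "worker-node1"}, "stream": "stdout",
        "input": {"type": "docker"},
        "log": {"file": {"path": "/var/lib/docker/containers/xxxx/xxxx-json.log"}},
    }},
]


def get_path(doc: Dict[str, Any], dotted: str) -> Any:
    """Walk a dotted path such as 'kubernetes.pod.name' through nested dicts; None if absent."""
    cur: Any = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def missing_k8s_fields(source: Dict[str, Any]) -> List[str]:
    """Return the expected kubernetes.* fields a document lacks (empty list means fully enriched)."""
    return [f for f in EXPECTED_K8S_FIELDS if get_path(source, f) in (None, "")]


def audit_hits(hits: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Summarise hits: how many are enriched, and which ones are not (with their log path)."""
    total = enriched = 0
    unenriched = []
    for hit in hits:
        total += 1
        source = hit.get("_source", {})
        missing = missing_k8s_fields(source)
        if missing:
            unenriched.append({"_id": hit.get("_id"),
                               "log_path": get_path(source, "log.file.path"),
                               "missing": missing})
        else:
            enriched += 1
    return {"total": total, "enriched": enriched, "unenriched": unenriched}


def missing_metadata_query(field: str = "kubernetes.pod.name", since: str = "now-15m") -> Dict[str, Any]:
    """Query body for POST filebeat-*/_search that counts recent events without `field`
    and buckets them by log path, so a regression after the fix shows up immediately."""
    return {
        "size": 0,
        "query": {"bool": {
            "filter": [{"range": {"@timestamp": {"gte": since}}}],
            "must_not": [{"exists": {"field": field}}],
        }},
        "aggs": {"by_path": {"terms": {"field": "log.file.path", "size": 20}}},
    }


if __name__ == "__main__":
    print(json.dumps(audit_hits(SAMPLE_HITS), indent=2))
    print(json.dumps(missing_metadata_query(), indent=2))
```

Point the query at the `filebeat-*` index pattern; a non-empty `by_path` bucket after the fix tells you which log files are still being read by an input that the metadata processor cannot match.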

1 Answer

2/5/2020

As already stated in my comment, it looks like your ConfigMap is missing the `paths:` to the containers' logs. It should be something like this:

       type: container
       paths:
         - /var/log/containers/*${data.kubernetes.container.id}.log

Compare your config file with this one.

I hope it helps.

-- OhHiMark
Source: StackOverflow
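The path pattern in the answer, `/var/log/containers/*${data.kubernetes.container.id}.log`, works because the kubelet names each log symlink under `/var/log/containers` as `<pod>_<namespace>_<container>-<64-hex container id>.log`, so once autodiscover substitutes the container id the glob selects exactly one file per container, and the file name alone identifies the pod. The script below is an added example, not code from the answer or from Filebeat: it parses that naming convention the way a log-path matcher has to before any `kubernetes.*` fields can be attached, and checks which paths the answer's pattern would select. The pod name, namespace and container id are constructed sample values.

```python
"""Resolve kubelet container log paths to pod identity (added example)."""
import fnmatch
import os
import re
from typing import Dict, Optional

CONTAINERS_DIR = "/var/log/containers/"

# kubelet symlink naming: <pod>_<namespace>_<container>-<64 hex container id>.log
# Pod names are DNS subdomains (may contain '.'), namespace and container names are DNS labels.
_NAME_RE = re.compile(
    r"^(?P<pod>[a-z0-9.-]+)_(?P<namespace>[a-z0-9-]+)_(?P<container>[a-z0-9-]+)"
    r"-(?P<container_id>[0-9a-f]{64})\.log$"
)


def parse_container_log_path(path: str) -> Optional[Dict[str, str]]:
    """Return {pod, namespace, container, container_id} for a kubelet log path, else None."""
    if not path.startswith(CONTAINERS_DIR):
        return None
    match = _NAME_RE.match(os.path.basename(path))
    return match.groupdict() if match else None


def input_path_pattern(container_id: str) -> str:
    """The answer's hint path with ${data.kubernetes.container.id} substituted."""
    return f"{CONTAINERS_DIR}*{container_id}.log"


def pattern_matches(path: str, container_id: str) -> bool:
    """True if the substituted glob would pick up `path` (fnmatch '*' spans any characters)."""
    return fnmatch.fnmatchcase(path, input_path_pattern(container_id))


if __name__ == "__main__":
    cid = "0123456789abcdef" * 4  # constructed container id
    kubelet_path = f"{CONTAINERS_DIR}my-app-959f54cd-lhd5p_production_istio-{cid}.log"
    docker_path = "/var/lib/docker/containers/xxxx/xxxx-json.log"  # shape from the question
    for p in (kubelet_path, docker_path):
        print(p, "->", parse_container_log_path(p), "selected:", pattern_matches(p, cid))
```

The docker json-file path that the question's events currently carry does not follow the kubelet naming, so `parse_container_log_path` returns `None` for it; the kubelet path resolves to the pod, namespace and container that appear in the expected `kubernetes` block.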