Answer the question
In order to leave comments, you need to log in
V
V
Vladimir Obabkov2021-01-24 14:32:18
Vladimir Obabkov, 2021-01-24 14:32:18
How do I configure Filebeat to write to a file on the host?
Hello
, I am trying to organize logging from many containers to files on the host (Just files, without ELK)
I’ll make a reservation right away that I’m almost the first time with docker and filebeat, I’m floating in linux administration
I take a container with php-fpm for tests
spoiler
and container with filebeat: (Пишет логи в docker/logs[hash]/*.json.logs)
filebeat structure:
spoiler
- Filebeat
|-- Dockerfile
|-- filebeat.yml
|-- Dockerfile
|-- filebeat.yml
Dockerfile:
spoiler
FROM docker.elastic.co/beats/filebeat:6.5.2
COPY ./filebeat.yml /usr/share/filebeat/filebeat.yml
USER root
RUN chown -R root /usr/share/filebeat/
RUN chmod -R go-w /usr/share/filebeat/filebeat.yml
spoiler
filebeat.inputs:
- type: docker
containers.ids:
- 'ac83a2522c7f'
output.file:
path: "/home/iva/filebeat/logs"
filename: filebeat
rotate_every_kb: 10000
permissions: 0600docker-compose:
spoiler
php:
build: ./PHP
container_name: php-fpm
volumes:
- ./Nginx/html:/usr/share/nginx/html
links:
- mysql
filebeat-php:
build: ./Filebeat
container_name: filebeat-phpstdout:filebeat
spoiler
filebeat-php | 2021-01-24T11:13:23.625Z INFO instance/beat.go:592 Home path: [/usr/share/filebeat] Config path: [/usr/share/filebeat] Data path: [/usr/share/filebeat/data] Logs path: [/usr/share/filebeat/logs]
filebeat-php | 2021-01-24T11:13:24.004Z INFO instance/beat.go:599 Beat UUID: e67d8255-e337-49b4-a0b8-a6bea08a05e2
filebeat-php | 2021-01-24T11:13:24.004Z INFO [seccomp] seccomp/seccomp.go:116 Syscall filter successfully installed
filebeat-php | 2021-01-24T11:13:24.004Z INFO [beat] instance/beat.go:825 Beat info {"system_info": {"beat": {"path": {"config": "/usr/share/filebeat", "data": "/usr/share/filebeat/data", "home": "/usr/share/filebeat", "logs": "/usr/share/filebeat/logs"}, "type": "filebeat", "uuid": "e67d8255-e337-49b4-a0b8-a6bea08a05e2"}}}
filebeat-php | 2021-01-24T11:13:24.004Z INFO [beat] instance/beat.go:834 Build info {"system_info": {"build": {"commit": "b48d073b84e874a182c122d8ef2bad867f714a11", "libbeat": "6.5.2", "time": "2018-11-29T23:04:30.000Z", "version": "6.5.2"}}}
filebeat-php | 2021-01-24T11:13:24.004Z INFO [beat] instance/beat.go:837 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.10.3"}}}
filebeat-php | 2021-01-24T11:13:24.006Z INFO [beat] instance/beat.go:841 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-01-24T09:08:26Z","containerized":true,"name":"ec077847b7e7","ip":["127.0.0.1/8","172.24.0.3/16"],"kernel_version":"5.8.0-40-generic","mac":["02:42:ac:18:00:03"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":5,"patch":1804,"codename":"Core"},"timezone":"UTC","timezone_offset_sec":0}}}
filebeat-php | 2021-01-24T11:13:24.007Z INFO [beat] instance/beat.go:870 Process info {"system_info": {"process": {"capabilities": {"inheritable":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/usr/share/filebeat", "exe": "/usr/share/filebeat/filebeat", "name": "filebeat", "pid": 1, "ppid": 0, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2021-01-24T11:13:21.030Z"}}}
filebeat-php | 2021-01-24T11:13:24.007Z INFO instance/beat.go:278 Setup Beat: filebeat; Version: 6.5.2
filebeat-php | 2021-01-24T11:13:24.007Z INFO fileout/file.go:97 Initialized file output. path=/home/iva/filebeat/logs/filebeat max_size_bytes=10240000 max_backups=7 permissions=-rw-------
filebeat-php | 2021-01-24T11:13:24.008Z INFO [publisher] pipeline/module.go:110 Beat name: ec077847b7e7
filebeat-php | 2021-01-24T11:13:24.009Z INFO instance/beat.go:400 filebeat start running.
filebeat-php | 2021-01-24T11:13:24.009Z INFO [monitoring] log/log.go:117 Starting metrics logging every 30s
filebeat-php | 2021-01-24T11:13:24.009Z INFO registrar/registrar.go:97 No registry file found under: /usr/share/filebeat/data/registry. Creating a new registry file.
filebeat-php | 2021-01-24T11:13:24.492Z INFO registrar/registrar.go:134 Loading registrar data from /usr/share/filebeat/data/registry
filebeat-php | 2021-01-24T11:13:24.492Z INFO registrar/registrar.go:141 States Loaded from registrar: 0
filebeat-php | 2021-01-24T11:13:24.492Z WARN beater/filebeat.go:374 Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
filebeat-php | 2021-01-24T11:13:24.492Z INFO crawler/crawler.go:72 Loading Inputs: 1
filebeat-php | 2021-01-24T11:13:24.494Z INFO log/input.go:138 Configured paths: [/var/lib/docker/containers/ac83a2522c7f/*.log]
filebeat-php | 2021-01-24T11:13:24.494Z INFO input/input.go:114 Starting input of type: docker; ID: 9369672533464162401
filebeat-php | 2021-01-24T11:13:24.494Z INFO crawler/crawler.go:106 Loading and starting Inputs completed. Enabled inputs: 1Once every 30 seconds gives:
spoiler
filebeat-php | 2021-01-24T11:13:54.027Z INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":20,"time":{"ms":23}},"total":{"ticks":80,"time":{"ms":90},"value":0},"user":{"ticks":60,"time":{"ms":67}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":5},"info":{"ephemeral_id":"68cf6fab-fac6-4917-aa19-d248b2b1ee59","uptime":{"ms":30463}},"memstats":{"gc_next":4194304,"memory_alloc":2366904,"memory_total":4242952,"rss":23302144}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"type":"file"},"pipeline":{"clients":1,"events":{"active":0}}},"registrar":{"states":{"current":0},"writes":{"success":1,"total":1}},"system":{"cpu":{"cores":4},"load":{"1":1.7,"15":1.49,"5":1.46,"norm":{"1":0.425,"15":0.3725,"5":0.365}}}}}}At the same time, he does not write any logs (
Thanks in advance for any hint where to dig
UPD: I mounted the docker log directory for reading:
spoiler
filebeat-php:
build: ./Filebeat
container_name: filebeat-php
volumes:
- /var/lib/docker/containers:/var/lib/docker/containers:ro
- /var/run/docker.sock:/var/run/docker.sock:rostdout filebeat now includes Harvester and successful read/write messages, but it's not clear where exactly it writes.
pastebin
UPD2: Mounted the docker logs and directories and the exit point from filebeat.yml, after which everything worked.
spoiler
filebeat-php:
build: ./Filebeat
container_name: filebeat-php
volumes:
- /var/lib/docker/containers:/var/lib/docker/containers:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /home/iva/filebeat/logs/:/home/iva/filebeat/logs/ 1 answer(s)
@Enroller
�
Владимир Обабков, 2021-01-24 @Enroller
Вопрос решили совместно с Дмитрий Шицков , в комментариях.
Чтобы Filebeat мог писать в режиме docker в файлы, нужно примонтировать на чтение директории логов докера и полностью примонтировать путь, указанный в output.file.
Подробнее можно посмотреть в UPD внутри поста.
Similar questions
B
K
kot25662018-04-01 20:59:23
Docker toolbox, how to execute commands from a new console window?
2Reply
I
D
Dimetriy2020-05-19 11:54:51
Vmware + debian + docker + hgfs hgfs disk access problem. What to do?
0Reply
H
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question