Hi all,
I have an Azure AKS (Kubernetes 1.11.2), and a filebeat 6.3.2 on each node.
filebeat.yml:
filebeat.prospectors:
  - type: docker
    containers.ids:
      - "*"
    multiline.pattern: '^{'
    multiline.negate: true
    multiline.match: after
    processors:
      - add_kubernetes_metadata:
          in_cluster: true
output.file.enabled: false
output.elasticsearch.enabled: false
output.logstash:
  hosts:
    - graylog.monitoring.svc.cluster.local:5044
The filebeat is sending the kubernetes metadata but I don't see them in Graylog:
{
  "@timestamp": "2018-09-26T12:41:48.373Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "doc",
    "version": "6.3.2"
  },
  "message": "{2018-09-26T12:41:48+00:00} [DEBUG] [LOG] is4_ip_da_presentation \u0026$ Technical \u0026$ end consuming event 92ae0ac3-0be0-4d23-9977-92b1fc713a2e - no subscription corresponding (msg/expected) : GloubiDeclared/TechnicalReferentialCreated \u0026$ null \u0026$ To be defined \u0026$ null \u0026$ E:\\agent\\_work\\57\\s\\src\\Component.Bus\\Subscribe\\AzureSubscriptions.cs 91 \u0026$ null \u0026$ null",
  "source": "/var/lib/docker/containers/c248ed867de4382b8957984da62fc81547a725856d91bd6559de971ef2fc2f63/c248ed867de4382b8957984da62fc81547a725856d91bd6559de971ef2fc2f63-json.log",
  "kubernetes": {
    "pod": {
      "name": "ip-da-7749d86858-crbk2"
    },
    "node": {
      "name": "aks-agentpool-xxx"
    },
    "namespace": "ci",
    "labels": {
      "pod-template-hash": "3305842414",
      "app": "ip-da"
    },
    "container": {
      "name": "ip-da"
    }
  },
  "meta": {
    "cloud": {
      "instance_id": "xxx",
      "instance_name": "aks-agentpool-xxx",
      "machine_type": "Standard_D2s_v3",
      "region": "northeurope",
      "provider": "az"
    }
  },
  "offset": 111659,
  "stream": "stdout",
  "input": {
    "type": "docker"
  },
  "prospector": {
    "type": "docker"
  },
  "beat": {
    "name": "filebeat-nd5l4",
    "hostname": "filebeat-nd5l4",
    "version": "6.3.2"
  },
  "host": {
    "name": "filebeat-nd5l4"
  }
}
I configured a beats input in Graylog with this Grok pattern:
{%{TIMESTAMP_ISO8601:time}} [%{DATA:logLevel}] [%{DATA:code}] %{DATA:caller} &$ %{DATA:logMessageType} &$ %{DATA:message} &$ %{DATA:correlationId} &$ %{DATA:userId} &$ %{DATA:data} &$ %{DATA:operation} &$ %{DATA:error} &$ (?.*)
It splits the fields just fine; I am just missing the kubernetes metadata fields.
Graylog: graylog/graylog:2.4.6-1
ES: docker.elastic.co/elasticsearch/elasticsearch:5.6.3
MongoDB: mongo:3
Each is deployed as a deployment + ClusterIP service, so each one has its own pod.
Graylog YAML of the deployment (graylog.conf left as is):
spec:
  containers:
    - image: "graylog/graylog:2.4.6-1"
      name: graylog
      ports:
        - containerPort: 9000
          name: http
        - containerPort: 5044
          name: tcp
        - containerPort: 12201
          name: gelf
      env:
        - name: GRAYLOG_PASSWORD_SECRET
          value: "redacted"
        - name: GRAYLOG_ROOT_PASSWORD_SHA2
          value: redacted
        - name: GRAYLOG_WEB_ENDPOINT_URI
          value: https://my-company-dns-graylog-pointing-to-ingress/api
        - name: "GRAYLOG_ELASTICSEARCH_HOSTS"
          value: "http://elasticsearch-discovery.monitoring.svc.cluster.local:9200/"
        - name: "GRAYLOT_ELASTICSEARCH_DISCOVERY_ENABLED"
          value: "true"
        - name: "GRAYLOG_MONGODB_URI"
          value: "mongodb://mongo.monitoring.svc.cluster.local:27017/graylog"
I saw in a GitHub issue that the beats plugin in Graylog should handle the kubernetes metadata. What is wrong with my conf?
Thanks.
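To see which fields the filebeat event above should yield once its nested kubernetes block is flattened into top-level keys and the message is split the way the Grok pattern does (the pod, namespace and container fields are what let a log line be attributed to a workload), here is an added Python example that is not part of the post, of filebeat or of Graylog. The sample event is a constructed abridgement of the one above, the underscore-joined key style (kubernetes_pod_name) and the name `rest` for the pattern's last capture are assumptions.

```python
import json
import re

# Constructed, abridged copy of the filebeat event shown in the post (not live data).
SAMPLE_EVENT = r'''{
  "@timestamp": "2018-09-26T12:41:48.373Z",
  "message": "{2018-09-26T12:41:48+00:00} [DEBUG] [LOG] is4_ip_da_presentation \u0026$ Technical \u0026$ end consuming event 92ae0ac3 - no subscription \u0026$ null \u0026$ To be defined \u0026$ null \u0026$ E:\\agent\\AzureSubscriptions.cs 91 \u0026$ null \u0026$ null",
  "kubernetes": {
    "pod": {"name": "ip-da-7749d86858-crbk2"},
    "node": {"name": "aks-agentpool-xxx"},
    "namespace": "ci",
    "labels": {"pod-template-hash": "3305842414", "app": "ip-da"},
    "container": {"name": "ip-da"}
  },
  "stream": "stdout"
}'''

# Python equivalent of the Grok pattern in the post; the last, unnamed capture
# is called "rest" here as an assumption.
LOG_LINE = re.compile(
    r"^\{(?P<time>[^}]+)\} \[(?P<logLevel>[^\]]*)\] \[(?P<code>[^\]]*)\] "
    r"(?P<caller>.*?) &\$ (?P<logMessageType>.*?) &\$ (?P<message>.*?) &\$ "
    r"(?P<correlationId>.*?) &\$ (?P<userId>.*?) &\$ (?P<data>.*?) &\$ "
    r"(?P<operation>.*?) &\$ (?P<error>.*?) &\$ (?P<rest>.*)$"
)


def flatten(obj, prefix="", sep="_"):
    """Turn nested dicts into single-level keys such as kubernetes_pod_name."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name, sep))
        else:
            out[name] = value
    return out


def parse_event(raw_json):
    """Return the flattened kubernetes metadata merged with the parsed log line."""
    event = json.loads(raw_json)
    fields = flatten(event.get("kubernetes", {}), "kubernetes")
    match = LOG_LINE.match(event["message"])
    if match:  # keep the raw line when the Grok-style pattern does not fit
        fields.update(match.groupdict())
    else:
        fields["message"] = event["message"]
    return fields
```

Running `parse_event(SAMPLE_EVENT)` yields both the `kubernetes_*` keys and the split log fields, which is the set of fields to look for on the Graylog side.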