thedubo
February 12, 2020, 4:09pm
1
Hi all,
I’m running Graylog 3.0.2 with Graylog Sidecars and Filebeat on my nodes.
I want to collect logs from a specific docker container and stumbled on the filebeat autodiscovery feature for doing this: https://www.elastic.co/guide/en/beats/filebeat/7.x/configuration-autodiscover.html
So I’ve tried to setup a collector configration as shown:
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
filebeat.autodiscover:
providers:
- type: docker
templates:
- condition:
contains:
docker.container.image: nginx
config:
- type: container
paths:
- "/var/lib/docker/containers/${data.docker.container.id}/*.log"
exclude_lines: ["^\\s+[\\-`('.|_]"] # drop asciiart lines
output.logstash:
hosts: ["xxxxx:5044"]
path:
data: /appl/graylog-sidecar/collectors/filebeat/data
logs: /appl/graylog-sidecar/collectors/filebeat/log
But the configration pages throws this error:
Am I missing something?
Is it possible to use the autodiscover feature with sidecars?
Best regards
tmacgbay
February 12, 2020, 6:18pm
2
your line 15:
- "/var/lib/docker/containers/${data.docker.container.id}/*.log"
Elastic’s “Line 15”
- /var/lib/docker/containers/${data.docker.container.id}/*.log
rarely are you NOT supposed to use quotes in a path, but this is one of them.
thedubo
February 12, 2020, 8:34pm
3
Thanks for answering!
But removing quotes doesn’t help:
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
filebeat.autodiscover:
providers:
- type: docker
templates:
- condition:
contains:
docker.container.image: nginx
config:
- type: container
paths:
- /var/lib/docker/containers/${data.docker.container.id}/*.log
exclude_lines: ["^\\s+[\\-`('.|_]"] # drop asciiart lines
output.logstash:
hosts: ["xxxxx:5044"]
path:
data: /appl/graylog-sidecar/collectors/filebeat/data
logs: /appl/graylog-sidecar/collectors/filebeat/log
Template error: - Failed at: ${data.docker.container.id} [in template “326e8a12-0448-46df-ba87-19904b2d5e93” at line 15, column 46]
tmacgbay
February 12, 2020, 9:36pm
4
Well dammit. Here is another thing I noticed… the documentation you are referencing is for Elasticsearch 7.0 but Graylog doesn’t work with that level (yet) when I looked at the 6.8 version of autodiscover documentation it is a little different…
https://www.elastic.co/guide/en/beats/filebeat/6.8/configuration-autodiscover.html
Also of note - 6.8 has quotes on the path
And lastly… the config type (on line 13) would be “log” not “container” which is MUCH more likely to be what the error is.
thedubo
February 13, 2020, 8:52am
5
Ha!
First of all, you were correct about the config type.
And after fixing that i figured out that I have to escape the ${data.docker.container.id} as mentioned on the Variables tab:
If your configuration format needs to use literals like ${foo}, which shall not act as a variable, you will have to write it as ${‘$’}{foo}.
So my config looks like this now:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
filebeat.autodiscover:
providers:
- type: docker
templates:
- condition:
contains:
docker.container.image: nginx
config:
- type: log
paths:
- "/var/lib/docker/containers/${'$'}{data.docker.container.id}/*.log"
exclude_lines: ["^\\s+[\\-`('.|_]"] # drop asciiart lines
output.logstash:
hosts: ["xxxx:5044"]
path:
data: /appl/graylog-sidecar/collectors/filebeat/data
logs: /appl/graylog-sidecar/collectors/filebeat/log
Thank you for your help!
Have a nice day!
Best regards
1 Like
system
February 27, 2020, 8:52am
6
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
