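---
# Filebeat configuration: Kubernetes autodiscover with hint-based container
# inputs, per-container parsing processors, index template setup and an
# Elasticsearch output. It reads NODE_NAME, so it is presumably deployed once
# per node (e.g. a DaemonSet) — confirm against the manifest.
#
# The modules loader is intentionally left disabled; all inputs come from
# autodiscover below.
#filebeat.config:
#  modules:
#    path: ${path.config}/modules.d/*.yml
#    reload.enabled: false

filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: '${NODE_NAME}'
      # Pod annotations (co.elastic.logs/*) may override the default input
      # config per container.
      hints.enabled: true
      #templates:
      #  - config:
      #      - type: container
      #        paths:
      #          - /var/log/containers/*-${data.kubernetes.container.id}.log
      # kubernetes pod annotation example
      # annotations:
      #   co.elastic.logs.json-logging/json.keys_under_root: "true"
      #   co.elastic.logs.json-logging/json.add_error_key: "true"
      #   co.elastic.logs.json-logging/json.message_key: "message"
      # Input used for every discovered container that carries no hint.
      hints.default_config:
        type: container
        paths:
          - /var/log/containers/*-${data.kubernetes.container.id}.log
        # Files not modified in the last 24h are not picked up on start.
        ignore_older: 24h

# Processors run in order; the order matters for the rename below.
processors:
  - add_cloud_metadata: ~
  - add_locale:
      format: offset
  # Written as `~` (null) to match the other argument-less processors.
  - add_kubernetes_metadata: ~
  - add_host_metadata: ~
  # Containers known to emit JSON lines get the parsed object under
  # `message_json`; the raw `message` field is kept.
  - decode_json_fields:
      fields: ["message"]
      target: "message_json"
      when:
        or:
          - equals:
              kubernetes.container.name: etcd
          - equals:
              kubernetes.container.name: kilo
          - equals:
              kubernetes.container.name: cfssl-issuer
  # Must stay after decode_json_fields: its conditions match on
  # `kubernetes.container.name`, which this processor renames. Every
  # condition below uses the renamed `container.name`.
  - rename:
      fields:
        - from: "kubernetes.container.name"
          to: "container.name"
      ignore_missing: true
      fail_on_error: false
  # nginx access-log format. `nginx.geoip.lat`/`.lon` feed the `nginx.geoip`
  # geo_point mapping declared in setup.template.append_fields.
  - dissect:
      tokenizer: '%{nginx.remote_addr} - %{nginx.remote_user} [%{nginx.time}] %{nginx.host} "%{nginx.request}" %{nginx.status|integer} %{nginx.http_referer} "%{nginx.http_user_agent}" %{nginx.http_x_real_ip} %{nginx.http_x_forwarded_for} %{nginx.request_id} "%{nginx.geoip_country_name}" %{nginx.geoip_country_code} "%{nginx.geoip_asn_name}" %{nginx.geoip_asn_number|integer} location:"%{nginx.geoip.lat|double}" "%{nginx.geoip.lon|double}" req_header:"%{nginx.header.req}" resp_header:"%{nginx.header.resp}"'
      trim_values: all
      target_prefix: ""
      field: "message"
      when:
        equals:
          container.name: nginxfront
  # PHP/nginx error-log format from the same container.
  # NOTE(review): both dissect processors run on every nginxfront line and a
  # line can only match one of them, so the other one fails on each event;
  # if that shows up as error noise, `ignore_failure: true` is the documented
  # option to silence it — confirm before changing.
  - dissect:
      tokenizer: '%{php.time} [%{php.status}] %{php.info}: %{php.message}, client: %{php.client}, server: %{php.server}, request: "%{php.request}", host: "%{php.host}"'
      target_prefix: ""
      field: "message"
      when:
        equals:
          container.name: nginxfront
  # Parse the access-log time in place; `test` is validated at startup.
  - timestamp:
      field: nginx.time
      target_field: nginx.time
      layouts:
        - '02/Jan/2006:15:04:05 -0700'
      test:
        - '27/May/2022:21:41:02 +0000'
      when:
        equals:
          container.name: nginxfront
  # Do not ship Filebeat's own logs back into the pipeline.
  - drop_event:
      when:
        equals:
          container.name: filebeat

setup:
  kibana:
    host: '${KIBANA_HOSTS:kibana:5601}'
    ssl:
      # NOTE(review): `none` disables certificate verification, so any
      # certificate presented on this connection is accepted. Unless Kibana
      # is reached over a trusted in-cluster path, prefer the default
      # (`full`) with `certificate_authorities` pointing at the cluster CA.
      verification_mode: none
  template:
    enabled: true
    name: "filebeat-%{[agent.version]}"
    pattern: "filebeat-%{[beat.version]}-*"
    settings:
      index.number_of_shards: 1
      index.number_of_replicas: 0
    # Fields produced by the processors above that the default template
    # does not know about.
    append_fields:
      - name: container.name
        type: keyword
      - name: kubernetes.container.name
        type: keyword
      - name: nginx.geoip
        type: geo_point
  dashboards:
    enabled: false

# Internal queue configuration for buffering events to be published.
queue:
  # Queue type by name (default 'mem')
  # The memory queue will present all available events (up to the outputs
  # bulk_max_size) to the output, the moment the output is ready to serve
  # another batch of events.
  mem:
    # Max number of events the queue can buffer.
    events: 4096

    # Hints the minimum number of events stored in the queue,
    # before providing a batch of events to the outputs.
    # The default value is set to 2048.
    # A value of 0 ensures events are immediately available
    # to be sent to the outputs.
    flush.min_events: 0

    # Maximum duration after which events are available to the outputs,
    # if the number of events stored in the queue is < `flush.min_events`.
    flush.timeout: 0s

output.elasticsearch:
  hosts: '[${ELASTICSEARCH_HOSTS:elasticsearch:9200}]'
  # Credentials come from the environment (e.g. a mounted Secret) and are
  # never written here. The `:` default is the empty string, so an unset
  # variable yields an unauthenticated connection instead of a startup
  # error — confirm that is the intended failure mode.
  username: '${ELASTICSEARCH_USERNAME:}'
  password: '${ELASTICSEARCH_PASSWORD:}'
  ssl:
    # NOTE(review): as for Kibana above, `none` accepts any certificate
    # from the Elasticsearch endpoint; credentials are sent over that
    # connection. Prefer `full` plus `certificate_authorities`.
    verification_mode: none
  indices:
    # One index per container name (`common` when the field is absent);
    # the dated variant is kept for reference.
    #- index: "filebeat-%{[agent.version]}-%{[container.name]:common}-%{+yyyy.MM.dd}"
    - index: "filebeat-%{[agent.version]}-%{[container.name]:common}"
#logging.json: true
#logging.metrics.enabled: false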