docker-filebeat/filebeat-kubernetes.yml

115 lines
3.5 KiB
YAML

#filebeat.config:
# modules:
# path: ${path.config}/modules.d/*.yml
# reload.enabled: false
filebeat.autodiscover:
providers:
- type: kubernetes
node: '${NODE_NAME}'
hints.enabled: true
#templates:
# - config:
# - type: container
# paths:
# - /var/log/containers/*-${data.kubernetes.container.id}.log
# kubernetes pod annotation example
# annotations:
# co.elastic.logs.json-logging/json.keys_under_root: "true"
# co.elastic.logs.json-logging/json.add_error_key: "true"
# co.elastic.logs.json-logging/json.message_key: "message"
hints.default_config:
type: container
paths:
- /var/log/containers/*-${data.kubernetes.container.id}.log
ignore_older: 24h
processors:
- add_cloud_metadata: ~
- add_locale:
format: offset
- add_kubernetes_metadata:
- add_host_metadata: ~
- decode_json_fields:
fields: [ "message" ]
target: "message_json"
when:
or:
- equals:
kubernetes.container.name: etcd
- equals:
kubernetes.container.name: kilo
- equals:
kubernetes.container.name: cfssl-issuer
- rename:
fields:
- from: "kubernetes.container.name"
to: "container.name"
ignore_missing: true
fail_on_error: false
- dissect:
tokenizer: '%{nginx.remote_addr} - %{nginx.remote_user} [%{nginx.time}] %{nginx.host} "%{nginx.request}" %{nginx.status|integer} %{nginx.http_referer} "%{nginx.http_user_agent}" %{nginx.http_x_real_ip} %{nginx.http_x_forwarded_for} %{nginx.request_id} "%{nginx.geoip_country_name}" %{nginx.geoip_country_code} "%{nginx.geoip_asn_name}" %{nginx.geoip_asn_number|integer} location:"%{nginx.geoip.lat|double}" "%{nginx.geoip.lon|double}" req_header:"%{nginx.header.req}" resp_header:"%{nginx.header.resp}"'
trim_values: all
target_prefix: ""
field: "message"
when:
equals:
container.name: nginxfront
- dissect:
tokenizer: '%{php.time} [%{php.status}] %{php.info}: %{php.message}, client: %{php.client}, server: %{php.server}, request: "%{php.request}", host: "%{php.host}"'
target_prefix: ""
field: "message"
when:
equals:
container.name: nginxfront
- timestamp:
field: nginx.time
target_field: nginx.time
layouts:
- '02/Jan/2006:15:04:05 -0700'
test:
- '27/May/2022:21:41:02 +0000'
when:
equals:
container.name: nginxfront
- drop_event:
when:
equals:
container.name: filebeat
setup:
kibana:
host: '${KIBANA_HOSTS:kibana:5601}'
ssl:
verification_mode: none
template:
enabled: true
name: "filebeat-%{[agent.version]}"
pattern: "filebeat-%{[beat.version]}-*"
settings:
index.number_of_shards: 1
index.number_of_replicas: 0
append_fields:
- name: container.name
type: keyword
- name: kubernetes.container.name
type: keyword
- name: nginx.geoip
type: geo_point
dashboards:
enabled: false
output.elasticsearch:
hosts: '[${ELASTICSEARCH_HOSTS:elasticsearch:9200}]'
username: '${ELASTICSEARCH_USERNAME:}'
password: '${ELASTICSEARCH_PASSWORD:}'
ssl:
verification_mode: none
indices:
#- index: "filebeat-%{[agent.version]}-%{[container.name]:common}-%{+yyyy.MM.dd}"
- index: "filebeat-%{[agent.version]}-%{[container.name]:common}"
#logging.json: true
#logging.metrics.enabled: false