Simple Docker Filebeat Elasticsearch Composition does not Log out Docker Logs


I created a docker compose for educational purposes to explore the Filebeat logging capabilities, but I cannot get Filebeat to ship the logs of a specific container.

I create an elastic process with certificate security, then a Kibana container on top of that. I configure the Kibana/Elastic Setup with a Filebeat container and then I would have expected the Logs in the "Discover" Tab in Kibana, but nothing is visible, no logs.

Here is my docker-compose:

services:
  # One-shot bootstrap container: creates a CA and a node certificate for
  # "search", resets file ownership/modes, then sets the kibana_system password.
  # NOTE(review): the CA private key (config/certs/ca/ca.key) is written into
  # the same bind-mounted directory that search, kibana and both filebeat
  # services mount, so the signing key is exposed to every one of them.
  # Acceptable for a throwaway lab; otherwise hand each service only the
  # files it needs.
  elastic-setup:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.1
    # Runs as root; the script below chowns the cert directory to root:root.
    user: "0"
    volumes:
      - ./elasticsearch/certs:/usr/share/elasticsearch/config/certs
    # NOTE(review): the script hard-codes the credentials elastic:elastic and
    # the kibana_system password "kibana". Keep these values out of any
    # deployment that is reachable by others.
    # The two `find .` calls walk the container's working directory, not only
    # config/certs.
    command: >
      bash -c '
        if [ ! -f config/certs/ca.zip ]; then
          echo "Creating CA";
          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
          unzip config/certs/ca.zip -d config/certs;
        fi;
        if [ ! -f config/certs/certs.zip ]; then
          echo "Creating certs";
          echo -ne \
          "instances:\n"\
          "  - name: search\n"\
          "    dns:\n"\
          "      - search\n"\
          "      - localhost\n"\
          "    ip:\n"\
          "      - 127.0.0.1\n"\
          > config/certs/instances.yml;
          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
          unzip config/certs/certs.zip -d config/certs;
        fi;
        echo "Setting file permissions"
        chown -R root:root config/certs;
        find . -type d -exec chmod 750 \{\} \;;
        find . -type f -exec chmod 640 \{\} \;;
        echo "Waiting for Elasticsearch availability";
        until curl -s --cacert config/certs/ca/ca.crt https://search:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
        echo "Setting kibana_system password";
        until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:elastic" -H "Content-Type: application/json" https://search:9200/_security/user/kibana_system/_password -d "{\"password\":\"kibana\"}" | grep -q "^{}"; do sleep 10; done;
        echo "All done!";
      '
    networks:
      - elasticnet
    # Reports healthy as soon as the node certificate file exists, which is
    # before the password step in the script above has run.
    healthcheck:
      test: ["CMD-SHELL", "[ -f config/certs/search/search.crt ]"]
      interval: 1s
      timeout: 5s
      retries: 120

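  # Single-node Elasticsearch with TLS on both the HTTP and transport layers.
  search:
    depends_on:
      elastic-setup:
        condition: service_healthy
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.1
    volumes:
      # NOTE(review): this directory also holds the CA private key written by
      # elastic-setup; the node itself only needs ca.crt and search/*.
      - ./elasticsearch/certs:/usr/share/elasticsearch/config/certs
    ports:
      # Quoted to match the kibana mapping and avoid implicit YAML typing.
      # NOTE(review): with no host IP given, Compose publishes the port on all
      # host interfaces; use "127.0.0.1:9200:9200" if only local access is
      # wanted, given the well-known password set below.
      - "9200:9200"
    environment:
      - node.name=search
      - cluster.name=search-cluster
      - discovery.type=single-node
      # NOTE(review): hard-coded superuser password; lab use only.
      - ELASTIC_PASSWORD=elastic
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/search/search.key
      - xpack.security.http.ssl.certificate=certs/search/search.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      # verification_mode=certificate checks the certificate chain but not
      # that the hostname matches the certificate.
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/search/search.key
      - xpack.security.transport.ssl.certificate=certs/search/search.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=basic
    mem_limit: 1GB
    ulimits:
      memlock:
        soft: -1
        hard: -1
    networks:
      - elasticnet
    # An unauthenticated request over TLS that is rejected with
    # "missing authentication credentials" is treated as "node is up".
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
        ]
      interval: 10s
      timeout: 10s
      retries: 120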

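  # Kibana, connecting to Elasticsearch over HTTPS as kibana_system.
  kibana:
    image: docker.elastic.co/kibana/kibana:8.12.1
    volumes:
      # Mounted read-only: Kibana only reads the CA certificate from here.
      # NOTE(review): the directory still contains the CA private key; mount
      # only ca/ca.crt if this setup outlives the experiment.
      - ./elasticsearch/certs:/usr/share/kibana/config/certs:ro
    ports:
      - "5601:5601"
    environment:
      - SERVERNAME=kibana
      - ELASTICSEARCH_HOSTS=https://search:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      # NOTE(review): hard-coded password, set by the elastic-setup script.
      - ELASTICSEARCH_PASSWORD=kibana
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
    networks:
      - elasticnet
    mem_limit: 1GB
    # The probe uses plain http://, and no Kibana server TLS setting appears
    # in this service, so clients (browser, filebeat setup) send their
    # credentials to Kibana unencrypted.
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
        ]
      interval: 10s
      timeout: 5s
      retries: 30
    depends_on:
      search:
        condition: service_healthy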

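  # One-shot `filebeat setup` run (index template, dashboards) before the
  # long-running filebeat service starts.
  filebeat-setup:
    image: docker.elastic.co/beats/filebeat:8.12.1
    # --strict.perms=false turns off Filebeat's ownership/permission check on
    # the config file, which a bind-mounted host file would otherwise fail.
    command: "--strict.perms=false setup"
    user: root
    networks:
      - elasticnet
    volumes:
      # Both mounts are read-only, matching the filebeat service's config
      # mount; setup only reads the config and the CA certificate.
      - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - ./elasticsearch/certs:/usr/share/filebeat/config/certs:ro
    environment:
      # NOTE(review): the filebeat.yml shown on this page hard-codes hosts and
      # credentials and references none of these variables, so they appear to
      # be unused. KIBANA_HOST also says https:// while the kibana healthcheck
      # probes http://.
      - ELASTICSEARCH_HOST=https://search:9200
      - KIBANA_HOST=https://kibana:5601
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=elastic
    depends_on:
      search:
        condition: service_healthy
      kibana:
        condition: service_healthy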

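  # Long-running Filebeat: discovers containers through the Docker socket and
  # reads their JSON log files from the host.
  filebeat:
    image: docker.elastic.co/beats/filebeat:8.12.1
    command: "--strict.perms=false -e"
    user: root
    volumes:
      - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      # Read-only: Filebeat only reads certificates from this directory.
      - ./elasticsearch/certs:/usr/share/filebeat/config/certs:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      # NOTE(review): ":ro" makes the socket file's mount read-only but does
      # not limit which Docker API calls can be sent through it. A root
      # container holding this socket effectively has control of the host's
      # Docker daemon, so treat this service as highly privileged.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # NOTE(review): not referenced by the filebeat.yml shown on this page,
      # which hard-codes the same hosts and credentials.
      - ELASTICSEARCH_HOST=https://search:9200
      - KIBANA_HOST=https://kibana:5601
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=elastic
    networks:
      - elasticnet
    depends_on:
      filebeat-setup:
        condition: service_completed_successfully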

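  # Test container that prints one timestamped line per second to stdout.
  logger:
    # NOTE(review): ":latest" is a moving tag; pin a specific version (or a
    # digest) so the image cannot change between runs.
    image: alpine:latest
    command: >
      sh -c '
        while true
        do
          echo "Log $(date)"
          sleep 1
        done
      '
    labels:
      # Label values are strings; quoting keeps YAML from typing this as a
      # boolean. With hints.default_config.enabled: false in filebeat.yml,
      # this hint is what opts the container in to log collection.
      co.elastic.logs/enabled: "true"
    networks:
      - elasticnet
    depends_on:
      filebeat-setup:
        condition: service_completed_successfully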

# Network shared by every service above; the explicit `name` stops Compose
# from prefixing it with the project name.
networks:
  elasticnet:
    name: elasticnet

The Filebeat Setup (I save in a filebeat subfolder, see volumes) is pretty simple:

# Static input left over from the reference config. With `enabled: false` it
# collects nothing, so all collection here comes from autodiscover.
filebeat.inputs:
  - type: filestream
    id: my-filestream-id
    enabled: false
# ============================== Filebeat modules ==============================

# Loads module definitions from modules.d; live reloading is switched off.
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
  #reload.period: 10s

# Docker autodiscover with hints. Because the default config is disabled,
# only containers carrying the label co.elastic.logs/enabled=true get an
# input; unlabelled containers are ignored.
# The docker provider talks to the Docker daemon, which is why the compose
# file mounts /var/run/docker.sock into the filebeat container.
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      hints.default_config.enabled: false

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
# Kibana endpoint used by `filebeat setup` to load dashboards.
# NOTE(review): no scheme is given for the host, so this presumably goes over
# plain HTTP - confirm - which would send the superuser credentials below
# unencrypted. Prefer a dedicated, limited account over `elastic`.
setup.kibana:
  host: "kibana:5601"
  username: elastic
  password: elastic
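# Ships events to Elasticsearch over HTTPS, verifying the server against the
# lab CA.
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["search:9200"]

  # Performance preset - one of "balanced", "throughput", "scale",
  # "latency", or "custom".
  preset: balanced

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  # NOTE(review): `elastic` is the built-in superuser and the password is in
  # plain text here. For anything beyond a lab, use an API key or a user
  # limited to the privileges Filebeat needs, and keep the secret out of the
  # file (for example in the Filebeat keystore).
  #api_key: "id:api_key"
  username: "elastic"
  password: "elastic"

  # Only the CA certificate is needed to verify the server. The original
  # config also passed the search node's own certificate and private key as a
  # client certificate; the compose file does not enable client-certificate
  # authentication on the HTTP layer, so those two settings were dropped to
  # avoid handing the server's private key to the log shipper.
  ssl.certificate_authorities: ["/usr/share/filebeat/config/certs/ca/ca.crt"]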

# ================================= Processors =================================
# Enrichment applied to every event before it is sent.
processors:
  # Adds host metadata unless the event's tags contain "forwarded".
  - add_host_metadata:
      when.not.contains.tags: forwarded
  # `~` is YAML null: the processor runs with its default settings.
  - add_docker_metadata: ~

Everything is more or less copied from the Elastic Documentation but:

  1. Although I get some installed Dashboards in Kibana, during Filebeat initialization I get a lot of "kibana-1 | [2024-02-19T01:10:10.966+00:00][ERROR][http] 400 Bad Request" logs, and
  2. As mentioned, no Logs from my Test "Logger" Container visible in the Kibana Discover Tab
Murat K. On

I think you should use "container" filebeat input type instead of filestream.

Filebeat Input Container