Skip to content

Filebeat Basic

Config for docker containers

`docker-compose.yml' 

services:
  filebeat:
    image: elastic/filebeat:${FILEBEAT_VERSION}
    container_name: filebeat
    restart: unless-stopped
    user: root
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/var/lib/docker/containers:/var/lib/docker/containers:ro"
      - "./etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro"

filebeat.yml 

setup.ilm.enabled: false
logging.level: info
setup.template.enabled: false
logging.metrics.enabled: false

filebeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            equals:
              docker.container.labels.filebeat_collect: "true"
          config:
            - type: container
              containers.ids:
                - "${data.docker.container.id}"
              paths:
                - "/var/lib/docker/containers/${data.docker.container.id}/*.log"
              fields:
                event.dataset: "${data.docker.container.image}"
              fields_under_root: true

processors:
- drop_fields:
    fields:
      - "/log.*/"
      - "/agent.*/"
      - "stream"

- decode_json_fields:
    fields: ["message"]
    target: ""
    overwrite_keys: true
    add_error_key: false

output.logstash:
  hosts: [ ${LOGSTASH_ADDRESS} ]