Beats: Filebeat: collect log file that inside containers

Created on 23 Dec 2018  路  5Comments  路  Source: elastic/beats

Describe the enhancement:

Filebeat can collect container stdout logs now, but many application not only ouput logs to stdout, it also write logs to file inside this container. Filebeat could not collect this section logs.

Describe a specific use case for the enhancement or feature:

In my case, many C++ or Java applications deploy on the Kubernetes, and these applications write logs to files, a few logs output stdout, so i hope Filebeat can collect this section logs, not only stdout logs.

Filebeat Integrations containers
Source
picture pytimer

Most helpful comment

Some C++ applications write log to multiple files, and some log files created in runtime. In this case, filebeat can setting watch log paths when application running without container. If application running in container, how should i configure?

picture pytimer on 14 Jan 2019
👍8

All 5 comments

My question is similar to this issue, https://github.com/elastic/beats/issues/4766.

pytimer picture pytimer on 23 Dec 2018

Hi @pytimer, as per Kubernetes docs, we recommend using a streaming sidecar container. See https://kubernetes.io/docs/concepts/cluster-administration/logging/#streaming-sidecar-container for more details.

In a nutshell, you create a shared volume for your application logs, then run tail -F in a sidecar container, which will stream these logs to its stdout, allowing Filebeat to retrieve them.

Closing this issue as the proposed solution should be enough, please let me know if that's not the case.

Best regards

exekias picture exekias on 14 Jan 2019

@exekias Thanks for you reply.

In my Kubernetes cluster, some applications hope use many host resource, such as cpu, memory. If use sidecar container, many pod should add filebeat container, it will take up more resources. If filebeat can collect log file that inside container, every node only need one filebeat pod.

pytimer picture pytimer on 14 Jan 2019

You don't need to add a filebeat agent as a sidecar. You can just a lightweight tail process to stream the logs to the sidecar stdout. See the example:

apiVersion: v1
kind: Pod
metadata:
  name: counter
spec:
  containers:
  - name: count
    image: busybox
    args:
    - /bin/sh
    - -c
    - >
      i=0;
      while true;
      do
        echo "$i: $(date)" >> /var/log/1.log;
        echo "$(date) INFO $i" >> /var/log/2.log;
        i=$((i+1));
        sleep 1;
      done
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  - name: count-log-1
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -F /var/log/1.log']
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  - name: count-log-2
    image: busybox
    args: [/bin/sh, -c, 'tail -n+1 -F /var/log/2.log']
    volumeMounts:
    - name: varlog
      mountPath: /var/log
  volumes:
  - name: varlog
    emptyDir: {}
exekias picture exekias on 14 Jan 2019
👍2

Some C++ applications write log to multiple files, and some log files created in runtime. In this case, filebeat can setting watch log paths when application running without container. If application running in container, how should i configure?

pytimer picture pytimer on 14 Jan 2019
👍8
Was this page helpful?
0 / 5 - 0 ratings

Related issues

musayev-io picture musayev-io  路  3Comments
ptrlv picture ptrlv  路  3Comments
andrewkroh picture andrewkroh  路  3Comments
EndlessTundra picture EndlessTundra  路  3Comments
TomaszKlosinski picture TomaszKlosinski  路  3Comments