Unable to read input logs filebeat

Time:09-17

I am fairly new to docker and I am trying out the ELK Setup with Filebeat. I have a container for filebeat setup in machine 1 and I am trying to collect the logs from /mnt/logs/temp.log (which are non-container logs) to the ELK containers in machine 2. Here's my filebeat configuration:-

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          - /mnt/logs/temp.log

processors:
- add_cloud_metadata: ~

output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:42.23.12.131:9042}'

Even if I change the filebeat.yml config to the below, it doesn't seem to send any logs to ES:-

filebeat.inputs:
- type: log
  paths:
    - /mnt/logs/temp.log

output.elasticsearch:
  hosts: ["42.23.12.131:9042"]

Can someone please help me out or point me to any site articles or documentation regarding this? Version of filebeat and ELK container is 7.14.0.

Edit: The docker-compose file for ELK is:-

version: '2.2'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
    volumes:
      - type: bind
        source: ./elasticsearch/elasticsearch.yml
        target: /usr/share/elasticsearch/config/elasticsearch.yml
        read_only: true
      - type: volume
        source: elasticsearch
        target: /usr/share/elasticsearch/data
    environment:
      ES_JAVA_OPTS: "-Xmx512m -Xms512m"
      discovery.type: single-node
    ports:
      - "9200:9200"
      - "9300:9300"
    networks:
      - elk

  logstash:
    image: docker.elastic.co/logstash/logstash:7.14.0
    volumes:
      - type: bind
        source: ./logstash/config/logstash.yml
        target: /usr/share/logstash/config/logstash.yml
        read_only: true
      - type: bind
        source: ./logstash/pipeline.conf
        target: /usr/share/logstash/pipeline.conf
        read_only: true
    ports:
      - "5044:5044/udp"
      - "9600:9600"
    environment:
      LS_JAVA_OPTS: "-Xmx512m -Xms512m"
    networks:
      - elk
    depends_on:
      - elasticsearch

  kibana:
    image: docker.elastic.co/kibana/kibana:7.14.0
    volumes:
      - type: bind
        source: ./kibana/kibana.yml
        target: /usr/share/kibana/config/kibana.yml
        read_only: true
    ports:
      - "5601:5601"
    networks:
      - elk
    depends_on:
      - elasticsearch

networks:
  elk:
    driver: bridge

volumes:
  elasticsearch:

CodePudding user response:

In your docker-compose file, just these ports are exposed outside the container (considering that port 9042 is the one you have configured on the elasticsearch side):

ports:
  - "9200:9200"
  - "9300:9300"

So, if you add the targeted port 9042, it must work. So this must look like this:

ports:
  - "9200:9200"
  - "9300:9300"
  - "9042:9042"

If it is not port 9042 that you have configured in your elasticsearch, that means you have to change the configuration of your filebeat agent to have the correct port (probably 9200).
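
The check the answer describes can be automated. This is an added example, not code from the original thread: a Python sketch that compares the port in Filebeat's output.elasticsearch hosts with the host ports the compose file publishes for the elasticsearch service. The function names and the inline file excerpts are constructed for illustration; only the short "HOST:CONTAINER" ports syntax and a literal hosts list are handled.

```python
import re

# Constructed excerpts of the question's two files (relevant keys only).
COMPOSE = """\
services:
  elasticsearch:
    ports:
      - "9200:9200"
      - "9300:9300"
networks:
  elk:
    driver: bridge
"""
FILEBEAT = 'output.elasticsearch:\n  hosts: ["42.23.12.131:9042"]\n'

# Short-syntax entry: optional bind IP, host port, container port, optional protocol.
PORT = re.compile(r'^\s+-\s*"?(?:[\d.]+:)?(\d+):(\d+)(?:/(\w+))?"?\s*$')

def published_ports(compose_text):
    """Map service -> {(host_port, proto)} from short-syntax `ports:` entries."""
    found, section, service, in_ports = {}, None, None, False
    for line in compose_text.splitlines():
        if re.match(r"^\w", line):                      # top-level key
            section, service, in_ports = line.split(":")[0], None, False
        elif section == "services" and re.match(r"^  [\w-]+:\s*$", line):
            service, in_ports = line.strip()[:-1], False
            found[service] = set()
        elif service and re.match(r"^    \w+:", line):  # key inside the service
            in_ports = line.strip() == "ports:"
        elif in_ports and (m := PORT.match(line)):
            found[service].add((int(m.group(1)), m.group(3) or "tcp"))
    return found

def output_ports(filebeat_text):
    """Ports named in host:port entries of a literal Filebeat hosts list."""
    return [int(p) for p in re.findall(r"[\w.-]+:(\d+)", filebeat_text)]

def check(compose_text, filebeat_text, service="elasticsearch"):
    """Return (port, ok) per Filebeat target; ok = published on the host as TCP."""
    pub = published_ports(compose_text).get(service, set())
    return [(p, (p, "tcp") in pub) for p in output_ports(filebeat_text)]

if __name__ == "__main__":
    for port, ok in check(COMPOSE, FILEBEAT):
        print(f"port {port}: {'published' if ok else 'NOT published by compose'}")
```

A port that passes this check is only published on the host; the service inside the container still has to listen on the container side of the mapping.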
