Replace container input with filestream input in hints' default config #34354
Comments
We will need testing with docker and kubernetes containers (just adding it as a note) cc @gsantoro
@gizas do you mean that we need to cover the beats/libbeat/autodiscover/providers/docker/docker.go Lines 343 to 346 in edcba33
Other than this, if the
Yes indeed. As long as this change affects both (docker and k8s autodiscovery) that is why I would like to see tests for both scenarios, to be on the safe side. And we should update our doc examples for that. It needs to be part of the goals of this story
Adding some context about the reason this was raised #13140 (comment)
I have already run some quick tests about using

```yaml
filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      hints.enabled: true
      hints.default_config:
        type: filestream
        paths:
          - /var/log/containers/*${data.kubernetes.container.id}.log
        parsers:
          - container:
              stream: all
              format: auto
```

and I got the following errors

```
{"log.level":"error","@timestamp":"2023-01-13T15:26:33.794Z","log.logger":"input","log.origin":{"file.name":"input-logfile/manager.go","file.line":182},"message":"filestream input with ID '' already exists, this will lead to data duplication, please use a different ID","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-01-13T15:26:37.520Z","log.logger":"input","log.origin":{"file.name":"input-logfile/manager.go","file.line":176},"message":"filestream input ID without ID might lead to data duplication, please add an ID and restart Filebeat","service.name":"filebeat","ecs.version":"1.6.0"}
```

If I understand correctly, @gizas was suggesting yesterday that similarly to how we have an id field at https:/elastic/integrations/blob/main/packages/kubernetes/data_stream/container_logs/agent/stream/stream.yml.hbs maybe we should have something similar in the default config. I haven't tested any of this but it is worth keeping track of this here.
Yes that's a known "issue"/"feature". We will need an
@gsantoro Yes, that is not a bug it is a misconfiguration. Every filestream input needs a unique ID field. From https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html:
Agent takes this even further and requires a unique ID for every input in the policy, not just filestream. If we fix this problem, does it work?
I have no idea. That's a good question for who is picking up this ticket.
Please don't forget to put See #34292
FYI, in case anyone else wants to transition to filestream for auto-discovery, here is a working config:

```yaml
filebeat.autodiscover:
  providers:
    - type: kubernetes
      node: ${NODE_NAME}
      hints:
        enabled: true
        default_config:
          type: filestream
          id: kubernetes-container-logs-${data.kubernetes.pod.name}-${data.kubernetes.container.id}
          paths:
            - /var/log/containers/*${data.kubernetes.container.id}.log
          prospector.scanner.symlinks: true # Optional, but most people probably use symlinks
          parsers:
            - container:
                stream: all
                format: auto
```

Doesn't include the
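The ID requirement discussed in this thread, as an added example that is not part of the original comments or of the Beats code base: a small Python check that expands the `${data...}` variables of a hints default config for each discovered container and reports filestream inputs whose ID would be missing or duplicated. The expansion is a simplified stand-in for autodiscover's templating, and the sample events and the names `render` and `check_filestream_ids` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events: two containers in one pod, one in another pod.
EVENTS = [
    {"kubernetes": {"pod": {"name": "web-0"}, "container": {"id": "aaa111"}}},
    {"kubernetes": {"pod": {"name": "web-0"}, "container": {"id": "bbb222"}}},
    {"kubernetes": {"pod": {"name": "db-0"}, "container": {"id": "ccc333"}}},
]

# The two default_config variants from the thread, written as plain dicts.
NO_ID = {"type": "filestream",
         "paths": ["/var/log/containers/*${data.kubernetes.container.id}.log"]}
WITH_ID = dict(NO_ID, id="kubernetes-container-logs-"
               "${data.kubernetes.pod.name}-${data.kubernetes.container.id}")

VAR = re.compile(r"\$\{data\.([A-Za-z0-9_.]+)\}")

def lookup(event, dotted):
    """Resolve a dotted key such as kubernetes.pod.name in one event."""
    node = event
    for key in dotted.split("."):
        node = node[key]
    return str(node)

def render(value, event):
    """Simplified stand-in (assumption) for autodiscover variable expansion."""
    if isinstance(value, str):
        return VAR.sub(lambda m: lookup(event, m.group(1)), value)
    if isinstance(value, list):
        return [render(v, event) for v in value]
    if isinstance(value, dict):
        return {k: render(v, event) for k, v in value.items()}
    return value

def check_filestream_ids(template, events):
    """List ID problems across the inputs rendered from one template."""
    inputs = [render(template, e) for e in events]
    ids = [i.get("id", "") for i in inputs if i.get("type") == "filestream"]
    problems = ["missing id"] if any(not i for i in ids) else []
    dupes = sorted(i for i, n in Counter(ids).items() if n > 1)
    return problems + [f"duplicate id {d!r}" for d in dupes]

if __name__ == "__main__":
    print("no id:  ", check_filestream_ids(NO_ID, EVENTS))
    print("with id:", check_filestream_ids(WITH_ID, EVENTS))
```

The template without `id` yields both conditions that the two logged errors describe (an empty ID, and that empty ID shared by every input), while the pod-name plus container-ID template yields one distinct ID per container.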
I'm closing this issue because it's going to be solved by the container input migration.
Does this make "Hints annotations based autodiscover" function?
Reopening for now based on #34393 (comment) and the open questions we have at #34393 (comment).
Closing in honor of #35984.
In filebeat's hints based autodiscovery the raw `container` input is the default configuration that will be used if there is no `module` specified in the hints. See beats/filebeat/autodiscover/builder/hints/config.go, Line 29 in 25786cd
I think we need to adjust it properly and adopt the usage of filestreams instead, which is now the recommended log input framework.