Replace container input with filestream input in hints' default config #34354
Comments
ChrsMark
added
the
Team:Cloudnative-Monitoring
ChrsMark
changed the title
|
We will need testing with docker and kubernetes containers (just adding it as a note) cc @gsantoro |
@gizas do you mean that we need to cover the beats/libbeat/autodiscover/providers/docker/docker.go Lines 343 to 346 in edcba33 Other than this, if the |
Yes indeed. As long as this change affects both (docker and k8s autodiscovery) that is why I would like to see tests for both scenarios, to be on safe side. And we should update our doc examples for that. It needs to be part of the goals of this story |
|
Adding some context about the reason this was raised #13140 (comment) |
|
I have already run some quick tests about using filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
hints.enabled: true
hints.default_config:
type: filestream
paths:
- /var/log/containers/*${data.kubernetes.container.id}.log
parsers:
- container:
stream: all
format: autoand I got the following errors {"log.level":"error","@timestamp":"2023-01-13T15:26:33.794Z","log.logger":"input","log.origin":{"file.name":"input-logfile/manager.go","file.line":182},"message":"filestream input with ID '' already exists, this will lead to data duplication, please use a different ID","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-01-13T15:26:37.520Z","log.logger":"input","log.origin":{"file.name":"input-logfile/manager.go","file.line":176},"message":"filestream input ID without ID might lead to data duplication, please add an ID and restart Filebeat","service.name":"filebeat","ecs.version":"1.6.0"}If I understand correctly, @gizas was suggesting yesterday that similarly to how we have an id field at https:/elastic/integrations/blob/main/packages/kubernetes/data_stream/container_logs/agent/stream/stream.yml.hbs maybe we should have something similar in the default config. I haven't tested any of this but it is worth keeping truck of this here. |
Yes that's a known "issue"/"feature". We will need an |
|
@gsantoro Yes, that is not a bug it is a misconfiguration. Every filestream input needs a unique ID field. From https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html:
Agent takes this even further and requires a unique ID for every input in the policy, not just filestream. If we fix this problem, does it work? |
I have no idea. That's a good question for who is picking up this ticket. |
|
Please don't forget to put See #34292 |
|
FYI, in case anyone else wants to transition to filestream for auto-discovery, here is a working config: filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
hints:
enabled: true
default_config:
type: filestream
id: kubernetes-container-logs-${data.kubernetes.pod.name}-${data.kubernetes.container.id}
paths:
- /var/log/containers/*${data.kubernetes.container.id}.log
prospector.scanner.symlinks: true: # Optional, but most people probably use symlinks
parsers:
- container:
stream: all
format: autoDoesn't include the |
|
I'm closing this issue because it's going to be solved by the container input migration. |
Does this make "Hints annotations based autodiscover" function? |
|
Reopening for now based on #34393 (comment) and the open questions we have at #34393 (comment). |
|
Closing in honor of #35984. |
In filebeat's hints based autodiscovery the raw
containerinput is the default configuration that will be used if there is nomodulespecified in the hints. Seebeats/filebeat/autodiscover/builder/hints/config.go
Line 29 in 25786cd
I think we need to adjust it properly and adopt the usage of filestreams instead, which is now the recommended log input framework.
The text was updated successfully, but these errors were encountered: