Filebeat is a lightweight, open source shipper for log file data. As the next-generation Logstash Forwarder, Filebeat tails logs and quickly sends this information to Logstash for further parsing and enrichment.
https://www.elastic.co/products/beats/filebeat
This image uses the Docker API to collect the logs of all the running containers on the same machine and ship them to a Logstash instance. No need to install Filebeat manually on your host or inside your images. Just use this image to create a container that's going to handle everything for you :-)
Start Filebeat as follows:
    $ docker run -d \
        -v /var/run/docker.sock:/tmp/docker.sock \
        -e LOGSTASH_HOST=monitoring.xyz -e LOGSTASH_PORT=5044 -e SHIPPER_NAME=$(hostname) \
        bargenson/filebeat
Three environment variables are needed:
LOGSTASH_HOST: the server your Logstash runs on
LOGSTASH_PORT: the port your Logstash listens on for Beats input
SHIPPER_NAME: the Filebeat shipper name (default: the container ID)
The docker-compose service definition should look as follows:
    filebeat:
      image: bargenson/filebeat
      restart: unless-stopped
      volumes:
        - /var/run/docker.sock:/tmp/docker.sock
      environment:
        - LOGSTASH_HOST=monitoring.xyz
        - LOGSTASH_PORT=5044
        - SHIPPER_NAME=aWonderfulName
Configure the Beats input plugin as follows:
    input {
      beats {
        port => 5044
      }
    }
In order to have a containerName field and a cleaned message field, you have to declare the following filter:
    filter {
      if [type] == "filebeat-docker-logs" {
        grok {
          match => {
            "message" => "\[%{WORD:containerName}\] %{GREEDYDATA:message_remainder}"
          }
        }
        mutate {
          replace => { "message" => "%{message_remainder}" }
        }
        mutate {
          remove_field => [ "message_remainder" ]
        }
      }
    }
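The filter above can be checked against sample lines before it is deployed. The following Python sketch is an added example, not part of the image or its repository: it mimics the grok and mutate steps to show how container names containing hyphens are handled. The `[name] text` line shape is inferred from the grok pattern, and `STRICT_FILTER`, `apply_filter` and the sample lines are assumptions made for illustration.

```python
import re

# Python equivalents of the grok patterns used in the filter above:
# WORD is \b\w+\b and GREEDYDATA is .*; grok searches unanchored.
PAGE_FILTER = re.compile(r"\[(?P<containerName>\b\w+\b)\] (?P<message_remainder>.*)")

# Assumed stricter variant (not from the page): anchored at the start of the
# line and accepting the characters Docker allows in container names.
STRICT_FILTER = re.compile(
    r"^\[(?P<containerName>[a-zA-Z0-9][a-zA-Z0-9_.-]*)\] (?P<message_remainder>.*)"
)


def apply_filter(pattern, message):
    """Mimic grok plus the two mutate steps for one event."""
    event = {"message": message, "tags": []}
    match = pattern.search(message)
    if match:
        event["containerName"] = match.group("containerName")
        event["message"] = match.group("message_remainder")
    else:
        event["tags"].append("_grokparsefailure")
        # mutate/replace still runs; an unresolved %{field} reference is
        # left as literal text, so the original line is overwritten.
        event["message"] = "%{message_remainder}"
    return event


# Constructed sample lines in the "[name] text" shape the filter expects.
SAMPLES = [
    "[web_1] GET /login 200",
    "[shop-api-1] auth failed for [admin] from 10.0.0.5",
    "[shop-api-1] started",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("page  :", apply_filter(PAGE_FILTER, line))
        print("strict:", apply_filter(STRICT_FILTER, line))
```

With the page's pattern, the second sample is attributed to `admin` and the third loses its text, so an anchored pattern or a guard on `_grokparsefailure` before the `mutate` keeps the container attribution and the original line intact.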
If you have any problems with or questions about this image, please contact me through a GitHub issue.
You are invited to the GitHub repo to contribute new features, fixes, or updates, large or small.