Hints based autodiscoveredit

Filebeat supports autodiscover based on hints from the provider. The hints system looks for hints in Kubernetes Pod annotations or Docker labels that have the prefix co.elastic.logs. As soon as the container starts, Filebeat will check if it contains any hints and launch the proper config for it. Hints tell Filebeat how to get logs for the given container. By default logs will be retrieved from the container using the container input. You can use hints to modify this behavior. This is the full list of supported hints:

co.elastic.logs/enablededit

Filebeat gets logs from all containers by default, you can set this hint to false to ignore the output of the container. Filebeat won’t read or send logs from it. If default config is disabled, you can use this annotation to enable log retrieval only for containers with this set to true.

co.elastic.logs/multiline.*edit

Multiline settings. See Multiline messages for a full list of all supported options.

co.elastic.logs/json.*edit

JSON settings. See json for a full list of all supported options.

co.elastic.logs/include_linesedit

A list of regular expressions to match the lines that you want Filebeat to include. See Inputs for more info.

co.elastic.logs/exclude_linesedit

A list of regular expressions to match the lines that you want Filebeat to exclude. See Inputs for more info.

co.elastic.logs/moduleedit

Instead of using raw docker input, specifies the module to use to parse logs from the container. See Modules for the list of supported modules.

co.elastic.logs/filesetedit

When module is configured, map container logs to module filesets. You can either configure a single fileset like this:

co.elastic.logs/fileset: access

Or configure a fileset per stream in the container (stdout and stderr):

co.elastic.logs/fileset.stdout: access
co.elastic.logs/fileset.stderr: error
co.elastic.logs/rawedit

When an entire input/module configuration needs to be completely set the raw hint can be used. You can provide a stringified JSON of the input configuration. raw overrides every other hint and can be used to create both a single or a list of configurations.

co.elastic.logs/raw: "[{\"containers\":{\"ids\":[\"${data.container.id}\"]},\"multiline\":{\"negate\":\"true\",\"pattern\":\"^test\"},\"type\":\"docker\"}]"
co.elastic.logs/processorsedit

Define a processor to be added to the Filebeat input/module configuration. See Processors for the list of supported processors.

In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do arbitrary ordering:

co.elastic.logs/processors.1.dissect.tokenizer: "%{key1} %{key2}"
co.elastic.logs/processors.dissect.tokenizer: "%{key2} %{key1}"

In the above sample the processor definition tagged with 1 would be executed first.

Kubernetesedit

Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set hints.enabled:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true

You can configure the default config that will be launched when a new container is seen, like this:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          - /var/log/containers/*-${data.container.id}.log  # CRI path

You can also disable default settings entirely, so only Pods annotated like co.elastic.logs/enabled: true will be retrieved:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true
      hints.default_config.enabled: false

You can annotate Kubernetes Pods with useful info to spin up Filebeat inputs or modules:

annotations:
  co.elastic.logs/multiline.pattern: '^\['
  co.elastic.logs/multiline.negate: true
  co.elastic.logs/multiline.match: after
Multiple containersedit

When a pod has multiple containers, the settings are shared unless you put the container name in the hint. For example, these hints configure multiline settings for all containers in the pod, but set a specific exclude_lines hint for the container called sidecar.

annotations:
  co.elastic.logs/multiline.pattern: '^\['
  co.elastic.logs/multiline.negate: true
  co.elastic.logs/multiline.match: after
  co.elastic.logs.sidecar/exclude_lines: '^DBG'
Multiple sets of hintsedit

When a container needs multiple inputs to be defined on it, sets of annotations can be provided with numeric prefixes. If there are hints that don’t have a numeric prefix then they get grouped together into a single configuration.

annotations:
  co.elastic.logs/exclude_lines: '^DBG'
  co.elastic.logs/1.include_lines: '^DBG'
  co.elastic.logs/1.processors.dissect.tokenizer: "%{key2} %{key1}"

The above configuration would generate two input configurations. The first input handles only debug logs and passes it through a dissect tokenizer. The second input handles everything but debug logs.

Configuring Namespace Defaultsedit

Hints can be configured on the Namespace’s annotations as defaults to use when Pod level annotations are missing. The resultant hints are a combination of Pod annotations and Namespace annotations with the Pod’s taking precedence. To enable Namespace defaults configure the add_resource_metadata for Namespace objects as follows:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true
      add_resource_metadata:
        namespace:
          enabled: true

Dockeredit

Docker autodiscover provider supports hints in labels. To enable it just set hints.enabled:

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

You can configure the default config that will be launched when a new container is seen, like this:

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          - /var/log/containers/*-${data.container.id}.log  # CRI path

You can also disable default settings entirely, so only containers labeled with co.elastic.logs/enabled: true will be retrieved:

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      hints.default_config.enabled: false

You can label Docker containers with useful info to spin up Filebeat inputs, for example:

  co.elastic.logs/module: nginx
  co.elastic.logs/fileset.stdout: access
  co.elastic.logs/fileset.stderr: error

The above labels configure Filebeat to use the Nginx module to harvest logs for this container. Access logs will be retrieved from stdout stream, and error logs from stderr.

You can label Docker containers with useful info to decode logs structured as JSON messages, for example:

  co.elastic.logs/json.keys_under_root: true
  co.elastic.logs/json.add_error_key: true
  co.elastic.logs/json.message_key: log