- Filebeat Reference: other versions:
- Overview
- Getting Started With Filebeat
- Step 1: Install Filebeat
- Step 2: Configure Filebeat
- Step 3: Configure Filebeat to use Logstash
- Step 4: Load the index template in Elasticsearch
- Step 5: Set up the Kibana dashboards
- Step 6: Start Filebeat
- Step 7: View the sample Kibana dashboards
- Quick start: modules for common log formats
- Repositories for APT and YUM
- Setting up and running Filebeat
- Upgrading Filebeat
- How Filebeat works
- Configuring Filebeat
- Specify which modules to run
- Configure inputs
- Manage multiline messages
- Specify general settings
- Load external configuration files
- Configure the internal queue
- Configure the output
- Set up index lifecycle management
- Load balance the output hosts
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Enrich events with geoIP information
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- Autodiscover
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- filebeat.reference.yml
- Beats central management
- Modules
- Exported fields
- Alias fields
- Apache2 fields
- Auditd fields
- Beat fields
- Cloud provider metadata fields
- Docker fields
- elasticsearch fields
- haproxy fields
- Host fields
- Icinga fields
- IIS fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- mongodb fields
- MySQL fields
- Nginx fields
- Osquery fields
- PostgreSQL fields
- Redis fields
- System fields
- Traefik fields
- Monitoring Filebeat
- Securing Filebeat
- Troubleshooting
- Migrating from Logstash Forwarder to Filebeat
- Contributing to Beats
IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Add Docker metadata
editAdd Docker metadata
editThe add_docker_metadata processor annotates each event with relevant metadata
from Docker containers:
- Container ID
- Name
- Image
- Labels
When running Filebeat in a container, you need to provide access to
Docker’s unix socket in order for the add_docker_metadata processor to work.
You can do this by mounting the socket inside the container. For example:
docker run -v /var/run/docker.sock:/var/run/docker.sock ...
To avoid privilege issues, you may also need to add --user=root to the
docker run flags. Because the user must be part of the docker group in order
to access /var/run/docker.sock, root access is required if Filebeat is
running as non-root inside the container.
processors: - add_docker_metadata: host: "unix:///var/run/docker.sock" #match_fields: ["system.process.cgroup.id"] #match_pids: ["process.pid", "process.ppid"] #match_source: true #match_source_index: 4 #match_short_id: true #cleanup_timeout: 60 #labels.dedot: false # To connect to Docker over TLS you must specify a client and CA certificate. #ssl: # certificate_authority: "/etc/pki/root/ca.pem" # certificate: "/etc/pki/client/cert.pem" # key: "/etc/pki/client/cert.key"
It has the following settings:
-
host -
(Optional) Docker socket (UNIX or TCP socket). It uses
unix:///var/run/docker.sockby default. -
ssl - (Optional) SSL configuration to use when connecting to the Docker socket.
-
match_fields - (Optional) A list of fields to match a container ID, at least one of them should hold a container ID to get the event enriched.
-
match_pids -
(Optional) A list of fields that contain process IDs. If the
process is running in Docker then the event will be enriched. The default value
is
["process.pid", "process.ppid"]. -
match_source -
(Optional) Match container ID from a log path present in the
sourcefield. Enabled by default. -
match_short_id -
(Optional) Match container short ID from a log path present
in the
sourcefield. Disabled by default. This allows to match directories names that have the first 12 characters of the container ID. For example,/var/log/containers/b7e3460e2b21/*.log. -
match_source_index -
(Optional) Index in the source path split by
/to look for container ID. It defaults to 4 to match/var/lib/docker/containers/<container_id>/*.log -
cleanup_timeout - (Optional) Time of inactivity to consider we can clean and forget metadata for a container, 60s by default.
-
labels.dedot -
(Optional) Default to be false. If set to true, replace dots in
labels with
_.
Was this helpful?
Thank you for your feedback.