New

The executive guide to generative AI

Read more
About usPartnersSupport|Login
IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Autodiscover Advanced usage »
Elastic Docs Filebeat Reference [7.4] Configuring Filebeat Autodiscover

Hints based autodiscover

edit

Hints based autodiscover

edit

Filebeat supports autodiscover based on hints from the provider. The hints system looks for hints in Kubernetes Pod annotations or Docker labels that have the prefix co.elastic.logs. As soon as the container starts, Filebeat will check if it contains any hints and launch the proper config for it. Hints tell Filebeat how to get logs for the given container. By default logs will be retrieved from the container using the container input. You can use hints to modify this behavior. This is the full list of supported hints:

co.elastic.logs/enabled

edit

Filebeat gets logs from all containers by default, you can set this hint to false to ignore the output of the container. Filebeat won’t read or send logs from it. If default config is disabled, you can use this annotation to enable log retrieval only for containers with this set to true.

co.elastic.logs/multiline.*

edit

Multiline settings. See Manage multiline messages for a full list of all supported options.

co.elastic.logs/include_lines

edit

A list of regular expressions to match the lines that you want Filebeat to include. See Configure inputs for more info.

co.elastic.logs/exclude_lines

edit

A list of regular expressions to match the lines that you want Filebeat to exclude. See Configure inputs for more info.

co.elastic.logs/module

edit

Instead of using raw docker input, specifies the module to use to parse logs from the container. See Modules for the list of supported modules.

co.elastic.logs/fileset

edit

When module is configured, map container logs to module filesets. You can either configure a single fileset like this:

co.elastic.logs/fileset: access

Or configure a fileset per stream in the container (stdout and stderr):

co.elastic.logs/fileset.stdout: access
co.elastic.logs/fileset.stderr: error

co.elastic.logs/raw

edit

When an entire input/module configuration needs to be completely set the raw hint can be used. You can provide a stringified JSON of the input configuration. raw overrides every other hint and can be used to create both a single or a list of configurations.

co.elastic.logs/raw: "[{\"containers\":{\"ids\":[\"${data.container.id}\"]},\"multiline\":{\"negate\":\"true\",\"pattern\":\"^test\"},\"type\":\"docker\"}]"

co.elastic.logs/processors

edit

Define a processor to be added to the Filebeat input/module configuration. See Filter and enhance the exported data for the list of supported processors.

In order to provide ordering of the processor definition, numbers can be provided. If not, the hints builder will do arbitrary ordering:

co.elastic.logs/processors.1.dissect.tokenizer: "%{key1} %{key2}"
co.elastic.logs/processors.dissect.tokenizer: "%{key2} %{key1}"

In the above sample the processor definition tagged with 1 would be executed first.

Kubernetes

edit

Kubernetes autodiscover provider supports hints in Pod annotations. To enable it just set hints.enabled:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true

You can configure the default config that will be launched when a new container is seen, like this:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          - /var/log/container/*-${container.id}.log  # CRI path

You can also disable default settings entirely, so only Pods annotated like co.elastic.logs/enabled: true will be retrieved:

filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true
      hints.default_config.enabled: false

You can annotate Kubernetes Pods with useful info to spin up Filebeat inputs or modules:

annotations:
  co.elastic.logs/multiline.pattern: '^\['
  co.elastic.logs/multiline.negate: true
  co.elastic.logs/multiline.match: after

Multiple containers

edit

When a pod has multiple containers, the settings are shared unless you put the container name in the hint. For example, these hints configure multiline settings for all containers in the pod, but set a specific exclude_lines hint for the container called sidecar.

annotations:
  co.elastic.logs/multiline.pattern: '^\['
  co.elastic.logs/multiline.negate: true
  co.elastic.logs/multiline.match: after
  co.elastic.logs.sidecar/exclude_lines: '^DBG'

Docker

edit

Docker autodiscover provider supports hints in labels. To enable it just set hints.enabled:

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

You can configure the default config that will be launched when a new container is seen, like this:

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      hints.default_config:
        type: container
        paths:
          - /var/log/container/*-${container.id}.log  # CRI path

You can also disable default settings entirely, so only containers labeled with co.elastic.logs/enabled: true will be retrieved:

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      hints.default_config.enabled: false

You can label Docker containers with useful info to spin up Filebeat inputs, for example:

  co.elastic.logs/module: nginx
  co.elastic.logs/fileset.stdout: access
  co.elastic.logs/fileset.stderr: error

The above labels configure Filebeat to use the Nginx module to harvest logs for this container. Access logs will be retrieved from stdout stream, and error logs from stderr.

« Autodiscover Advanced usage »