A newer version is available. For the latest information, see the
current release documentation.
Quickstart
editQuickstart
edit-
Apply the following specification to deploy Filebeat and collect the logs of all containers running in the Kubernetes cluster. ECK automatically configures the secured connection to an Elasticsearch cluster named
quickstart, created in the Elasticsearch quickstart.cat <<EOF | kubectl apply -f - apiVersion: beat.k8s.elastic.co/v1beta1 kind: Beat metadata: name: quickstart spec: type: filebeat version: 8.16.1 elasticsearchRef: name: quickstart config: filebeat.inputs: - type: container paths: - /var/log/containers/*.log daemonSet: podTemplate: spec: dnsPolicy: ClusterFirstWithHostNet hostNetwork: true securityContext: runAsUser: 0 containers: - name: filebeat volumeMounts: - name: varlogcontainers mountPath: /var/log/containers - name: varlogpods mountPath: /var/log/pods - name: varlibdockercontainers mountPath: /var/lib/docker/containers volumes: - name: varlogcontainers hostPath: path: /var/log/containers - name: varlogpods hostPath: path: /var/log/pods - name: varlibdockercontainers hostPath: path: /var/lib/docker/containers EOF
See Configuration Examples for more ready-to-use manifests.
-
Monitor Beats
Retrieve details about the Filebeat:
kubectl get beat
NAME HEALTH AVAILABLE EXPECTED TYPE VERSION AGE quickstart green 3 3 filebeat 8.16.1 2m
List all the Pods belonging to a given Beat:
kubectl get pods --selector='beat.k8s.elastic.co/name=quickstart-beat-filebeat'
NAME READY STATUS RESTARTS AGE quickstart-beat-filebeat-tkz65 1/1 Running 0 3m45s quickstart-beat-filebeat-kx5jt 1/1 Running 0 3m45s quickstart-beat-filebeat-nb6qh 1/1 Running 0 3m45s
-
Access logs for one of the Pods
kubectl logs -f quickstart-beat-filebeat-tkz65
-
Access logs ingested by Filebeat