Filebeat multiline pattern
I would like to configure a multiline pattern for each docker container that is deployed. I know that I can configure different filebeat inputs, but the thing is that I don't know which container I am using, because the path of the container log is like /var/lib/docker/containers/{id}/{id}.log
Any ideas?
docker logstash filebeat
asked Nov 15 '18 at 14:35
Gorka
1 Answer
You can use glob-patterns in your filebeat configuration. A setting like this:

    /var/lib/docker/containers/*/*.log

should match any file you'd be looking for?

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html#input-paths

Please make sure that a file is not being matched by multiple path-settings.

Edit below as per added requirements.

So for example you would have these 2 containers running:

    CONTAINER ID   IMAGE       COMMAND     CREATED       STATUS          PORTS                    NAMES
    77e87b8e772e   yadayada    "/hihihi"   2 weeks ago   Up 19 seconds   0.0.0.0:9080->9080/tcp   container1
    99e87b8e772e   blablabla   "/hahaha"   2 weeks ago   Up 19 seconds   0.0.0.0:9080->9080/tcp   container2

Based on the provided information, the assumption is then that:

container1 logs in /var/lib/docker/containers/77e87b8e772e/77e87b8e772e.log
container2 logs in /var/lib/docker/containers/99e87b8e772e/99e87b8e772e.log

This might be the config:

    filebeat.inputs:
    # One input per container, each with its own multiline pattern.
    # The container IDs are taken from environment variables at startup.
    - type: log
      paths:
        - /var/lib/docker/containers/${CONTAINERID1}/${CONTAINERID1}.log
      multiline.pattern: '^=[A-Z]+|^$'
      multiline.negate: true
      multiline.match: after
    - type: log
      paths:
        - /var/lib/docker/containers/${CONTAINERID2}/${CONTAINERID2}.log
      multiline.pattern: '^=[1-9]+|^$'
      multiline.negate: true
      multiline.match: after

So when starting filebeat, you do some additional things before actually running filebeat:

    # Look up each container's ID by its name and export it for the config above
    export CONTAINERID1=$(docker ps | grep "container1$" | cut -d ' ' -f1)
    export CONTAINERID2=$(docker ps | grep "container2$" | cut -d ' ' -f1)
    ./filebeat

This way, as long as the container name remains the same, the ID can be different and it will still work. Please note though that when you spin up a new (version of a) container, you will have to restart Filebeat to pick up the new path.

Also please note that if you run Filebeat in a docker container itself, exporting the variable will most likely not be enough; you will have to edit the file using sed or something before you pass it into the filebeat-container.
edited Nov 21 '18 at 15:18
answered Nov 15 '18 at 14:46
Jimmy
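The procedure in the answer above (resolve each container's ID from its name, then give each container its own input and multiline pattern) can also be done by rendering the whole inputs section from a name/pattern list, which covers the case where Filebeat runs in a container and exported variables are not enough. This is an added example, not part of the answer; `resolve_id`, `render_input`, `render_config`, `LOG_SUFFIX` and the third sample container are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the answer). Function and variable names are hypothetical.
# Listing format: one "ID NAME" pair per line, e.g. produced by
#   docker ps --no-trunc --format '{{.ID}} {{.Names}}'

# File name suffix inside the container directory. ".log" follows the layout
# assumed on this page; Docker's default json-file driver uses "-json.log".
LOG_SUFFIX=${LOG_SUFFIX:-.log}

# resolve_id NAME: read the listing on stdin and print the ID of the container
# whose name equals NAME exactly. Fails unless exactly one line matches
# (grep "container1$" would also match a container named "mycontainer1").
resolve_id() {
    awk -v want="$1" '
        $2 == want { id = $1; n++ }
        END { if (n != 1) exit 1; print id }'
}

# render_input NAME PATTERN LISTING: print one Filebeat input block.
render_input() {
    name=$1
    # Double any single quote so the pattern stays a valid YAML single-quoted string.
    pattern=$(printf '%s' "$2" | sed "s/'/''/g")
    id=$(printf '%s\n' "$3" | resolve_id "$name") || {
        echo "no unique running container named '$name'" >&2
        return 1
    }
    # Only a hex ID may become part of a path.
    case $id in
        ''|*[!0-9a-f]*) echo "unexpected container ID '$id'" >&2; return 1 ;;
    esac
    cat <<EOF
- type: log
  paths:
    - /var/lib/docker/containers/$id/$id$LOG_SUFFIX
  multiline.pattern: '$pattern'
  multiline.negate: true
  multiline.match: after
EOF
}

# render_config LISTING NAME PATTERN [NAME PATTERN ...]
# Stops with a non-zero status as soon as one container cannot be resolved.
render_config() {
    listing=$1
    shift
    echo "filebeat.inputs:"
    while [ $# -ge 2 ]; do
        render_input "$1" "$2" "$listing" || return 1
        shift 2
    done
}

# Constructed sample listing; the first two IDs and names are the ones in the answer.
SAMPLE_PS='77e87b8e772e container1
99e87b8e772e container2
aa187b8e772e mycontainer1'

render_config "$SAMPLE_PS" \
    container1 '^=[A-Z]+|^$' \
    container2 '^=[1-9]+|^$'
```

Write the output to a temporary file and move it into place only when `render_config` succeeds, so a container that is not running never leaves Filebeat with an empty or half-written path.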
I want to analyze all the docker containers but each one could have a different multiline pattern. /var/lib/docker/containers/*/*.log is the one that I am using...
– Gorka
Nov 15 '18 at 15:00
Ah okay, that changes things. Perhaps you could update your initial post to "a different multiline pattern for each docker container"? That being said, you could utilize environment variables in the config at startup? elastic.co/guide/en/beats/filebeat/1.2/using-environ-vars.html Use docker ps | grep something to fill the variables before executing filebeat and use those variables in the config.
– Jimmy
Nov 16 '18 at 8:26
I am not really sure how an env var would help me to configure a different multiline pattern...the only way I see is to configure different inputs type for each id container...but I don't want to do it with ids because I do not know the connection between id and container name...
– Gorka
Nov 19 '18 at 10:23
Besides, the multiline option is configured for the filebeat input section, not for each type.
– Gorka
Nov 19 '18 at 13:35
As for the relation between id and name: that's what the grep is for. I'll update my initial answer.
– Jimmy
Nov 21 '18 at 15:11