In my last article I described how I used ElasticSearch, Fluentd and Kibana (EFK). Besides log aggregation (getting log information available at a centralized location), I also described how I created some visualizations within a dashboard.
_{[https://technology.amis.nl/2019/05/06/using-elasticsearch-fluentd-and-kibana-for-log-aggregation/]}

In a new series of articles, I will dive into using Filebeat and Logstash (from the Elastic Stack) to do the same.

In this article I will talk about the installation and use of Filebeat (without Logstash).

EFK

One popular centralized logging solution is the Elasticsearch, Fluentd, and Kibana (EFK) stack.

Fluentd
Fluentd is an open source data collector, which lets you unify the data collection and consumption for a better use and understanding of data.
_{[https://www.fluentd.org/]}

ELK Stack

“ELK” is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana.
_{[https://www.elastic.co/what-is/elk-stack]}

In my previous article I already spoke about Elasticsearch (a search and analytics engine) ^{<Store, Search, and Analyze>} and Kibana (which lets users visualize data with charts and graphs in Elasticsearch) ^{<Explore, Visualize, and Share>}.

Elastic Stack

The Elastic Stack is the next evolution of the ELK Stack.
_{[https://www.elastic.co/what-is/elk-stack]}

Logstash
Logstash ^{<Collect, Enrich, and Transport>} is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch.
_{[https://www.elastic.co/what-is/elk-stack]}

Beats
In 2015, a family of lightweight, single-purpose data shippers were introduced into the ELK Stack equation. They are called Beats ^{<Collect, Parse, and Ship>}.
_{[https://www.elastic.co/what-is/elk-stack]}

Filebeat
Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them to either to Elasticsearch or Logstash for indexing.
_{[https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html]}

This time I won’t be using Fluentd for log aggregation. I leave it up to you to decide which product is most suitable for (log) data collection in your situation.

In a previous series of articles, I talked about an environment, I prepared on my Windows laptop, with a guest Operating System, Docker and Minikube available within an Oracle VirtualBox appliance , with the help of Vagrant. And now also I will be using that environment.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 1

Log aggregation

In a containerized environment like Kubernetes, Pods and the containers within them, can be created and deleted automatically via ReplicaSet’s. So, it’s not always easy to now where in your environment, you can find the log file that you need, to analyze a problem that occurred in a particular application. Via log aggregation, the log information becomes available at a centralized location.

In the table below, you can see an overview of the booksservice Pods that are present in the demo environment, including the labels that are used:

Spring Boot application		Service endpoint	Pod	Namespace	Label key
Environment	Database				app	version	environment
DEV	H2 in memory	http://localhost:9010/books	booksservice-v1.0-*	nl-amis-development	booksservice	1.0	development
DEV	H2 in memory	http://localhost:9020/books	booksservice-v2.0-*	nl-amis-development	booksservice	2.0	development
TST	MySQL	http://localhost:9110/books	booksservice-v1.0-*	nl-amis-testing	booksservice	1.0	testing

Labels are key/value pairs that are attached to objects, such as pods. Labels are intended to be used to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system. Labels can be used to organize and to select subsets of objects. Labels can be attached to objects at creation time and subsequently added and modified at any time. Each object can have a set of key/value labels defined. Each Key must be unique for a given object.
_{[https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/]}

Elastic Stack installation order

Install the Elastic Stack products you want to use in the following order:

Elasticsearch (install instructions)
Kibana (install)
Logstash (install)
Beats (install instructions)

_{[https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html]}

When installing Filebeat, installing Logstash (for parsing and enhancing the data) is optional.

I wanted to start simple, so I started with the installation of Filebeat (without Logstash).

Installing Filebeat

You can use Filebeat Docker images on Kubernetes to retrieve and ship the container logs.

You deploy Filebeat as a DaemonSet to ensure there’s a running instance on each node of the cluster.

The Docker logs host folder (/var/lib/docker/containers) is mounted on the Filebeat container. Filebeat starts an input for the files and begins harvesting them as soon as they appear in the folder.

I found an example Kubernetes manifest file in order to setup Filebeat, in the Elastic Filebeat documentation:

curl -L -O https://raw.githubusercontent.com/elastic/beats/7.3/deploy/kubernetes/filebeat-kubernetes.yaml

_{[https://www.elastic.co/guide/en/beats/filebeat/7.3/running-on-kubernetes.html]}

In line with how a previously set up my environment , from this example manifest file, I created the following manifest files (with my own namespace and labels):

configmap-filebeat.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-configmap
  namespace: nl-amis-logging
  labels:
    app: filebeat
    version: "1.0"
    environment: logging
data:
  filebeat.yml: |-
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
            host: ${NODE_NAME}
            matchers:
            - logs_path:
                logs_path: "/var/log/containers/"

    # To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
    #filebeat.autodiscover:
    #  providers:
    #    - type: kubernetes
    #      host: ${NODE_NAME}
    #      hints.enabled: true
    #      hints.default_config:
    #        type: container
    #        paths:
    #          - /var/log/containers/*${data.kubernetes.container.id}.log

    processors:
      - add_cloud_metadata:
      - add_host_metadata:

    cloud.id: ${ELASTIC_CLOUD_ID}
    cloud.auth: ${ELASTIC_CLOUD_AUTH}

    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}

Remark about using a ConfigMap:
By using a ConfigMap, you can provide configuration data to an application without storing it in the container image or hardcoding it into the pod specification.
_{[https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/]}

The data field (with key-value pairs) contains the configuration data. In our case the ConfigMap holds information in the form of the content of a configuration file (filebeat.yml).

Later on, I will change this and create the ConfigMap from a file, as I also did when I used Fluentd (see previous article).
_{[https://technology.amis.nl/2019/04/23/using-vagrant-and-shell-scripts-to-further-automate-setting-up-my-demo-environment-from-scratch-including-elasticsearch-fluentd-and-kibana-efk-within-minikube/]}

daemonset-filebeat.yaml

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: filebeat-daemonset
  namespace: nl-amis-logging
  labels:
    app: filebeat
    version: "1.0"
    environment: logging
spec:
  template:
    metadata:
      labels:
        app: filebeat
        version: "1.0"
        environment: logging
    spec:
      serviceAccountName: filebeat-serviceaccount
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: filebeat
        image: docker.elastic.co/beats/filebeat:7.3.1
        args: [
          "-c", "/etc/filebeat.yml",
          "-e",
        ]
        env:
        - name: ELASTICSEARCH_HOST
          value: elasticsearch
        - name: ELASTICSEARCH_PORT
          value: "9200"
        - name: ELASTICSEARCH_USERNAME
          value: elastic
        - name: ELASTICSEARCH_PASSWORD
          value: changeme
        - name: ELASTIC_CLOUD_ID
          value:
        - name: ELASTIC_CLOUD_AUTH
          value:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          # If using Red Hat OpenShift uncomment this:
          #privileged: true
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
        - name: varlog
          mountPath: /var/log
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: filebeat-configmap
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: varlog
        hostPath:
          path: /var/log
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate

clusterrolebinding-filebeat.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: filebeat-clusterrolebinding
  namespace: nl-amis-logging
subjects:
- kind: ServiceAccount
  name: filebeat-serviceaccount
  namespace: nl-amis-logging
roleRef:
  kind: ClusterRole
  name: filebeat-clusterrole
  apiGroup: rbac.authorization.k8s.io

clusterrole-filebeat.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: filebeat-clusterrole
  namespace: nl-amis-logging
rules:
- apiGroups: [""] # "" indicates the core API group
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - watch
  - list

serviceaccount-filebeat.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat-serviceaccount
  namespace: nl-amis-logging

Vagrantfile

I changed the content of Vagrantfile to:
[in bold, I highlighted the changes]

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/xenial64"
  
  config.vm.define "ubuntu_minikube_helm_elastic" do |ubuntu_minikube_helm_elastic|
  
    config.vm.network "forwarded_port",
      guest: 8001,
      host:  8001,
      auto_correct: true
      
    config.vm.network "forwarded_port",
      guest: 5601,
      host:  5601,
      auto_correct: true
      
    config.vm.network "forwarded_port",
      guest: 9200,
      host:  9200,
      auto_correct: true  
      
    config.vm.network "forwarded_port",
      guest: 9010,
      host:  9010,
      auto_correct: true
      
    config.vm.network "forwarded_port",
      guest: 9020,
      host:  9020,
      auto_correct: true
      
    config.vm.network "forwarded_port",
      guest: 9110,
      host:  9110,
      auto_correct: true
      
    config.vm.provider "virtualbox" do |vb|
        vb.name = "Ubuntu Minikube Helm Elastic Stack"
        vb.memory = "8192"
        vb.cpus = "1"
        
    args = []
    config.vm.provision "shell",
        path: "scripts/docker.sh",
        args: args
        
    args = []
    config.vm.provision "shell",
        path: "scripts/minikube.sh",
        args: args
        
    args = []
    config.vm.provision "shell",
        path: "scripts/kubectl.sh",
        args: args
        
    args = []
    config.vm.provision "shell",
        path: "scripts/helm.sh",
        args: args
        
    args = []
    config.vm.provision "shell",
        path: "scripts/namespaces.sh",
        args: args
        
        args = []
    config.vm.provision "shell",
        path: "scripts/elasticsearch.sh",
        args: args
        
    args = []
    config.vm.provision "shell",
        path: "scripts/kibana.sh",
        args: args
        
    args = []
    config.vm.provision "shell",
        path: "scripts/filebeat.sh",
        args: args
        
    args = []
    config.vm.provision "shell",
        path: "scripts/mysql.sh",
        args: args
        
    args = []
    config.vm.provision "shell",
        path: "scripts/booksservices.sh",
        args: args
    end
    
  end

end

In the scripts directory I created a file filebeat.sh with the following content:

#!/bin/bash
echo "**** Begin installing Filebeat"

#Create Helm chart
echo "**** Create Helm chart"
cd /vagrant
cd helmcharts
rm -rf /vagrant/helmcharts/filebeat-chart/*
helm create filebeat-chart

rm -rf /vagrant/helmcharts/filebeat-chart/templates/*
cp /vagrant/yaml/*filebeat.yaml /vagrant/helmcharts/filebeat-chart/templates

#Exiting: error loading config file: config file ("/etc/filebeat.yaml") can only be writable by the owner but the permissions are "-rwxrwxrwx" (to fix the permissions use: 'chmod go-w /etc/filebeat.yaml')

# Install Helm chart
cd /vagrant
cd helmcharts
echo "**** Install Helm chart filebeat-chart"
helm install ./filebeat-chart --name filebeat-release

# Wait 1 minute
echo "**** Waiting 1 minute ..."
sleep 60

echo "**** Check if a certain action (list) on a resource (pods) is allowed for a specific user (system:serviceaccount:nl-amis-logging:filebeat-serviceaccount) ****"
kubectl auth can-i list pods --as="system:serviceaccount:nl-amis-logging:filebeat-serviceaccount" --namespace nl-amis-logging

#List helm releases
echo "**** List helm releases"
helm list -d

#List pods
echo "**** List pods with namespace nl-amis-logging"
kubectl get pods --namespace nl-amis-logging

#echo "**** Determine the pod name of the filebeat-* pod in namespace nl-amis-logging"
#podName=$(kubectl get pods --namespace nl-amis-logging | grep filebeat- | grep -E -o "^\S*")
#echo "---$podName---"
#echo "**** Check the log file of the $podName pod in namespace nl-amis-logging"
#log=$(kubectl logs $podName --namespace nl-amis-logging | grep "Connection opened to Elasticsearch cluster")
#echo "---$log---"

echo "**** End installing Filebeat"

From the subdirectory named env on my Windows laptop, I opened a Windows Command Prompt (cmd) and typed: vagrant up

This command creates and configures guest machines according to your Vagrantfile.
_{[https://www.vagrantup.com/docs/cli/up.html]}

My demo environment now looks like:

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 2

Via the Kubernetes Web UI (Dashboard) I checked that the Filebeat components were created (in the nl-amis-logging namespace):

http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/http:kubernetes-dashboard:/proxy/#!/pod?namespace=nl-amis-logging

configmap-filebeat.yaml

Navigate to Config and Storage | Config Maps:

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 3

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 4

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 5

As mentioned earlier, the data field (with key-value pairs) contains the configuration data. In our case the ConfigMap holds information in the form of the content of a configuration file (filebeat.yml).

I tried another way to check the content of the configuration file.

I started a shell to the running container:

kubectl exec -it filebeat-daemonset-q5pb2 --namespace nl-amis-logging -- cat /etc/filebeat.yml

With the following output:

filebeat.inputs:
– type: container
paths:
– /var/log/containers/*.log
processors:
– add_kubernetes_metadata:
in_cluster: true
host: ${NODE_NAME}
matchers:
– logs_path:
logs_path: “/var/log/containers/”

# To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
#filebeat.autodiscover:
#  providers:
#    – type: kubernetes
#      host: ${NODE_NAME}
#      hints.enabled: true
#      hints.default_config:
#        type: container
#        paths:
#          – /var/log/containers/*${data.kubernetes.container.id}.log

processors:
– add_cloud_metadata:
– add_host_metadata:

cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}

output.elasticsearch:
hosts: [‘${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}’]
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}

Remark:
The double dash symbol “–” is used to separate the arguments you want to pass to the command from the kubectl arguments.
_{[https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/]}

daemonset-filebeat.yaml

Navigate to Workloads | Daemons Sets:

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 6

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 7

clusterrolebinding-filebeat.yaml

Not applicable.

clusterrole-filebeat.yaml

Navigate to Cluster | Roles:

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 8

serviceaccount-filebeat.yaml

Navigate to Config and Storage | Secrets:

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 9

Docker container log files

Every Docker container has a folder “/var/lib/docker/containers/<containerID>” on the host machine, which contains the log file “<containerID>-json.log”.

So, I needed to know the containerID for the Pods, related to the booksservice, in my demo environment.

I got the information using several kubectl commands, leading to the following result:

Pod	Namespace	Label key			Container
		app	version	environment	containerID	name
booksservice-v1.0-68785bc6ff-cq769	nl-amis-development	booksservice	1.0	development	docker://b234de2b689187f94792d45ac59fda0f2f6f6969c679d6a6ca5d8323ab8fd1c9	booksservice-v1-0-container
booksservice-v1.0-68785bc6ff-x7mf8	nl-amis-development	booksservice	1.0	development	docker://bff91eb16a15d0a2058919d7ce7b5077ea9d3f0542c7930f48b29ca1099a54ae	booksservice-v1-0-container
booksservice-v2.0-869c5bb47d-bwdc5	nl-amis-development	booksservice	2.0	development	docker://4344b9a63ac54218dac88148203b2394ac973fe5d1f201a1a870f213e417122c	booksservice-v2-0-container
booksservice-v2.0-869c5bb47d-nwfgf	nl-amis-development	booksservice	2.0	development	docker://6b0e9a44932986cc6ae2353f28d4c9aff32e249abd0ac38ee22a27614aecb30f	booksservice-v2-0-container
booksservice-v1.0-5bcd5fddbd-cklsw	nl-amis-testing	booksservice	1.0	testing	docker://171b2526ae9d147dab7fb2180764d55c03c7ad706eca605ad5c849aafef5d38d	booksservice-v1-0-container
booksservice-v1.0-5bcd5fddbd-n9qkx	nl-amis-testing	booksservice	1.0	testing	docker://f7a9b8a4021073f8c7daba0000482f9f9356495beec7c8d49b9b45f0055f9c20	booksservice-v1-0-container

Command to list all Pods

kubectl get pods --all-namespaces

Command to get the YAML (with object information) for a particular Pod:

kubectl get pod -n nl-amis-development booksservice-v1.0-68785bc6ff-cq769 -o yaml

With the following output:

apiVersion: v1
kind: Pod
metadata:
creationTimestamp: “2019-09-04T19:49:37Z”
generateName: booksservice-v1.0-68785bc6ff-
labels:
app: booksservice
environment: development
pod-template-hash: 68785bc6ff
version: “1.0”
name: booksservice-v1.0-68785bc6ff-cq769
namespace: nl-amis-development
ownerReferences:
– apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: booksservice-v1.0-68785bc6ff
uid: 207a1cd7-cf4d-11e9-95ef-023e591c269a
resourceVersion: “1711”
selfLink: /api/v1/namespaces/nl-amis-development/pods/booksservice-v1.0-68785bc6ff-cq769
uid: 208017d3-cf4d-11e9-95ef-023e591c269a
spec:
containers:
– env:
– name: spring.profiles.active
value: development
image: booksservice:v1.0
imagePullPolicy: IfNotPresent
name: booksservice-v1-0-container
ports:
– containerPort: 9090
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
– mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-4kz7x
readOnly: true
dnsPolicy: ClusterFirst
nodeName: minikube
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
tolerations:
– effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
– effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
volumes:
– name: default-token-4kz7x
secret:
defaultMode: 420
secretName: default-token-4kz7x
status:
conditions:
– lastProbeTime: null
lastTransitionTime: “2019-09-04T19:49:37Z”
status: “True”
type: Initialized
– lastProbeTime: null
lastTransitionTime: “2019-09-04T19:49:42Z”
status: “True”
type: Ready
– lastProbeTime: null
lastTransitionTime: “2019-09-04T19:49:42Z”
status: “True”
type: ContainersReady
– lastProbeTime: null
lastTransitionTime: “2019-09-04T19:49:37Z”
status: “True”
type: PodScheduled
containerStatuses:
– containerID: docker://b234de2b689187f94792d45ac59fda0f2f6f6969c679d6a6ca5d8323ab8fd1c9
image: booksservice:v1.0
imageID: docker://sha256:296bfc231d3bbbe6954ad9a18c3fdfe2d6dcb81a84ee450d433449a63dda4928
lastState: {}
name: booksservice-v1-0-container
ready: true
restartCount: 0
state:
running:
startedAt: “2019-09-04T19:49:41Z”
hostIP: 10.0.2.15
phase: Running
podIP: 172.17.0.12
qosClass: BestEffort
startTime: “2019-09-04T19:49:37Z”

Command which uses JSONPath expressions to filter on specific fields in the JSON object and format the output:

_{[https://kubernetes.io/docs/tasks/access-application-cluster/list-all-running-container-images/#list-all-containers-in-all-namespaces]}

kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}[{.metadata.name}{"\t"},{.metadata.namespace}{"\t"},{.metadata.labels.app}{"\t"},{.metadata.labels.environment}{"\t"},{.metadata.labels.version}{"\t"},{range .status.containerStatuses[*]}{.containerID}{"\t"},{.name}]{"\n"}{end}{end}' |\sort

_{[https://kubernetes.io/docs/reference/kubectl/jsonpath/]}

Investigating the content of the log file for a particular Pod

There are several ways in which you can have a look at the content of the log file for a particular Pod (let’s say for the first Pod in the table shown earlier). For example:

Via kubectl

kubectl --namespace=nl-amis-development logs booksservice-v1.0-68785bc6ff-cq769 --tail=20

Via the Kubernetes Web UI (Dashboard)

Navigate to Workloads | Pods:

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 10

Select Pod booksservice-v1.0-68785bc6ff-cq769 and click on Logs (hamburger menu)

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 11

Via the directory /var/lib/docker/containers

Every Docker container has a folder “/var/lib/docker/containers/<containerID>” on the host machine, which contains the log file “<containerID>-json.log”.

So, in my case, the log file can be found in the directory:

/var/lib/docker/containers/b234de2b689187f94792d45ac59fda0f2f6f6969c679d6a6ca5d8323ab8fd1c9

I listed the files in the directory:

sudo ls -latr /var/lib/docker/containers/b234de2b689187f94792d45ac59fda0f2f6f6969c679d6a6ca5d8323ab8fd1c9

With the following output:

total 40
drwx——  2 root root  4096 Sep  4 19:49 checkpoints
drwx——  2 root root  4096 Sep  4 19:49 mounts
drwx—— 45 root root  4096 Sep  4 19:49 ..
-rw-r–r–  1 root root  2015 Sep  4 19:49 hostconfig.json
-rw——-  1 root root  6009 Sep  4 19:49 config.v2.json
drwx——  4 root root  4096 Sep  4 19:49 .
-rw-r—–  1 root root 10078 Sep  4 19:51 b234de2b689187f94792d45ac59fda0f2f6f6969c679d6a6ca5d8323ab8fd1c9-json.log
I showed the last 20 lines of the content of the log file:

sudo tail -n 20 /var/lib/docker/containers/b234de2b689187f94792d45ac59fda0f2f6f6969c679d6a6ca5d8323ab8fd1c9/b234de2b689187f94792d45ac59fda0f2f6f6969c679d6a6ca5d8323ab8fd1c9-json.log

Via the directory /var/log/containers

I listed the files in the directory:

sudo ls -latr /var/log/containers

I showed the last 20 lines of the content of the log file:

sudo tail -n 20 /var/log/containers/booksservice-v1.0-68785bc6ff-cq769_nl-amis-development_booksservice-v1-0-container-b234de2b689187f94792d45ac59fda0f2f6f6969c679d6a6ca5d8323ab8fd1c9.log

Via the directory /var/log/pods

I listed the files in the directory:

sudo ls -latr /var/log/pods

I showed the last 20 lines of the content of the log file:

sudo tail -n 20 /var/log/pods/208017d3-cf4d-11e9-95ef-023e591c269a/booksservice-v1-0-container/0.log

Creating the ConfigMap from a file

In line with what I did when I used Fluentd (see previous article), I wanted to create the ConfigMap from a file. So, I changed the default configuration file location ( /etc/filebeat.yml) to: /etc/custom-config/filebeat.yml.
_{[https://technology.amis.nl/2019/04/23/using-vagrant-and-shell-scripts-to-further-automate-setting-up-my-demo-environment-from-scratch-including-elasticsearch-fluentd-and-kibana-efk-within-minikube/]}

There for, in the vagrant directory I created a subdirectory structure configmaps/configmap-filebeat with a file filebeat.yml with the following content:

filebeat.inputs:
- type: container
  paths:
    - /var/log/containers/*.log
  processors:
    - add_kubernetes_metadata:
        in_cluster: true
        host: ${NODE_NAME}
        matchers:
        - logs_path:
            logs_path: "/var/log/containers/"

# To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
#filebeat.autodiscover:
#  providers:
#    - type: kubernetes
#      host: ${NODE_NAME}
#      hints.enabled: true
#      hints.default_config:
#        type: container
#        paths:
#          - /var/log/containers/*${data.kubernetes.container.id}.log

processors:
  - add_cloud_metadata:
  - add_host_metadata:

cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}

output.elasticsearch:
  hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

Remark:
For more information about the content of this config file, I kindly refer you to the FileBeat documentation, for example:

https://www.elastic.co/guide/en/beats/filebeat/master/add-kubernetes-metadata.html

I created a ConfigMap that holds the filebeat config file using:

kubectl create configmap filebeat-configmap --from-file=/vagrant/configmaps/configmap-filebeat --namespace nl-amis-logging

Next, I added labels to the ConfigMap using:

kubectl label configmap filebeat-configmap --namespace nl-amis-logging app=filebeat
kubectl label configmap filebeat-configmap --namespace nl-amis-logging version="1.0"
kubectl label configmap filebeat-configmap --namespace nl-amis-logging environment=logging

A ConfigMap can be created via a yaml file, but not if you want to use the from-file option, because kubernetes isn’t aware of the local file’s path.
_{[https://stackoverflow.com/questions/51268488/kubernetes-configmap-set-from-file-in-yaml-configuration]}

You must create a ConfigMap before referencing it in a Pod specification (unless you mark the ConfigMap as “optional”). If you reference a ConfigMap that doesn’t exist, the Pod won’t start.
ConfigMaps reside in a specific namespace. A ConfigMap can only be referenced by pods residing in the same namespace.
_{[https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/]}

When you create a ConfigMap using –from-file, the filename becomes a key stored in the data section of the ConfigMap. The file contents become the key’s value.
_{[https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#add-configmap-data-to-a-volume]}

On my Windows laptop, in the yaml directory, I deleted the file configmap-filebeat.yaml.

In the scripts directory I changed the file filebeat.sh to have the following content:

#!/bin/bash
echo "**** Begin installing Filebeat"

#Create ConfigMap before creating DaemonSet
kubectl create configmap filebeat-configmap --from-file=/vagrant/configmaps/configmap-filebeat --namespace nl-amis-logging

#Label ConfigMap
kubectl label configmap filebeat-configmap --namespace nl-amis-logging app=filebeat
kubectl label configmap filebeat-configmap --namespace nl-amis-logging version="1.0"
kubectl label configmap filebeat-configmap --namespace nl-amis-logging environment=logging

#List configmaps
echo "**** List configmap filebeat-configmap with namespace nl-amis-logging"
#kubectl describe configmaps filebeat-configmap --namespace nl-amis-logging
kubectl get configmaps filebeat-configmap --namespace nl-amis-logging -o yaml

#Create Helm chart
echo "**** Create Helm chart"
cd /vagrant
cd helmcharts
rm -rf /vagrant/helmcharts/filebeat-chart/*
helm create filebeat-chart

rm -rf /vagrant/helmcharts/filebeat-chart/templates/*
cp /vagrant/yaml/*filebeat.yaml /vagrant/helmcharts/filebeat-chart/templates
#Exiting: error loading config file: config file ("/etc/filebeat.yaml") can only be writable by the owner but the permissions are "-rwxrwxrwx" (to fix the permissions use: 'chmod go-w /etc/filebeat.yaml')

# Install Helm chart
cd /vagrant
cd helmcharts
echo "**** Install Helm chart filebeat-chart"
helm install ./filebeat-chart --name filebeat-release

# Wait 1 minute
echo "**** Waiting 1 minute ..."
sleep 60

echo "**** Check if a certain action (list) on a resource (pods) is allowed for a specific user (system:serviceaccount:nl-amis-logging:filebeat-serviceaccount) ****"
kubectl auth can-i list pods --as="system:serviceaccount:nl-amis-logging:filebeat-serviceaccount" --namespace nl-amis-logging

#List helm releases
echo "**** List helm releases"
helm list -d

#List pods
echo "**** List pods with namespace nl-amis-logging"
kubectl get pods --namespace nl-amis-logging

#echo "**** Determine the pod name of the filebeat-* pod in namespace nl-amis-logging"
#podName=$(kubectl get pods --namespace nl-amis-logging | grep filebeat- | grep -E -o "^\S*")
#echo "---$podName---"
#echo "**** Check the log file of the $podName pod in namespace nl-amis-logging"
#log=$(kubectl logs $podName --namespace nl-amis-logging | grep "Connection opened to Elasticsearch cluster")
#echo "---$log---"

echo "**** End installing Filebeat"

In the yaml directory I changed the file daemonset-filebeat.yaml to have the following content:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: filebeat-daemonset
  namespace: nl-amis-logging
  labels:
    app: filebeat
    version: "1.0"
    environment: logging
spec:
  template:
    metadata:
      labels:
        app: filebeat
        version: "1.0"
        environment: logging
    spec:
      serviceAccountName: filebeat-serviceaccount
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: filebeat
        image: docker.elastic.co/beats/filebeat:7.3.1
        args: [
          "-c", " /etc/custom-config/filebeat.yml",
          "-e",
        ]
        env:
        - name: ELASTICSEARCH_HOST
          value: "elasticsearch-service.nl-amis-logging"
        - name: ELASTICSEARCH_PORT
          value: "9200"
        - name: ELASTICSEARCH_USERNAME
          value: elastic
        - name: ELASTICSEARCH_PASSWORD
          value: changeme
        - name: ELASTIC_CLOUD_ID
          value:
        - name: ELASTIC_CLOUD_AUTH
          value:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          # If using Red Hat OpenShift uncomment this:
          #privileged: true
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: filebeat-config-volume
          mountPath: /etc/custom-config
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
        - name: varlog
          mountPath: /var/log
          readOnly: true
      volumes:
      - name: filebeat-config-volume
        configMap:
          name: filebeat-configmap
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: varlog
        hostPath:
          path: /var/log
      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 12

So, because I made some changes, I deleted and re-installed the release of Filebeat (via Helm, the package manager for Kubernetes).

helm del --purge filebeat-release

release "filebeat-release" deleted

Next, I started the shell script:

cd /vagrant/scripts
./filebeat.sh

With the following output:

**** Begin installing Filebeat
configmap/filebeat-configmap created
configmap/filebeat-configmap labeled
configmap/filebeat-configmap labeled
configmap/filebeat-configmap labeled
**** List configmap filebeat-configmap with namespace nl-amis-logging
apiVersion: v1
data:
filebeat.yml: “filebeat.inputs:\r\n- type: container\r\n  paths:\r\n    – /var/log/containers/*.log\r\n
\ processors:\r\n    – add_kubernetes_metadata:\r\n        in_cluster: true\r\n
\       host: ${NODE_NAME}\r\n        matchers:\r\n        – logs_path:\r\n            logs_path:
\”/var/log/containers/\”\r\n\r\n# To enable hints based autodiscover, remove `filebeat.inputs`
configuration and uncomment this:\r\n#filebeat.autodiscover:\r\n#  providers:\r\n#
\   – type: kubernetes\r\n#      host: ${NODE_NAME}\r\n#      hints.enabled: true\r\n#
\     hints.default_config:\r\n#        type: container\r\n#        paths:\r\n#
\         – /var/log/containers/*${data.kubernetes.container.id}.log\r\n\r\nprocessors:\r\n
\ – add_cloud_metadata:\r\n  – add_host_metadata:\r\n\r\ncloud.id: ${ELASTIC_CLOUD_ID}\r\ncloud.auth:
${ELASTIC_CLOUD_AUTH}\r\n\r\noutput.elasticsearch:\r\n  hosts: [‘${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}’]\r\n
\ username: ${ELASTICSEARCH_USERNAME}\r\n  password: ${ELASTICSEARCH_PASSWORD}”
kind: ConfigMap
metadata:
creationTimestamp: “2019-09-08T14:34:28Z”
labels:
app: filebeat
environment: logging
version: “1.0”
name: filebeat-configmap
namespace: nl-amis-logging
resourceVersion: “42432”
selfLink: /api/v1/namespaces/nl-amis-logging/configmaps/filebeat-configmap
uid: c381e4bd-d245-11e9-95ef-023e591c269a
**** Create Helm chart
Creating filebeat-chart
**** Install Helm chart filebeat-chart
NAME:   filebeat-release
LAST DEPLOYED: Sun Sep  8 14:34:31 2019
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
filebeat-daemonset-bzz86 0/1 ContainerCreating 0 0s

==> v1/ServiceAccount
NAME SECRETS AGE
filebeat-serviceaccount 1 0s

==> v1beta1/ClusterRole
NAME AGE
filebeat-clusterrole 0s

==> v1beta1/ClusterRoleBinding
NAME AGE
filebeat-clusterrolebinding 0s

==> v1beta1/DaemonSet
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
filebeat-daemonset 1 1 0 1 0 0s

**** Waiting 1 minute …
**** Check if a certain action (list) on a resource (pods) is allowed for a specific user (system:serviceaccount:nl-amis-logging:filebeat-serviceaccount) ****
yes
**** List helm releases
NAME                    REVISION        UPDATED                         STATUS          CHART                           APP VERSION     NAMESPACE
namespace-release       1               Wed Sep  4 19:38:32 2019        DEPLOYED        namespace-chart-0.1.0           1.0             default
elasticsearch-release   1               Wed Sep  4 19:39:03 2019        DEPLOYED        elasticsearch-chart-0.1.0       1.0             default
kibana-release          1               Wed Sep  4 19:41:35 2019        DEPLOYED        kibana-chart-0.1.0              1.0             default
mysql-release           1               Wed Sep  4 19:45:16 2019        DEPLOYED        mysql-chart-0.1.0               1.0             default
booksservice-release    1               Wed Sep  4 19:49:37 2019        DEPLOYED        booksservice-chart-0.1.0        1.0             default
filebeat-release        1               Sun Sep  8 14:34:31 2019        DEPLOYED        filebeat-chart-0.1.0            1.0             default
**** List pods with namespace nl-amis-logging
NAME                             READY   STATUS    RESTARTS   AGE
elasticsearch-6b46c44f7c-v569h   1/1     Running   0          3d18h
filebeat-daemonset-bzz86         1/1     Running   0          62s
kibana-6f96d679c4-kb5qw          1/1     Running   0          3d18h
**** End installing Filebeat

As can be seen in daemonset-filebeat.yaml, Filebeat uses the hostPath /var/lib/filebeat-data to persist internal data.

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: filebeat-daemonset
  namespace: nl-amis-logging
  labels:
    app: filebeat
    version: "1.0"
    environment: logging
spec:
…
# data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
      - name: data
        hostPath:
          path: /var/lib/filebeat-data
          type: DirectoryOrCreate

On the host (my virtual machine), I listed the files in the directory:

vagrant@ubuntu-xenial:/vagrant/scripts$ cd /var/lib/filebeat-data
vagrant@ubuntu-xenial:/var/lib/filebeat-data$ ls -latr

With the following output:

total 16
drwxr-xr-x 47 root root 4096 Sep  4 19:44 ..
-rw——-  1 root root   48 Sep  4 19:44 meta.json
drwxr-x—  3 root root 4096 Sep  4 19:44 registry
drwxr-xr-x  3 root root 4096 Sep  4 19:44 .

I started a shell to the running container:

kubectl exec -it filebeat-daemonset-bzz86 --namespace nl-amis-logging -- ls -latr

I changed the directory:

kubectl exec -it filebeat-daemonset-bzz86 --namespace nl-amis-logging -- cd data

I listed the files in the directory:

vagrant@ubuntu-xenial:/var/lib/filebeat-data$ ls -latr

Elasticsearch index

In the Kibana Dashboard via Management | Kibana | Index Patterns you can create an index pattern.
Kibana uses index patterns to retrieve data from Elasticsearch indices for things like visualizations.
_{[http://localhost:5601/app/kibana#/management/kibana/index_pattern?_g=()]}

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 13

In the field “Index pattern” I entered filebeat*. The index pattern matched 1 index. Next, I clicked on button “Next step”.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 14

In the field “Time Filter field name” I entered @timestamp.
The Time Filter will use this field to filter your data by time.
You can choose not to have a time field, but you will not be able to narrow down your data by a time range.
_{[http://localhost:5601/app/kibana#/management/kibana/index_pattern?_g=()]}

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 15

Next, I clicked on button “Create index pattern”.

The Kibana index pattern filebeat* was created, with 1019 fields.
This page lists every field in the filebeat* index and the field’s associated core type as recorded by Elasticsearch. To change a field type, use the Elasticsearch Mapping API.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 16

Kibana Dashboard, Discover

In the Kibana Dashboard via Discover you can see the log files.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 17

Let’s shortly focus on the first hit.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 18

Via a click on icon “>”, the document is expanded.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 19

Kibana Dashboard, Visualize, creating a visualization

In the Kibana Dashboard via Visualize you can create a visualization.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 20

I clicked on button “Create a visualization” and selected “Pie” as the type for the visualization.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 21

As a source I chose the Index pattern, I created earlier.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 22

After I selected filebeat* the following became visible.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 23

In tab “Data”, in the Split Slices part, in the field “Aggregation” I selected Terms and in “Field” I selected kubernetes.container.name and left the other default settings as they were.
Then I clicked on the icon “Apply changes”, with the following result:

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 24

In tab “Options”, I selected the checkbox “Show Labels” and left the other default settings as they were.
Then I clicked on the icon “Apply changes”, with the following result:

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 25

So, the container names from the log files from the last 15 minutes are shown.

Postman

Remember that on my Windows laptop, I also wanted to be able to use Postman (for sending requests), via port forwarding this was made possible.
So, I used Postman to add books to and retrieve books from the book catalog. I did this for version 1.0 and 2.0 of the BooksService application.

From Postman I invoked a request named “GetAllBooksRequest” (with method “POST” and URL “http://locahost:9010/books”).
This concerns version 1.0 in the DEV environment.
A response with “Status 200 OK” was shown (with 4 books being retrieved):

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 26

From Postman I invoked a request named “GetAllBooksRequest” (with method “POST” and URL http://locahost:9020/books).
This concerns version 2.0 in the DEV environment.
A response with “Status 200 OK” was shown (with 4 books being retrieved):

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 27

From Postman I invoked a request named “GetAllBooksRequest” (with method “POST” and URL “http://locahost:9110/books”).
This concerns version 1.0 in the TST environment.
A response with “Status 200 OK” was shown (with 4 books being retrieved):

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 28

Remember, each time the getAllBooks method is called, this becomes visible in the container log file.

Kibana Dashboard, Visualize, creating a visualization

In the previously created visualization, I clicked on button “Refresh”. Then the booksservice containers became visible also.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 29

Then I saved this Visualization, via a click on button “Save”.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 30

In the pop-up “Save visualization”, in the field “Title” I entered containers_visualization_1. Next, I clicked on button “Confirm Save”.
In the left top of the screen this title then becomes visible.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 31

Remark:
All the Saved Objects can be seen in the Kibana Dashboard via Management | Kibana | Saved Objects.

Filtering and enhancing the exported data

Filebeat provides a couple of options for filtering and enhancing exported data.
You can configure each input to include or exclude specific lines or files. This allows you to specify different filtering criteria for each input.
_{[https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html]}

Filtering the exported data

I wanted to focus on the log files from the mysql and booksservice containers, so I needed to change the filter.

Based on this output, in the subdirectory configmaps/configmap-filebeat, I changed the file filebeat.yml to the following content:

filebeat.inputs:
- type: container
  paths:
    - /var/log/containers/mysql*.log
    - /var/log/containers/booksservice*.log
  processors:
    - add_kubernetes_metadata:
        in_cluster: true
        host: ${NODE_NAME}
        matchers:
        - logs_path:
            logs_path: "/var/log/containers/"

# To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
#filebeat.autodiscover:
#  providers:
#    - type: kubernetes
#      host: ${NODE_NAME}
#      hints.enabled: true
#      hints.default_config:
#        type: container
#        paths:
#          - /var/log/containers/*${data.kubernetes.container.id}.log

processors:
  - add_cloud_metadata:
  - add_host_metadata:

cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}

output.elasticsearch:
  hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

So, because I made some changes, I deleted and re-installed the release of Filebeat (via Helm, the package manager for Kubernetes) and the ConfigMap.

helm del --purge filebeat-release

release "filebeat-release" deleted

kubectl --namespace=nl-amis-logging delete configmap filebeat-configmap

configmap "filebeat-configmap" deleted

Next, I started the shell script:

cd /vagrant/scripts
./filebeat.sh

With the following output:

**** Begin installing Filebeat
configmap/filebeat-configmap created
configmap/filebeat-configmap labeled
configmap/filebeat-configmap labeled
configmap/filebeat-configmap labeled
**** List configmap filebeat-configmap with namespace nl-amis-logging
apiVersion: v1
data:
filebeat.yml: “filebeat.inputs:\r\n- type: container\r\n  paths:\r\n    – /var/log/containers/mysql*.log \r\n
\   – /var/log/containers/booksservice*.log \r\n  processors:\r\n    – add_kubernetes_metadata:\r\n
\       in_cluster: true\r\n        host: ${NODE_NAME}\r\n        matchers:\r\n
\       – logs_path:\r\n            logs_path: \”/var/log/containers/\”\r\n\r\n#
To enable hints based autodiscover, remove `filebeat.inputs` configuration and
uncomment this:\r\n#filebeat.autodiscover:\r\n#  providers:\r\n#    – type: kubernetes\r\n#
\     host: ${NODE_NAME}\r\n#      hints.enabled: true\r\n#      hints.default_config:\r\n#
\       type: container\r\n#        paths:\r\n#          – /var/log/containers/*${data.kubernetes.container.id}.log\r\n\r\nprocessors:\r\n
\ – add_cloud_metadata:\r\n  – add_host_metadata:\r\n\r\ncloud.id: ${ELASTIC_CLOUD_ID}\r\ncloud.auth:
${ELASTIC_CLOUD_AUTH}\r\n\r\noutput.elasticsearch:\r\n  hosts: [‘${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}’]\r\n
\ username: ${ELASTICSEARCH_USERNAME}\r\n  password: ${ELASTICSEARCH_PASSWORD}”
kind: ConfigMap
metadata:
creationTimestamp: “2019-09-12T12:28:26Z”
labels:
app: filebeat
environment: logging
version: “1.0”
name: filebeat-configmap
namespace: nl-amis-logging
resourceVersion: “53891”
selfLink: /api/v1/namespaces/nl-amis-logging/configmaps/filebeat-configmap
uid: d1f26a17-d558-11e9-95ef-023e591c269a
**** Create Helm chart
Creating filebeat-chart
**** Install Helm chart filebeat-chart
NAME:   filebeat-release
LAST DEPLOYED: Thu Sep 12 12:28:27 2019
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
filebeat-daemonset-hpxtl 0/1 ContainerCreating 0 0s

==> v1/ServiceAccount
NAME SECRETS AGE
filebeat-serviceaccount 1 0s

==> v1beta1/ClusterRole
NAME AGE
filebeat-clusterrole 0s

==> v1beta1/ClusterRoleBinding
NAME AGE
filebeat-clusterrolebinding 0s

==> v1beta1/DaemonSet
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
filebeat-daemonset 1 1 0 1 0 0s

**** Waiting 1 minute …
**** Check if a certain action (list) on a resource (pods) is allowed for a specific user (system:serviceaccount:nl-amis-logging:filebeat-serviceaccount) ****
yes
**** List helm releases
NAME                    REVISION        UPDATED                         STATUS          CHART                           APP VERSION     NAMESPACE
namespace-release       1               Wed Sep  4 19:38:32 2019        DEPLOYED        namespace-chart-0.1.0           1.0             default
elasticsearch-release   1               Wed Sep  4 19:39:03 2019        DEPLOYED        elasticsearch-chart-0.1.0       1.0             default
kibana-release          1               Wed Sep  4 19:41:35 2019        DEPLOYED        kibana-chart-0.1.0              1.0             default
mysql-release           1               Wed Sep  4 19:45:16 2019        DEPLOYED        mysql-chart-0.1.0               1.0             default
booksservice-release    1               Wed Sep  4 19:49:37 2019        DEPLOYED        booksservice-chart-0.1.0        1.0             default
filebeat-release        1               Thu Sep 12 12:28:27 2019        DEPLOYED        filebeat-chart-0.1.0            1.0             default
**** List pods with namespace nl-amis-logging
NAME                             READY   STATUS    RESTARTS   AGE
elasticsearch-6b46c44f7c-v569h   1/1     Running   0          7d16h
filebeat-daemonset-hpxtl         1/1     Running   0          61s
kibana-6f96d679c4-kb5qw          1/1     Running   0          7d16h
**** End installing Filebeat

Kibana Dashboard, Discover

After a while (longer than 15 minutes), when I looked in the Kibana Dashboard via Discover there were no results found.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 32

So, the filter seemed to work. To check this out, I used Postman to add books and retrieve books from the book catalog. I did this for version 1.0 and 2.0 of the BooksService application.

Again, I looked in the Kibana Dashboard via Discover, clicked on button “Refresh” and then there were results found.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 33

In the previously created visualization, I clicked on button “Refresh”. Then the booksservice containers became visible.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 34

The log files from the other containers are filtered out by Filebeat as I expected. But what happened to the log file from the mysql container?

I checked the content of that log file.

sudo tail -n 20 /var/log/containers/mysql-64846c7974-w7mz9_nl-amis-testing_mysql-3d6ce5328e7ebcbdf012791fc87d45374afe137439ff13c28fa75ff5fc408f1d.log

So, the last time something was written to this log file, was a while ago. That’s why it didn’t turn up in the Kibana visualization for the last 15 minutes.

But, let’s check out if we can find the same information in Kibana.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 35

In the visualization, I clicked on button “Show dates” and change the period to Sep 4, 2019 21:30 – 22:00 (taking in account the time zone) and then I clicked on button “Refresh”.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 36

And then the mysql container became visible.

Next, I looked in the Kibana Dashboard via Discover, clicked on button “Refresh” and then there were lots of results found.

I clicked on button “Add filter” and in the field “Field” I entered kubernetes.container.name, as “Operator” I chose is and as “Value” I chose mysql. I then added another filter. In the field “Field” I entered message, as “Operator” I chose is and as “Value” I chose mysqld: ready for connections. .

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 37

I selected the first hit.

Remark:
The second hit is not visible in the listing of the content of the mysql log file, shown earlier, because there I only showed the last 20 lines!

Via a click on icon “>”, the document is expanded.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 38

In this expanded document you can see the following value for message:

2019-09-04 19:45:46 1 [Note] mysqld: ready for connections.

Enhancing the exported data

I wanted to try out some form of enhancing the exported log files. So, I decided to add some extra fields in order to add additional information to the output.

When using the log input to read lines from log files, you can, for example, use the following configuration options, which are supported by all inputs.

fields

Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a fields sub-dictionary in the output document. To store the custom fields as top-level fields, set the fields_under_root option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.
_{[https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html#filebeat-input-log-fields]}
_{[https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-container.html#filebeat-input-container-fields]}

fields_under_root

If this option is set to true, the custom fields are stored as top-level fields in the output document instead of being grouped under a fields sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.
_{[https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html#fields-under-root-log]}
_{[https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-container.html#fields-under-root-container]}

You can define processors in your configuration to process events before they are sent to the configured output.
_{[https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html#using-processors]}

The add_fields processor adds additional fields to the event. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify will be grouped under the fields sub-dictionary in the event. To group the fields under a different sub-dictionary, use the target setting. To store the fields as top-level fields, set target: ”.

target
(Optional) Sub-dictionary to put all fields into. Defaults to fields.
fields
Fields to be added.

_{[https://www.elastic.co/guide/en/beats/filebeat/current/add-fields.html]}

Based on the information above, in the subdirectory configmaps/configmap-filebeat, I changed the file filebeat.yml to the following content:

filebeat.inputs:
- type: container
  paths:
    - /var/log/containers/mysql*.log
    - /var/log/containers/booksservice*.log
  fields:
    my_custom_field1: 'value_of_my_custom_field1'
  fields_under_root: true
  processors:
    - add_kubernetes_metadata:
        in_cluster: true
        host: ${NODE_NAME}
        matchers:
        - logs_path:
            logs_path: "/var/log/containers/"
    - add_fields:
        target: my-custom-sub-dictionary1
        fields:
          my_custom_field2: 'value_of_my_custom_field2'
          my_custom_field3: 'value_of_my_custom_field3'
    - add_fields:
        target: my-custom-sub-dictionary2
        fields:
          my_custom_field4: 'value_of_my_custom_field4'
    - add_fields:
        fields:
          my_custom_field5: 'value_of_my_custom_field5'
        
# To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
#filebeat.autodiscover:
#  providers:
#    - type: kubernetes
#      host: ${NODE_NAME}
#      hints.enabled: true
#      hints.default_config:
#        type: container
#        paths:
#          - /var/log/containers/*${data.kubernetes.container.id}.log

processors:
  - add_cloud_metadata:
  - add_host_metadata:

cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}

output.elasticsearch:
  hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

So, because I made some changes, I deleted and re-installed the release of Filebeat (via Helm, the package manager for Kubernetes) and the ConfigMap.

I used Postman to retrieve books from the book catalog. I did this for version 1.0 in the TST enviroment of the BooksService application.

Again, I looked in the Kibana Dashboard via Discover, clicked on button “Refresh” and then there were results found.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 39

I selected the first hit. Via a click on icon “>”, the document is expanded.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 40

On the discover pane, fields with missing index-pattern-fields show hazard icons and display a warning.

To get rid of these, in the Kibana Dashboard via Management | Kibana | Index Patterns, I clicked on the icon “Refresh field list”.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 41

Again, I looked in the Kibana Dashboard via Discover, I selected the first hit and expanded the document.

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 42

Using Elastic Stack, Filebeat (for log aggregation) lameriks 201909 43

Then I chose to view the expanded document in JSON:

{
“_index”: “filebeat-7.3.1-2019.09.08-000001”,
“_type”: “_doc”,
“_id”: “eer6JW0B1Kd52CkbpGMs”,
“_version”: 1,
“_score”: null,
“_source”: {
“@timestamp”: “2019-09-12T14:57:18.195Z”,
“message”: “2019-09-12 14:57:18.188 INFO 1 — [nio-9091-exec-2] n.a.d.s.b.application.BookService : “,
“input”: {
“type”: “container”
},
“my-custom-sub-dictionary2”: {
“my_custom_field4”: “value_of_my_custom_field4”
},
“fields”: {
“my_custom_field5”: “value_of_my_custom_field5”
},
“agent”: {
“hostname”: “ubuntu-xenial”,
“id”: “6fc91322-3f72-494f-9b52-12df04833853”,
“version”: “7.3.1”,
“type”: “filebeat”,
“ephemeral_id”: “870554f1-30be-4e9f-9e1f-e288c37c6971”
},
“ecs”: {
“version”: “1.0.1”
},
“log”: {
“offset”: 13538,
“file”: {
“path”: “/var/log/containers/booksservice-v1.0-5bcd5fddbd-cklsw_nl-amis-testing_booksservice-v1-0-container-171b2526ae9d147dab7fb2180764d55c03c7ad706eca605ad5c849aafef5d38d.log”
}
},
“stream”: “stdout”,
“my_custom_field1”: “value_of_my_custom_field1”,
“kubernetes”: {
“container”: {
“name”: “booksservice-v1-0-container”
},
“namespace”: “nl-amis-testing”,
“replicaset”: {
“name”: “booksservice-v1.0-5bcd5fddbd”
},
“labels”: {
“version”: “1.0”,
“app”: “booksservice”,
“environment”: “testing”,
“pod-template-hash”: “5bcd5fddbd”
},
“pod”: {
“name”: “booksservice-v1.0-5bcd5fddbd-cklsw”,
“uid”: “20936e0c-cf4d-11e9-95ef-023e591c269a”
},
“node”: {
“name”: “minikube”
}
},
“my-custom-sub-dictionary1”: {
“my_custom_field3”: “value_of_my_custom_field3”,
“my_custom_field2”: “value_of_my_custom_field2”
},
“host”: {
“architecture”: “x86_64”,
“os”: {
“kernel”: “4.4.0-142-generic”,
“codename”: “Core”,
“platform”: “centos”,
“version”: “7 (Core)”,
“family”: “redhat”,
“name”: “CentOS Linux”
},
“name”: “ubuntu-xenial”,
“containerized”: false,
“hostname”: “ubuntu-xenial”
}
},
“fields”: {
“@timestamp”: [
“2019-09-12T14:57:18.195Z”
],
“suricata.eve.timestamp”: [
“2019-09-12T14:57:18.195Z”
]
},
“sort”: [
1568300238195
]
}

This meant that, enhancing the export data, by adding some extra fields worked.

So now it’s time to conclude this article. I tried out some of the functionality of Elastic Filebeat. Besides log aggregation (getting log information available at a centralized location), I also described how I used filtering and enhancing the exported log data with Filebeat.

In a next article I will also be using Logstash between Filebeat and ElasticSearch.

EFK

ELK Stack

Elastic Stack

Log aggregation

Spring Boot application

Service endpoint

Pod

Namespace

Label key

Environment

Database

app

version

environment

DEV

H2 in memory

http://localhost:9010/books

booksservice-v1.0-*

nl-amis-development

booksservice

1.0

development

http://localhost:9020/books

booksservice-v2.0-*

nl-amis-development

booksservice

2.0

development

TST

MySQL

http://localhost:9110/books

booksservice-v1.0-*

nl-amis-testing

booksservice

1.0

testing

Elastic Stack installation order

Installing Filebeat

Vagrantfile

Docker container log files

Investigating the content of the log file for a particular Pod

Creating the ConfigMap from a file

Elasticsearch index

Kibana Dashboard, Discover

Kibana Dashboard, Visualize, creating a visualization

Postman

Kibana Dashboard, Visualize, creating a visualization

Filtering and enhancing the exported data

Filtering the exported data

Kibana Dashboard, Discover

Enhancing the exported data

Share this:

Like this:

Related Posts

About The Author

Marc Lameriks