
Filebeat

Filebeat Sidecar to ship logs to Elastic

The important thing is to have a common volume mount between the two containers, and to have the Filebeat sidecar use the ConfigMap. It would also be good to find a way to use a Secret instead of a hard-coded password in the ConfigMap, since ConfigMap data is readable in plain text by anyone who can view the object.

Filebeat Configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-configmap
  namespace: your-namespace
  labels:
    app: your-app
data:
  filebeat.yml: |
    filebeat:
      config:
        modules:
          path: /usr/share/filebeat/modules.d/*.yml
          reload:
            enabled: true
      modules:
      - module: nginx
        access:
          var.paths: ["/var/log/nginx/access.log*"]
        error:
          var.paths: ["/var/log/nginx/error.log*"]
      - module: apache
        access:
          enabled: true
          var.paths: ["/usr/local/apache2/logs/access.log"]
        error:
          enabled: true
          var.paths: ["/usr/local/apache2/logs/error.log"]
    output:
      elasticsearch:
        hosts: ["<YOUR_ELASTIC_IP>:9200"]
        username: elastic
        password: <YOUR_GOOD_PASSWORD_HERE>

Deployment config (your app's existing Deployment, not a new one for Filebeat; the sidecar is an extra container in the app's pod):

spec:
...
      containers:
      - name: your-app
...
        volumeMounts:
          - name: apache-logs
            mountPath: /usr/local/apache2/logs/
...
      - name: filebeat-sidecar
        image: docker.elastic.co/beats/filebeat:7.15.0
        volumeMounts:
          - name: apache-logs
            mountPath: /usr/local/apache2/logs/
          - name: filebeat-config
            mountPath: /usr/share/filebeat/filebeat.yml
            subPath: filebeat.yml
      volumes:
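        - name: apache-logs
          emptyDir: {}   # shared by both containers; a volume with no source defaults to emptyDir, made explicit here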
        - name: filebeat-config
          configMap:
            name: filebeat-configmap
            items:
              - key: filebeat.yml
                path: filebeat.yml
...
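
One way to replace the hard-coded password with a Secret, as an added example that is not part of the original page: the Secret is exposed to the sidecar as an environment variable, and `filebeat.yml` references it with `${...}`, which Filebeat expands when it loads its configuration. The Secret name `filebeat-elastic-credentials`, its key `password`, and the variable name `ELASTIC_PASSWORD` are assumptions.

```yaml
# Added example. Names marked "assumed" are not from the original page.

# 1) Secret holding the Elasticsearch password (apply separately from the
#    ConfigMap; keep the real value out of version control).
apiVersion: v1
kind: Secret
metadata:
  name: filebeat-elastic-credentials    # assumed name
  namespace: your-namespace
type: Opaque
stringData:
  password: <YOUR_GOOD_PASSWORD_HERE>   # placeholder
---
# 2) ConfigMap: same as above, except the password is now a reference that
#    Filebeat expands from its environment when it loads the file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-configmap
  namespace: your-namespace
data:
  filebeat.yml: |
    # (keep the filebeat.config and filebeat.modules settings shown above)
    output:
      elasticsearch:
        hosts: ["<YOUR_ELASTIC_IP>:9200"]
        username: elastic
        password: "${ELASTIC_PASSWORD}"   # assumed variable name
---
# 3) Deployment fragment: add `env` to the existing filebeat-sidecar
#    container. volumeMounts and volumes stay as shown above.
containers:
  - name: filebeat-sidecar
    image: docker.elastic.co/beats/filebeat:7.15.0
    env:
      - name: ELASTIC_PASSWORD
        valueFrom:
          secretKeyRef:
            name: filebeat-elastic-credentials
            key: password
```

With this in place the ConfigMap no longer contains the credential, so read access to ConfigMaps in the namespace does not reveal it. Secret values are still only base64-encoded in the API unless encryption at rest is enabled, so limit RBAC `get`/`list` on Secrets to the accounts that need it.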