Comments (14)
Hi,
Just move to elastic-agent with Fleet management.
And yes, that's something missing: the "autodiscovery" feature to retrieve all logs from docker and at the same time having an option in different integrations to map the discovered logs to them (thinking MySQL, Traefik, Apache, Nginx ...)
I think an integration "Docker Logs" with the autodiscovery options configurable in the fleet management will be a starting point and ability for any integration that request a log file to use this instead as index.
from elastic-agent.
Hi all.
Sorry for resurrecting such an old thread, but I think it's not resolved yet.
I think it could be a good idea to be able to call modules as if they were processors.
Something like this:
```yaml
- id: container-log-${kubernetes.pod.name}-${kubernetes.container.id}
  type: filestream
  use_output: default
  meta:
    package:
      name: kubernetes
      version: 1.29.2
  data_stream:
    namespace: default
  streams:
    - id: container-log-${kubernetes.pod.name}-${kubernetes.container.id}
      data_stream:
        dataset: kubernetes.container_logs
        type: logs
      prospector.scanner.symlinks: true
      paths:
        - /var/log/containers/*${kubernetes.container.id}.log
      processors:
        - module:
            name: nginx
            when: ${kubernetes.labels.app} == "nginx"
```
from elastic-agent.
Pinging @elastic/ingest-management (Team:Ingest Management)
from elastic-agent.
/cc @ruflin @michalpristas @ph
from elastic-agent.
I don't think we are quite there yet with the Docker/Kubernetes story with Agent. This really comes down to dynamic configurations and the ability for Agent to interact directly with Docker and Kubernetes.
from elastic-agent.
> This really comes down to dynamic configurations and the ability for Agent to interact directly with Docker and Kubernetes.

This is the effort being tracked in elastic/beats#19225, yes?
from elastic-agent.
I understand. Thanks for responding! The reason why I am asking is because we'll need to somehow fetch logs from containers and wouldn't like to enforce a nasty workaround if there is a sophisticated method available.
EDIT:
There were a few options on the table (rather quick wins, workarounds):
- Install an agent on top of the other Docker image (with product like nginx, apache, etc.) or merge two images.
- Expose via FUSE logs between Docker containers.
from elastic-agent.
@ycombinator elastic/beats#19255 is the one.
At the moment in 7.9 there is no sophisticated method.
from elastic-agent.
elastic/beats#19225 is part of the solution. @mtojek I assume we just beats, you solve this with autodiscovery? If you want all logs, I would assume the "old" trick around mounting volumes should still work? https://www.elastic.co/guide/en/beats/filebeat/master/running-on-docker.html#_volume_mounted_configuration It assumes the nginx logs are not stored inside the container but written to file by docker.
from elastic-agent.
Not sure if I follow your idea.
The Elastic Agent runs as binary in a Docker container, together with filebeat and metricbeat. My question is: how can I expose directories with logs to these processes?
According to what @blakerouse confirmed, there is no specific method, hence I'm asking for some official recommendation :)
from elastic-agent.
The way it is done today (see link I provided) is that the container in which Filebeat is running (in your case the Agent) mounts volumes from the Docker host where these logs are stored. Now Filebeat (Agent) must be pointed to these directories with the logs and tail them. The above follows the assumption that you can use the default json-file logging driver and the nginx container writes to it (not the log file inside your container).
I think I miss something on why what is possible with Filebeat should not be possible with Agent?
from elastic-agent.
> I think I miss something on why what is possible with Filebeat should not be possible with Agent?

Most likely that's possible, but I didn't measure performance here. I'm not sure if there were similar tests executed. I'm looking for the method which causes fewer problems, e.g. docker container restarts, suddenly unmounted volumes, missing permissions.
There are a couple of follow-up questions:
Which container exposes the volume (host vs guest)? What if Elastic Agent or Nginx got restarted?
from elastic-agent.
As this is a way we recommended for quite some time I would expect it to work fairly well. @exekias Perhaps you can chime in here?
For your follow-up questions:
- Nginx does not need any volume as the logging driver writes it to the right place
- Agent container needs to mount the volume from the host machine. It is not that the 2 containers share volumes with each other
- This should also solve the problem around restarting. All container logs are shipped, so if it is a new container, it has a new id and on disk a new directory, but agent will just ship it too.
from elastic-agent.
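What a shipper sees under the host-mounted log directory described in the comment above, as an added example that is not part of the thread or Elastic's code. It assumes Docker's default json-file layout (`<root>/<container-id>/<container-id>-json.log`, with the root normally `/var/lib/docker/containers` on the host, mounted read-only into the agent container); the sample container IDs and log lines are constructed.

```python
import glob
import json
import os
import tempfile

def read_container_logs(root):
    """Yield (container_id, stream, message) for every json-file log under root."""
    # One directory per container ID: a recreated container gets a new ID and
    # a new directory, which the glob picks up without any reconfiguration.
    for path in sorted(glob.glob(os.path.join(root, "*", "*-json.log"))):
        container_id = os.path.basename(os.path.dirname(path))
        pending = {}  # stream -> buffered text of a line the driver split
        with open(path, encoding="utf-8") as fh:
            for raw in fh:
                try:
                    entry = json.loads(raw)
                except json.JSONDecodeError:
                    continue  # incomplete record, e.g. file read mid-append
                stream = entry.get("stream", "stdout")
                text = pending.pop(stream, "") + entry.get("log", "")
                if text.endswith("\n"):
                    yield container_id, stream, text.rstrip("\n")
                else:
                    pending[stream] = text  # partial line, wait for the rest

def build_sample(root):
    """Write constructed sample logs: two containers, one split line."""
    t = "2020-08-01T10:00:00Z"
    samples = {
        "aaa111": [
            {"log": "GET / 200\n", "stream": "stdout", "time": t},
            {"log": "GET /very-long", "stream": "stdout", "time": t},
            {"log": "-path 404\n", "stream": "stdout", "time": t},
        ],
        "bbb222": [{"log": "upstream timed out\n", "stream": "stderr", "time": t}],
    }
    for cid, entries in samples.items():
        os.makedirs(os.path.join(root, cid))
        with open(os.path.join(root, cid, cid + "-json.log"), "w", encoding="utf-8") as fh:
            fh.writelines(json.dumps(e) + "\n" for e in entries)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return list(read_container_logs(root))

if __name__ == "__main__":
    for event in demo():
        print(event)
```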
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
from elastic-agent.