---
# Source: filebeat/templates/serviceaccount.yaml
# Identity the Filebeat pods run as: the DaemonSet in this file sets
# `serviceAccountName: logging-filebeat`, and the ClusterRoleBinding in this
# file grants this account the logging-filebeat-cluster-role.
# No metadata.namespace is rendered here, so the account is created in whatever
# namespace the manifest is applied to.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: logging-filebeat
  # Rendered empty by the chart (no annotations configured).
  annotations:
  labels:
    app: "logging-filebeat"
    chart: "filebeat-7.16.2"
    heritage: "Helm"
    release: "logging"
---
# Source: filebeat/templates/configmap.yaml
# Filebeat configuration mounted into the DaemonSet pods as
# /usr/share/filebeat/filebeat.yml (see the filebeat-config volume).
apiVersion: v1
kind: ConfigMap
metadata:
  name: logging-filebeat-daemonset-config
  labels:
    app: "logging-filebeat"
    chart: "filebeat-7.16.2"
    heritage: "Helm"
    release: "logging"
data:
  # NOTE(review): the page lost the original indentation; the nesting below is
  # reconstructed from Filebeat's usual configuration layout. Confirm against
  # the chart values before applying, in particular:
  #   - `exclude_labels` has no value, and `in_cluster` /
  #     `kubernetes.labels.chart` are kept as sibling keys of the provider;
  #   - `json.keys_under_root` / `json.add_error_key` are attached to the last
  #     container input only (namespace `iotans`);
  #   - `processors` and `output.elasticsearch` are placed at the top level.
  #
  # What is collected:
  #   - system module: syslog fileset only. The auth fileset is disabled, so
  #     host authentication logs are not shipped. Its path is `/var/log/auth`;
  #     presumably `/var/log/auth.log` was meant - verify before enabling.
  #   - elasticsearch module: all five filesets read the same container-log
  #     glob - confirm this is intended.
  #   - autodiscover: kubernetes provider with hints disabled, so only the four
  #     namespace templates (lora, databases, transport, iotans) select
  #     container logs; pod annotations do not change what is collected.
  #
  # What is discarded:
  #   - drop_fields removes container.id, kubernetes.pod.uid,
  #     kubernetes.node.hostname and the agent.* fields, among others. These
  #     are the identifiers used to tie an event to one container or node
  #     during an investigation - confirm the remaining fields are enough.
  #   - the first drop_event discards events from the kubernetes-dashboard and
  #     kibana apps and from the sentry and argocd namespaces; the second
  #     discards Filebeat's own events whose message matches `INFO`.
  #
  # Output:
  #   - hosts come from the ELASTICSEARCH_HOSTS variable set on the DaemonSet.
  #     No `protocol`, `ssl.*`, `username`/`password` or `api_key` setting is
  #     present, so presumably Filebeat's defaults apply (plain HTTP, no
  #     authentication) - confirm, and supply credentials from a Secret rather
  #     than from this ConfigMap if the cluster requires them.
  filebeat.yml: |
    logging.level: info
    setup.ilm.enabled: false
    filebeat.modules:
      - module: system
        syslog:
          enabled: true
          var.paths: ["/var/log/syslog"]
        auth:
          enabled: false
          var.paths: ["/var/log/auth"]
      - module: elasticsearch
        server:
          enabled: true
          var.paths: ["/var/log/containers/*elasticsearch*.log"]
        gc:
          enabled: true
          var.paths: ["/var/log/containers/*elasticsearch*.log"]
        audit:
          enabled: true
          var.paths: ["/var/log/containers/*elasticsearch*.log"]
        slowlog:
          enabled: true
          var.paths: ["/var/log/containers/*elasticsearch*.log"]
        deprecation:
          enabled: true
          var.paths: ["/var/log/containers/*elasticsearch*.log"]
    filebeat.autodiscover:
      providers:
        - type: kubernetes
          hints.enabled: false
          exclude_labels:
          in_cluster: true
          kubernetes.labels.chart: true
          templates:
            - condition:
                equals:
                  kubernetes.namespace: lora
              config:
                - type: container
                  paths:
                    - /var/log/containers/*-${data.kubernetes.container.id}.log
            - condition:
                equals:
                  kubernetes.namespace: databases
              config:
                - type: container
                  paths:
                    - /var/log/containers/*-${data.kubernetes.container.id}.log
            - condition:
                equals:
                  kubernetes.namespace: transport
              config:
                - type: container
                  paths:
                    - /var/log/containers/*-${data.kubernetes.container.id}.log
            - condition:
                equals:
                  kubernetes.namespace: iotans
              config:
                - type: container
                  paths:
                    - /var/log/containers/*-${data.kubernetes.container.id}.log
                  json.keys_under_root: true
                  json.add_error_key: true
    processors:
      - drop_fields:
          fields:
            - "kubernetes.namespace_uid"
            - "kubernetes.node.labels.kubernetes_io/arch"
            - "kubernetes.node.labels.kubernetes_io/os"
            - "kubernetes.node.labels.beta_kubernetes_io/arch"
            - "kubernetes.node.labels.beta_kubernetes_io/os"
            - "kubernetes.namespace_labels.kubernetes_io/metadata_name"
            - "kubernetes.node.labels.kubernetes_io/hostname"
            - "kubernetes.node.labels.iotans_io/node-role"
            - "kubernetes.node.hostname"
            - "kubernetes.node.uid"
            - "kubernetes.pod.uid"
            - "kubernetes.labels.pod-template-hash"
            - "kubernetes.labels.heritage"
            - "kubernetes.labels.release"
            - "kubernetes.labels.pod-template-generation"
            - "kubernetes.labels.statefulset_kubernetes_io"
            - "kubernetes.labels.controller-revision-hash"
            - "kubernetes.labels.cluster-uid"
            - "kubernetes.labels.cluster-name"
            - "kubernetes.statefulset.name"
            - "kubernetes.replicaset.name"
            - "kubernetes.labels.app_kubernetes_io/*"
            - "ecs.version"
            - "agent.ephemeral_id"
            - "agent.id"
            - "agent.name"
            - "agent.hostname"
            - "agent.version"
            - "agent.type"
            - "container.runtime"
            - "container.id"
            - "container.image.name"
          ignore_missing: true
      - drop_event:
          when:
            or:
              - equals:
                  "kubernetes.labels.app_kubernetes_io/name": "kubernetes-dashboard"
              - equals:
                  "kubernetes.labels.app": "kibana"
              - equals:
                  "kubernetes.namespace": "sentry"
              - equals:
                  "kubernetes.namespace": "argocd"
      - drop_event:
          when:
            and:
              - equals:
                  "kubernetes.labels.app": "logging-filebeat"
              - regexp:
                  "message": "INFO"
    output.elasticsearch:
      host: '${NODE_NAME}'
      hosts: '${ELASTICSEARCH_HOSTS}'
      indices:
        - index: "filebeat-%{[agent.version]}-%{[event.module]}-%{+yyyy.MM.dd}"
---
# Source: filebeat/templates/clusterrole.yaml
# Cluster-wide, read-only access for Filebeat's kubernetes autodiscover
# provider: get/list/watch on namespaces, nodes and pods in the core API group.
# No write verbs and no access to Secrets or ConfigMaps are granted.
# NOTE(review): read access to pods covers every namespace, not only the four
# the autodiscover templates match, and a pod object includes its full spec
# (image names, literal env values). Treat this service account's token as
# sensitive.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: logging-filebeat-cluster-role
  labels:
    app: "logging-filebeat"
    chart: "filebeat-7.16.2"
    heritage: "Helm"
    release: "logging"
rules:
  - apiGroups:
      # "" is the core API group.
      - ""
    resources:
      - namespaces
      - nodes
      - pods
    verbs:
      - get
      - list
      - watch
---
# Source: filebeat/templates/clusterrolebinding.yaml
# Grants logging-filebeat-cluster-role to the logging-filebeat ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: logging-filebeat-cluster-role-binding
  labels:
    app: "logging-filebeat"
    chart: "filebeat-7.16.2"
    heritage: "Helm"
    release: "logging"
roleRef:
  kind: ClusterRole
  name: logging-filebeat-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: logging-filebeat
    # The subject namespace is fixed to `monitoring`, while the ServiceAccount
    # and DaemonSet in this file carry no metadata.namespace. Apply them to the
    # `monitoring` namespace, otherwise this binding refers to an account the
    # pods do not run as.
    namespace: monitoring
---
# Source: filebeat/templates/daemonset.yaml
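# Runs one Filebeat pod per node to ship host and container logs.
# Indentation is reconstructed (the page lost it); the pod spec follows the
# standard apps/v1 DaemonSet schema.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: logging-filebeat
  labels:
    app: "logging-filebeat"
    chart: "filebeat-7.16.2"
    heritage: "Helm"
    release: "logging"
spec:
  selector:
    matchLabels:
      app: "logging-filebeat"
      release: "logging"
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Presumably a checksum of the rendered config, used by the chart to
        # roll the pods when the ConfigMap changes - confirm against the chart.
        configChecksum: dd52c5b5cf7f670a665945fc0670602ed77bfadbb938a9cb9adb57b2ea04e04
      name: "logging-filebeat"
      labels:
        app: "logging-filebeat"
        chart: "filebeat-7.16.2"
        heritage: "Helm"
        release: "logging"
    spec:
      tolerations:
        # `operator: Exists` with no key tolerates every taint, so the pod is
        # scheduled on all nodes, control-plane nodes included.
        - operator: Exists
      nodeSelector: {}
      affinity: {}
      serviceAccountName: logging-filebeat
      terminationGracePeriodSeconds: 30
      volumes:
        - name: filebeat-config
          configMap:
            # Octal file mode: owner read/write only.
            defaultMode: 0600
            name: logging-filebeat-daemonset-config
        # Writable host directory mounted at /usr/share/filebeat/data, so its
        # contents survive pod restarts.
        - name: data
          hostPath:
            path: /var/lib/logging-filebeat-monitoring-data
            type: DirectoryOrCreate
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        # Exposes all of the node's /var/log to the container (mounted
        # read-only below).
        - name: varlog
          hostPath:
            path: /var/log
        # The /var/run/docker.sock hostPath volume and its mount were removed.
        # The Filebeat config in logging-filebeat-daemonset-config uses only
        # the `kubernetes` autodiscover provider, which reads from the API
        # server through the service account, and `container` inputs, which
        # read log files. Nothing in it talks to the Docker daemon. A mounted
        # Docker socket gives this root container control of the node's Docker
        # daemon; `readOnly: true` on the mount does not restrict requests sent
        # over the socket. Re-add it only for the `docker` autodiscover
        # provider. See:
        # https://www.elastic.co/guide/en/beats/filebeat/7.16/configuration-autodiscover.html
      containers:
        - name: "filebeat"
          # Referenced by tag; pin by digest if image integrity must be
          # enforced at deploy time.
          image: "docker.elastic.co/beats/filebeat:7.16.2"
          imagePullPolicy: "IfNotPresent"
          args:
            - "-e"
            - "-E"
            # Enables Filebeat's HTTP endpoint, which the liveness probe
            # queries on 127.0.0.1:5066.
            - "http.enabled=true"
          livenessProbe:
            exec:
              command:
                # Run through `sh -c`, so the `#!` line inside the script is an
                # ordinary comment and its `-e` flag is not applied.
                - sh
                - -c
                - |
                  #!/usr/bin/env bash -e
                  curl --fail 127.0.0.1:5066
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - |
                  #!/usr/bin/env bash -e
                  filebeat test output
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
          resources:
            limits:
              cpu: 200m
              memory: 300Mi
            requests:
              cpu: 200m
              memory: 300Mi
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Referenced as ${ELASTICSEARCH_HOSTS} by output.elasticsearch in
            # the ConfigMap; no scheme or port is given here.
            - name: ELASTICSEARCH_HOSTS
              value: elasticsearch-balancer.databases
          envFrom: []
          securityContext:
            # Not privileged, but runs as UID 0, presumably so it can read
            # root-owned log files on the host.
            # NOTE(review): `allowPrivilegeEscalation` and
            # `readOnlyRootFilesystem` are not set; consider
            # `allowPrivilegeEscalation: false` after testing.
            privileged: false
            runAsUser: 0
          volumeMounts:
            - name: filebeat-config
              mountPath: /usr/share/filebeat/filebeat.yml
              readOnly: true
              subPath: filebeat.yml
            - name: data
              mountPath: /usr/share/filebeat/data
            - name: varlibdockercontainers
              mountPath: /var/lib/docker/containers
              readOnly: true
            - name: varlog
              mountPath: /var/log
              readOnly: true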
---
# Source: filebeat/templates/deployment.yaml
# Deploy singleton instance in the whole cluster for some unique data sources, like aws input