NOAUDITLOG flag to true in the .env file or in docker secrets.

docker-compose.yml

:MY_WORKDIR with the path of your working directory.

/usr/share/filebeat/filebeat.yml:ro. FileBeat also needs to have access to docker log files. They can usually be found in /var/lib/docker/containers but that might depend on your docker installation. The docker socket /var/run/docker.sock is also shared with the container. That allows FileBeat to use the docker daemon to retrieve information and enrich the logs with things that are not directly in the log files, such as the name of the image or the name of the container.

/MY_WORKDIR/filebeat.yml
container is needed to import logs from docker. /var/lib/docker/containers/*/*.log is the location of the log files inside the FileBeat container.

elasticsearch setting allows you to configure the ElasticSearch address as well as the indexes where the logs are imported. The template index filebeat-%{[agent.version]}-%{+yyyy.MM.dd} includes a date. This means that docker logs are imported into the index corresponding to the date they appeared.

add_docker_metadata is needed in order to add useful information to the logs, such as the name of the image or the name of the container. Only ids are displayed by default.

decode_json_fields lets you parse logs encoded in JSON. The logs in FileBeat, ElasticSearch and Kibana consist of multiple fields. The message field is what the application (running inside a docker container) writes to the standard output.

docker-compose

filebeat-* (to include all logs from FileBeat) and @timestamp.
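A filebeat.yml that puts together the settings described above (container input, elasticsearch output, add_docker_metadata, decode_json_fields), as an added example that is not the original page's file. The ElasticSearch address elasticsearch:9200, the socket URL form and the json target field are assumptions; the log path and the index template are the ones named in the text.

```yaml
# filebeat.yml (added example, not the original page's file).
# Intended to be mounted read-only at /usr/share/filebeat/filebeat.yml.

filebeat.inputs:
  # The "container" input reads the log files written by the docker daemon.
  - type: container
    paths:
      # Location of the log files inside the FileBeat container.
      - /var/lib/docker/containers/*/*.log

processors:
  # Asks the docker daemon, through the shared socket, for the image name
  # and container name of each log source (only ids are present otherwise).
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"

  # Parses the "message" field when the application logs JSON.
  # Assumption: decoded keys are placed under "json" and never overwrite
  # existing fields, so application-controlled log content cannot replace
  # FileBeat's own fields such as the container metadata added above.
  - decode_json_fields:
      fields: ["message"]
      target: "json"
      overwrite_keys: false
      # Marks events whose message could not be decoded as JSON.
      add_error_key: true

output.elasticsearch:
  # Assumption: ElasticSearch is reachable under this service name and port.
  hosts: ["elasticsearch:9200"]
  indices:
    # One index per agent version and day; all of them match filebeat-*.
    - index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
```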