filebeat autodiscover podman container missing variable for path

[borisboetzel]

I would like to reach logs inside an autodiscovered podman container. Filebeat autodiscover offer several variables to configure the template. I am missing the layer-id to reach the right path to the logs.

https://www.elastic.co/guide/en/beats/filebeat/7.17/configuration-autodiscover.html#_docker_2

• host
• port
• docker.container.id
• docker.container.image
• docker.container.name
• docker.container.labels

extract of filebeat.yml

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
      templates:
        - condition:
            contains:
              docker.container.image: zookeeper
          config:
            - module: zookeeper
              audit:
                enabled: false
                input:
                  type: container
                  paths:
                    - '{{docker_overlay_root_path}}/${data.docker.container.id}/diff/*.log'
              log:
                enabled: true
                input:
                  type: container
                  paths:
                    - '{{docker_overlay_root_path}}/${data.docker.container.id}/diff/var/log/kafka/zookeeper-gc.log' # path of container.layer not available!!!!

extract of /var/lib/docker/containers/containers.json

    {
        "id": "dbc3e1514adf940c6850bb7312c54462d51ef10ffcda371f34ac9bdf3bbbeb5f",
        "names": [
            "kafka_zk1_lab"
        ],
        "image": "ae425c0d807e6ac4df94b510a234f006bcebc51d9eb9c3d6d24e7ad9948e2af8",
        "layer": "0cb4143217edf5082553ed97cafa58bf74b56717c961d1fb5b47ef76a44dd72b",
        "metadata": "{\"image-name\":\"docker.io/confluentinc/cp-zookeeper:7.2.2\",\"image-id\":\"ae425c0d807e6ac4df94b510a234f006bcebc51d9eb9c3d6d24e7ad9948e2af8\",\"name\":\"kafka_zk1_lab\",\"created-at\":1685620373}",
        "created": "2023-06-01T11:52:53.108023255Z",
        "flags": {
            "MountLabel": "system_u:object_r:container_file_t:s0:c314,c608",
            "ProcessLabel": "system_u:system_r:container_t:s0:c314,c608"
        }
    }

extract of filebeat log

2023-06-02T08:00:14.217Z        INFO    [input] log/input.go:164        Configured paths: [/var/lib/docker/overlay/dbc3e1514adf940c6850bb7312c54462d51ef10ffcda371f34ac9bdf3bbbeb5f/diff/var/log/kafka/zookeeper-gc.log]        {"input_id": "8277102a-5eaa-46c4-9883-84903b1e7c7e"}
2023-06-02T08:00:14.246Z        INFO    [input] log/input.go:164        Configured paths: [/var/lib/docker/overlay/dbc3e1514adf940c6850bb7312c54462d51ef10ffcda371f34ac9bdf3bbbeb5f/diff/var/log/kafka/zookeeper-gc.log]        {"input_id": "2856664b-fb5b-4443-abc9-5317ed4306da"}
2023-06-02T08:00:14.260Z        INFO    [input] log/input.go:164        Configured paths: [/var/lib/docker/overlay/dbc3e1514adf940c6850bb7312c54462d51ef10ffcda371f34ac9bdf3bbbeb5f/diff/var/log/kafka/zookeeper-gc.log]        {"input_id": "8a5f55df-a5f4-4c5f-b46a-817444a1fd95"}
2023-06-02T08:00:14.261Z        INFO    [input] log/input.go:164        Configured paths: [/var/lib/docker/overlay/dbc3e1514adf940c6850bb7312c54462d51ef10ffcda371f34ac9bdf3bbbeb5f/diff/var/log/kafka/zookeeper-gc.log]        {"input_id": "bf4fccd5-04bc-4de0-8afc-f7d120b96ca8"}

wrong path with ${data.docker.container.id}

ls: cannot access /var/lib/docker/overlay/dbc3e1514adf940c6850bb7312c54462d51ef10ffcda371f34ac9bdf3bbbeb5f/diff/var/log/kafka/zookeeper-gc.log: No such file or directorynon-zero return code

path should be. Variable ${data.docker.container.layer} missing

-rw-r--r--. 1 filebeat filebeat 15742 Jun  2 05:58 /var/lib/docker/overlay/0cb4143217edf5082553ed97cafa58bf74b56717c961d1fb5b47ef76a44dd72b/diff/var/log/kafka/zookeeper-gc.log

[borisboetzel]

any help from the community? Nobody with filebeat autodiscover with podman-containers?

[botelastic[bot]]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!