elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Filebeat] Journald input doesn't work in container #41278

Open SlavikCA opened 2 days ago

SlavikCA commented 2 days ago

I'm running filebeat on the Harvester Kubernetes cluster:

```sh
helm repo add elastic https://helm.elastic.co
helm repo update
helm install filebeat elastic/filebeat -n elk-stack -f logs/beats-values.yaml
```

with the following values:

```yaml
daemonset:
  enabled: true

  extraVolumes:
    - name: journald-logs
      hostPath:
        path: /run/log/journal/
        type: Directory
  extraVolumeMounts:
    - name: journald-logs
      mountPath: /run/log/journal/

  hostNetworking: true

  # Allows you to add any config files in /usr/share/filebeat such as filebeat.yml for daemonset
  filebeatConfig:
    filebeat.yml: |
      filebeat.inputs:

      - type: journald
        seek: head
        paths:
          - /var/log/journal/
          - /run/log/journal/

      output.elasticsearch:
        hosts: 'es01:9200'
        username: '${ELASTICSEARCH_USERNAME}'
        password: '${ELASTICSEARCH_PASSWORD}'
        protocol: http

  secretMounts: []

  securityContext:
    # - User that the container will execute as. Typically necessary to run as root (0) in order to properly collect host container logs.
    runAsUser: 0
    # - Whether to execute the Filebeat containers as privileged containers. Typically not necessary unless running within environments such as OpenShift.
    privileged: true

deployment:
  enabled: false
```

Nothing sent. What am I missing?

botelastic[bot] commented 2 days ago

This issue doesn't have a Team:<team> label.

SlavikCA commented 2 days ago

I confirmed that journal files are present inside the container:

```
kubectl exec -it filebeat-filebeat-w6wkx  -n elk-stack -- ls -lhR /run/log/journal
...
-rw-r----- 1 root 483 8.0M Oct  2 02:46 system.journal
kubectl exec -it filebeat-filebeat-w6wkx  -n elk-stack -- ls -lhR /var/log/journal
...
/var/log/journal/f93c751c5aa9e98da8a607da66d82d3c:
-rw-r----- 1 root 483 32M Oct 17 02:58 system.journal
-rw-r----- 1 root 483 32M Oct  2 02:46 system@0006237573a77e33-64d319708639609b.journal~
```

Is it expected that I should be able to run journalctl inside the container? Because I can't:

```
kubectl exec -it filebeat-filebeat-w6wkx  -n elk-stack --  journalctl 
error: Internal error occurred: error executing command in container: 
failed to exec in container: failed to start exec "b215f1d5ca6d80bc52f2d1b0221ad3a262b803dd15709e7f181c5b00386085ed": 
OCI runtime exec failed: exec failed: unable to start container process: 
exec: "journalctl": executable file not found in $PATH: unknown
```