-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Filebeat coredns module #11200
Merged
alakahakai
merged 24 commits into
elastic:master
from
alakahakai:filebeat-coredns-module
Mar 26, 2019
Merged
Filebeat coredns module #11200
Changes from 16 commits
Commits
Show all changes
24 commits
Select commit
Hold shift + click to select a range
6199c1e
Add coredns module
20dc52f
Add coredns module
3440037
Add fileset kubernetes for coredns module to handle Kubernetes deploy…
2229a53
Add fileset kubernetes for coredns module to support Kubernetes deplo…
475da9b
Update README and docs
469c013
Update docs for coredns
6f0c4f8
Merge with master
ba43d40
Add Coredns Overview Dashboard
27e36d8
Update dashboard to add NXDOMAIN visualization
a1b051c
Update fields
a520e02
Merge remote-tracking branch 'upstream/master' into filebeat-coredns-…
af1ed61
Merge remote-tracking branch 'upstream/master' into filebeat-coredns-…
c1aeaea
Rebuild filebeat.test, so it generates ecs version 1.0.0 instead of 1…
a93a8cc
Update CHANGELOG.next.asciidoc
fc0bddf
Remove changes to kubernetes fields.yml since it has been addressed i…
a25bc3d
Fix pipeline to support bracketed IPv6 address and address some bugs.…
717d079
Merge branch 'master' into filebeat-coredns-module
27d35a3
Merge branch 'master' into filebeat-coredns-module
f32bc05
Merge two filesets into one
bcaa67a
Fix fileset name in README
a3b3a31
use message field for coredns part of the original log
ae6ba52
Merge branch 'master' into filebeat-coredns-module
4eb67b7
Merge with master and update CHANGELOG.next.asciidoc
4b406c6
Fix an indentation error in README
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| //// | ||
| This file is generated! See scripts/docs_collector.py | ||
| //// | ||
|
|
||
| [[filebeat-module-coredns]] | ||
| [role="xpack"] | ||
|
|
||
| :modulename: coredns | ||
| :has-dashboards: true | ||
|
|
||
| == Coredns Module | ||
|
|
||
| This is a filebeat module for coredns. It supports both standalone coredns deployment and | ||
| coredns deployment in Kubernetes. Standalone coredns deployment uses the log fileset, while | ||
| Kubernetes coredns deployment uses the kubernetes fileset. | ||
|
|
||
| [float] | ||
| === Compatibility | ||
|
|
||
| Although this module has been developed against Kubernetes v1.13.x, it is expected to work | ||
| with other versions of Kubernetes. | ||
|
|
||
| [float] | ||
| === Example dashboard | ||
|
|
||
| This module comes with a sample dashboard. | ||
|
|
||
| [role="screenshot"] | ||
| image::./images/Coredns_Overview_Dashboard.jpg[] | ||
|
|
||
|
|
||
| [float] | ||
| === Fields | ||
|
|
||
| For a description of each field in the module, see the | ||
| <<exported-fields-coredns,exported fields>> section. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,160 @@ | ||
| # Coredns Module | ||
|
|
||
| This is a filebeat module for coredns. It supports both standalone coredns deployment and | ||
| coredns deployment in Kubernetes. | ||
|
|
||
| ## Caveats | ||
|
|
||
| * Module is to be considered _beta_. | ||
|
|
||
| ## Download and install Filebeat | ||
|
|
||
| Grab the filebeat binary from elastic.co, and install it by following the instructions. | ||
|
|
||
| ## Deployment Scenario #1: coredns native deployment | ||
|
|
||
| Make sure to update coredns configuration to enable log plugin. This module assumes that coredns log | ||
| entries will be written to /var/log/coredns.log. Should it be not the case, please point the module | ||
| log path to the path of the log file. | ||
|
|
||
| Update filebeat.yml to point to Elasticsearch and Kibana. | ||
| Setup Filebeat. | ||
| ``` | ||
| ./filebeat setup --modules coredns -e | ||
| ``` | ||
|
|
||
| Enable the Filebeat coredns module | ||
| ``` | ||
| ./filebeat modules enable coredns | ||
| ``` | ||
|
|
||
| Start Filebeat | ||
| ``` | ||
| ./filebeat -e | ||
| ``` | ||
|
|
||
| Now, the Coredns logs and dashboard should appear in Kibana. | ||
|
|
||
|
|
||
| ## Deployment Scenario #2: coredns for kubernetes | ||
|
|
||
| For Kubernetes deployment, the filebeat daemon-set yaml file needs to be deployed to the | ||
| Kubernetes cluster. Sample configuration files is provided under the `beats/deploy/filebeat` | ||
| directory, and can be deployed by doing the following: | ||
| ``` | ||
| kubectl apply -f filebeat | ||
| ``` | ||
|
|
||
| #### Note the following section in the ConfigMap, make changes to the yaml file if necessary | ||
| ``` | ||
| filebeat.autodiscover: | ||
| providers: | ||
| - type: kubernetes | ||
| hints.enabled: true | ||
| default.disable: true | ||
|
|
||
| processors: | ||
| - add_kubernetes_metadata: | ||
| in_cluster: true | ||
| ``` | ||
|
|
||
| This enables auto-discovery and hints for filebeat. When default.disable is set to true (default value is false), it will disable log harvesting for the pod/container, unless it has specific annotations enabled. This gives users more granular control on kubernetes log ingestion. The `add_kubernetes_metadata` processor will add enrichment data for Kubernetes to the ingest logs. | ||
|
|
||
| #### Note the following section in the DaemonSet, make changes to the yaml file if necessary | ||
| ``` | ||
| apiVersion: extensions/v1beta1 | ||
| kind: DaemonSet | ||
| metadata: | ||
| name: filebeat | ||
| namespace: kube-system | ||
| labels: | ||
| k8s-app: filebeat | ||
| spec: | ||
| template: | ||
| metadata: | ||
| labels: | ||
| k8s-app: filebeat | ||
| spec: | ||
| serviceAccountName: filebeat | ||
| terminationGracePeriodSeconds: 30 | ||
| containers: | ||
| - name: filebeat | ||
| image: docker.elastic.co/beats/filebeat:%VERSION% | ||
| args: [ | ||
| "sh", "-c", "filebeat setup -e --modules coredns -c /etc/filebeat.yml && filebeat -e -c /etc/filebeat.yml" | ||
| ] | ||
| env: | ||
| # Edit the following values to reflect your setup accordingly | ||
| - name: ELASTICSEARCH_HOST | ||
| value: 192.168.99.1 | ||
| - name: ELASTICSEARCH_USERNAME | ||
| value: elastic | ||
| - name: ELASTICSEARCH_PASSWORD | ||
| value: changeme | ||
| - name: KIBANA_HOST | ||
| value: 192.168.99.1 | ||
| ``` | ||
|
|
||
| The module setup step can also be done separately without Kubernetes if applicable, and in that case, the args can be simplified to: | ||
| ``` | ||
| args: [ | ||
| "sh", "-c", "filebeat -e -c /etc/filebeat.yml" | ||
| ] | ||
| ``` | ||
|
|
||
| ### Note that you probably need to update the coredns configmap to enable logging, and coredns deployment to add proper annotations. | ||
|
|
||
| ##### Sample ConfigMap for coredns: | ||
|
|
||
| ``` | ||
| apiVersion: v1 | ||
| data: | ||
| Corefile: | | ||
| .:53 { | ||
| log | ||
| errors | ||
| health | ||
| kubernetes cluster.local in-addr.arpa ip6.arpa { | ||
| pods verified | ||
| endpoint_pod_names | ||
| upstream | ||
| fallthrough in-addr.arpa ip6.arpa | ||
| } | ||
| prometheus :9153 | ||
| proxy . /etc/resolv.conf | ||
| cache 30 | ||
| loop | ||
| reload | ||
| loadbalance | ||
| } | ||
| kind: ConfigMap | ||
| metadata: | ||
| creationTimestamp: "2019-01-31T21:02:57Z" | ||
| name: coredns | ||
| namespace: kube-system | ||
| resourceVersion: "185717" | ||
| selfLink: /api/v1/namespaces/kube-system/configmaps/coredns | ||
| uid: 95a5d5cb-259b-11e9-8e5d-080027971f3c | ||
| ``` | ||
|
|
||
| #### Sample Deployment for coredns. Note the annotations. | ||
|
|
||
| ``` | ||
| apiVersion: extensions/v1beta1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: coredns | ||
| spec: | ||
| replicas: 2 | ||
| template: | ||
| metadata: | ||
| annotations: | ||
| "co.elastic.logs/module": "coredns" | ||
| "co.elastic.logs/fileset": "kubernetes" | ||
| "co.elastic.logs/disable": "false" | ||
| labels: | ||
| k8s-app: coredns | ||
| spec: | ||
| <snipped> | ||
| ``` | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| - module: coredns | ||
| # Fileset for native deployment | ||
| log: | ||
| enabled: true | ||
| # Fileset for Kubernetes deployment | ||
| kubernetes: | ||
| enabled: false | ||
|
|
||
| # Set custom paths for the log files. If left empty, | ||
| # Filebeat will choose the paths depending on your OS. | ||
| #var.paths: |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The indentation here looks like it's off by 2 spaces.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, good catch. It was manually edited for the README and a mistake was made.