Add awsfargate module to collect container logs from Amazon ECS on Fargate #25041
Pinging @elastic/integrations (Team:Integrations)
Pinging @elastic/integrations (Team:Platforms)
This pull request doesn't have a |
💚 Build Succeeded
Looks great!
One question: Is there any way we can enrich these logs with container metadata?
@ChrsMark Thanks for the review!! I'm relying on the |
Hmm, |
lgtm
/test
CI failure should be fixed by #25141
field: message | ||
target_field: event.original | ||
ignore_missing: true |
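Review bot: the processor on these lines (the rename the thread below asks about) moves `message` into `event.original` instead of copying it, so the indexed event is left with no `message` field, and `ignore_missing: true` lets an event that arrives without `message` pass through without any signal. If the intent is to preserve the raw line, keep `message` populated and copy it into `event.original`, or drop the processor; either way the choice deserves a comment in the pipeline file.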
Could you provide some detail on why doing this rename?
Ahh sorry!! I thought we are moving all message to event.original. But I see #14708 is the other way around. I will remove this renaming here.
{ | ||
"event.dataset": "awsfargate.log", | ||
"event.module": "awsfargate", | ||
"event.original": "10.0.1.195 - - [24/Sep/2020:16:45:19 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"ELB-HealthChecker/2.0\" \"-\"", | ||
"fileset.name": "log", | ||
"input.type": "log", | ||
"log.offset": 189, | ||
"service.type": "awsfargate" | ||
} |
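Review bot: this expected event holds the raw access-log line only under `event.original` and has no `message` field, so it encodes the output of the rename discussed above; if that rename is removed, this file needs to be regenerated or the test will pin the old behaviour. The event also carries nothing that identifies the source container or log stream (only `log.offset` and the module and fileset names), which makes it hard to attribute a line to a workload during an investigation. Consider adding an expected field for the log stream name once the input exposes it.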
I'm wondering, is cloudwatch providing any extra meta about the source of the logs? I would expect some info about the containers generating these logs
Hmm the only metadata I can find is the container ID, which is in the name of the log stream. For example: ecs/metricbeat-awsfargate/397eb2787a7d4f7783d03c49cafd244c.
This pull request is now in conflicts. Could you fix it? 🙏
…-github-pr-comment-template
* upstream/master:
  [Ingest Manager] Keep http and logging config during enroll (elastic#25132)
  Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742)
  [libbeat] New decode xml wineventlog processor (elastic#25115)
  Add svc to agent k8s clusterRole (elastic#25146)
  Add awsfargate module to collect container logs from Amazon ECS on Fargate (elastic#25041)
  [Filebeat][Cisco ASA] log enhancement and performance (elastic#24744)
  Watch kubernetes namespaces for autodiscover metadata for pods (elastic#25117)
  Cyberark Privileged Access Security module (elastic#24803)
  [Elastic Agent] Log the container command output with LOGS_PATH (elastic#25150)
  Fix for tests after `device...` field has been removed (elastic#25141)
  [Ingest Manager] Restart process on output change (elastic#24907)
  Set --insecure in container when FLEET_SERVER_ENABLE and FLEET_INSECURE set. (elastic#25137)
  [filebeat] Update documentation / changelog / beta warnings for the syslog input (elastic#25047)
  Add support for ignore_inactive in filestream input (elastic#25036)
  Fix bug with annotations dedot config on k8s not used (elastic#25111)
What does this PR do?

This PR is to add support for collecting logs from AWS Fargate with awsfargate module.

Checklist

CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Step1: Follow steps in Metricbeat documentation to create some containers running using Fargate.
Step2: Check CloudWatch to get the log group ARN where your fargate logs are sent to.
Step3: Enable awsfargate module using ./filebeat modules enable awsfargate.
Step4: Modify awsfargate.yml with credentials and the log group ARN. For example:
Step5: Start Filebeat and you should be able to see logs getting ingested into ES.

Related issues