Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document that Filebeat should not collect its own logs on Kubernetes #39566

Open
belimawr opened this issue May 14, 2024 · 3 comments
Open

Document that Filebeat should not collect its own logs on Kubernetes #39566

belimawr opened this issue May 14, 2024 · 3 comments
Labels
Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Comments

@belimawr
Copy link
Contributor

When using Kubernetes autodiscover, the example configuration from our docs will make Filebeat collect it's own logs. This is fine most of the time.

However if Filebeat is logging in debug level and the processors selector is enabled, this will cause Filebeat to log every event it ingested causing a loop of ever growing log entries:

  1. Filebeat reads any event
  2. Filebeat ingests the event and logs the event in level debug
  3. Because Filebeat is also collecting its own logs, at some point it will read the log generated at 2.
  4. Filebeat ingests its own log from 3, then logs it in debug level. Now the log from 2 has been "wrapped" into another log entry that is also logged
  5. GOTO 2

We should at least add a warning in our documentation about it and provide an example of how to prevent Filebeat from collecting its own logs.
@belimawr belimawr added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label May 14, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@belimawr belimawr mentioned this issue May 24, 2024
Merged
13 tasks
@cmacknz
Copy link
Member

cmacknz commented May 29, 2024
edited

So the loop we have is something like:

  1. Filebeat reads event A.
  2. Filebeat logs that it published event A.
  3. Filebeat reads the log for publishing event A.
  4. Filebeat logs that it published the log for publishing event A.
  5. ... this repeats indefinitely

At step 2 is there some obvious marker we can add to this log message so that in step 3 Filebeat can drop this log line, or at least not recursively log about it? Whatever marker we choose has to still work if the Filebeat pod is restarted, that is it cannot be ephemeral.

@belimawr
Copy link
Contributor Author

We could match the Publish event: string in the logs as part of a drop processor configuration. Ideally that should be restricted to Filebeat's pods, so it would be good to match on pod/daemonset name or something like that. I believe the ideal scenario is use the dynamic templates to get Filebeat's pod ID and filter out the on it. I'm just not sure how feasible that is (I haven't looked into that either).

However we cannot guarantee user's won't change it.

When Filebeat reads its own logs while collecting Kuberenetes logs, it reads as plain text, so no fields from the JSON are available for filtering.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@belimawr @cmacknz @elasticmachine