I'm trying to limit my filebeat daemonset to collect logs only from certain namespaces.
According to the official autodiscovery documentation, I can define namespace: but it seems to be singular, not plural.
Is there anyway to limit the namespace but for several namespaces?
My current configuration looks like this:
filebeat.autodiscover:
providers:
- type: kubernetes
node: ${NODE_NAME}
namespace: backend
hints.enabled: true
hints.default_config:
type: container
paths:
- /var/log/containers/*-${data.kubernetes.container.id}.log
include_annotations: '*'
After some reading it looks that you can achieve your goal with Hints based autodiscover:
The hints system looks for hints in Kubernetes Pod annotations or Docker labels that have the prefix co.elastic.logs. As soon as the container starts, Filebeat will check if it contains any hints and launch the proper config for it. Hints tell Filebeat how to get logs for the given container.
So basically you enable the hints in your main configuration:
filebeat.autodiscover:
providers:
- type: kubernetes
hints.enabled: true
add_resource_metadata.namespace.enabled: true
hints.default_config.enabled: false
Then you can provide the hint for it in form of annotation:
annotations:
co.elastic.logs/enabled: 'true'