Sending Logs to an External Elasticsearch Instance when using Filebeat - Red Hat Customer Portal

Issue

The configured OCP cluster wants to send all container logs to our external Elasticsearch environment (ELK 6.1.1).
Therefor trying to use Filebeat as daemon-set on all nodes.
However, these pods are looking for json.log files within /var/lib/docker/containers/<container_name>/. Refer here.
But it looks like cluster sends container logs to journald

$ sudo grep "OPTIONS" /etc/sysconfig/docker
OPTIONS=' --selinux-enabled     --log-driver=journald  --signature-verification=False'

Can the docker settings be changed to -log-driver=json-file and apply a systemctl restart docker to fix this?

Environment

Openshift Container Platform (OCP)
- 3.7

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content

Quick Links

Help

Site Info

Related Sites

Copyright © 2024 Red Hat, Inc.

Here are the common uses of Markdown.

Code blocks

~~~
Code surrounded in tildes is easier to read
~~~

Links/URLs

[Red Hat Customer Portal](https://access.redhat.com)