Sending Logs to an External Elasticsearch Instance when using Filebeat

Issue

  • The OCP cluster needs to send all container logs to our external Elasticsearch environment (ELK 6.1.1).
  • Therefore, we are trying to run Filebeat as a DaemonSet on all nodes.
  • However, the Filebeat pods look for json.log files within /var/lib/docker/containers/<container_name>/.
  • But it looks like the cluster sends container logs to journald:
$ sudo grep "OPTIONS" /etc/sysconfig/docker
OPTIONS=' --selinux-enabled     --log-driver=journald  --signature-verification=False'
  • Can the docker settings be changed to --log-driver=json-file, followed by a systemctl restart docker, to fix this?

Environment

  • Openshift Container Platform (OCP)
    • 3.7
