Filebeat Samples for docker

filebeat.yaml

# this fails as json parsing happens 3 times, docker input itself, then json, then decode_json_fields
filebeat.inputs:
- type: docker
  combine_partial: true
  containers:
    path: '/var/lib/docker/containers'
    stream: 'all'
    ids:
      - "0db62a3d99474712c297e6f517c89b0a6f5bdf77648fbb5d03fa93d17c58d0ab"
  json.message_key: log
  json.keys_under_root: true
  json.add_error_key: true
  encoding: utf-8
  processors:
  - add_docker_metadata: 
      host: "unix:///var/run/docker.sock"
  - decode_json_fields:
      fields: ["log"]

filebeat_docker_minimal.yml

# This works, although more improvement needed
# Note that docker metadata will have container name only for logs fetched with running container.
# Also this works under assumption that filebeat runs in its own docker container with elasticsearch and kibana 
# all present in name bridge network (created separately)
filebeat.inputs:
- type: docker
  combine_partial: true
  containers:
    path: '/var/lib/docker/containers'
    stream: 'all'
    ids:
      - "0db62a3d99474712c297e6f517c89b0a6f5bdf77648fbb5d03fa93d17c58d0ab"
  processors:
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"
output.elasticsearch:
  hosts: ["elasticsearch:9200"]