Some people here recommend using the sidecar pattern to run `filebeat`, `logstash`, `fluentd`, or `vector.dev` alongside the Nomad job.
I’d rather not duplicate logging in every Nomad job, and instead have an agent running on every Nomad client that forwards all logs. In order to do that, how would you correlate an allocation to its service?
We use SumoLogic in our environment, so for now I’m using the vendor-provided Docker image for logging containers. I run it as a system job on all Nomad clients. The config basically mounts the Docker socket so the container can get logs via Docker’s API.
This approach lets me configure labels in the Nomad Docker job; the Sumo agent looks for Docker labels that correlate environment, app name, etc. to categorize the logs per container (see the sketch below).
I don’t have to touch the default Docker json-file logging driver or any logging options in the Nomad jobs, and it doesn’t affect Nomad’s internal log handling, so `nomad alloc logs` still works just fine.
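For illustration, labels on a Nomad Docker task look roughly like this (the image and label keys here are made up — the real keys are whatever your Sumo collector is configured to match on):

```hcl
task "web" {
  driver = "docker"

  config {
    # Hypothetical application image.
    image = "mycorp/web:1.4.2"

    # The Sumo logging container reads these labels through the Docker API
    # and uses them to categorize each container's logs.
    labels {
      "environment" = "production"
      "app"         = "checkout-api"
    }
  }
}
```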
I believe something similar could be set up with Filebeat as a system job, but I haven’t tried it since we don’t use Elastic for logs. A cursory glance at the docs suggests you can probably configure this with “autodiscover hints”.
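If that’s right, the hints would be set as Docker labels on each Nomad task, something like this untested sketch (the `co.elastic.logs/*` keys are Filebeat’s documented hint labels; the rest is illustrative):

```hcl
task "nginx" {
  driver = "docker"

  config {
    image = "nginx:1.17"

    # Filebeat's hints-based autodiscover inspects container labels and
    # applies the matching module/filesets to this container's stdout/stderr.
    labels {
      "co.elastic.logs/module"         = "nginx"
      "co.elastic.logs/fileset.stdout" = "access"
      "co.elastic.logs/fileset.stderr" = "error"
    }
  }
}
```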
To install Filebeat on a Nomad client node, you can either install it directly on the machine or run it as a system job that runs on every client node, which is more convenient.
Another option is to run nomad_follower as a system job – I did some work on it recently to allow it to work on locked-down clusters, use temporary Vault credentials to fetch allocations, and so forth. Since it uses a Nomad token rather than the Docker socket it’s a little more secure, and it writes the logs out to a host_volume-mounted directory (so you do need Nomad 0.10.0).
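Roughly, the job looks like this (a sketch only — the volume name, image, and Vault policy are placeholders, not the real values):

```hcl
job "nomad-follower" {
  datacenters = ["dc1"]
  type        = "system"

  group "logging" {
    # "log-storage" is a hypothetical host_volume name; it must be declared
    # in each client's config. Host volumes require Nomad 0.10.0+.
    volume "logs" {
      type   = "host"
      source = "log-storage"
    }

    task "follower" {
      driver = "docker"

      config {
        image = "example/nomad_follower:latest"  # placeholder image
      }

      # Temporary Vault credentials, used to obtain a Nomad token for
      # fetching allocations instead of mounting the Docker socket.
      vault {
        policies = ["nomad-follower"]
      }

      volume_mount {
        volume      = "logs"
        destination = "/logs"  # aggregated logs are written here
      }
    }
  }
}
```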
We have been using Filebeat for a few weeks to ship the logs of several Nomad clusters into Elasticsearch. We wrote a custom module that is currently being contributed back to Filebeat. It is implemented as an autodiscover provider, which allows us to specify certain tags in the meta stanza to customize how the logs of a given job/group/task should be parsed.
We deploy/run Filebeat as a system job on all the nodes and mount the alloc_dir directory into the container. This way each Filebeat instance talks to the local agent and is responsible for shipping only the current node’s logs. Normally we write directly to Kafka, but it could also write into ES with the elasticsearch output.
For example, a task running an instance of Nginx (with the default log format) could be tagged on Nomad with the following meta:
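(The key names below are illustrative — the actual tags depend on how the autodiscover provider is configured to match them.)

```hcl
meta {
  # Illustrative key names; the provider matches on configured tag keys.
  "logs.module"  = "nginx"
  "logs.fileset" = "access"
}
```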
Hi @jorgelbg,
Your Filebeat Nomad module sounds very interesting and something that we could leverage as well. Do you have any info on whether this will be included with Filebeat, or whether it will be an open-source module we could use? Thanks for any info!
Hi @codyja, we’re contributing our code back to Filebeat. We have opened PR https://github.com/elastic/beats/pull/14954, which includes the autodiscover provider and the processor(s) for Filebeat (as described in my previous comment).
The response from the Beats maintainers has been very welcoming, so I think the module will be available in a future release.
If you want to give it a try, I can push the internal Docker image that we’ve been using to a public registry. We’re still working through certain edge cases that we’ve found, but we’re already using it in our production clusters.
Sure! If you have a Docker ID I can add you to the private repo (where I’ve been pushing the image we’re currently using internally) so you can test it. I’d love to get some external feedback as well.
The documentation (including the sample configuration) is included in the PR on the elastic repository.
You should be able to pull the jorgelbg/filebeat-nomad image from Docker Hub. This is the image version that we’re running right now in all of our environments. Keep in mind that this image was not built from the current filebeat master.
We deploy this as a system job into our entire cluster with a config like:
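(A trimmed sketch — the alloc_dir path, image tag, and resource figures below are placeholders, not our exact values.)

```hcl
job "filebeat" {
  datacenters = ["dc1"]
  type        = "system"  # one instance per client node

  group "filebeat" {
    task "filebeat" {
      driver = "docker"

      config {
        image = "jorgelbg/filebeat-nomad:latest"

        # Mount the host's alloc_dir (path assumed) read-only so this
        # instance can read the log files of every allocation on the node.
        # Requires docker.volumes.enabled = true on the client.
        volumes = [
          "/var/nomad/alloc:/var/nomad/alloc:ro",
        ]
      }

      resources {
        cpu    = 100
        memory = 256
      }
    }
  }
}
```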