
My application logs in json format like

{"verified": true, "id": 42, "date": "bla"}

and I want to forward this as json with filebeat (6.2.4). However, because the application runs inside docker, the log is written to /var/lib/docker/containers//_json.log as:

{"log":"{\"verified\": true, \"id\": 42, \"date\": \"bla\"}\r\n","stream":"stdout","time":"2018-08-10T08:13:53.219511878Z"}

So now there is a json element log with a string value.

When filebeat parses the docker-log file, the content of the log value is interpreted as a simple string and filebeat produces this output:

... "log": "{\"verified\": true, \"id\": 42, \"date\": \"bla\"}", "time": "2018-08-10T09:00:15.038787209Z", "stream": "stdout", ...

Is it possible to parse the field "log" in filebeat so that the filebeat output contains the json elements verified, id and date?

This is my configuration:

filebeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            contains.docker.container.image: logprod
          config:
            - type: log
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log
              json.message_key: log
              json.add_error_key: true
              json.keys_under_root: true
output.console:
  enabled: true
  pretty: true

christian
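
The two-stage decode the question asks for, as an added Python example (not part of the original post and not Filebeat's code): it parses Docker's json-file envelope, then the JSON string carried in `log`, and lifts the application's keys to the root. The sample lines, the `app_` prefix for colliding keys and the shape of the `error` key are assumptions of this example.

```python
import json

# Constructed sample lines in Docker's json-file format (not real log data).
SAMPLE_LINES = [
    r'{"log":"{\"verified\": true, \"id\": 42, \"date\": \"bla\"}\r\n","stream":"stdout","time":"2018-08-10T08:13:53.219511878Z"}',
    r'{"log":"plain text startup banner\n","stream":"stderr","time":"2018-08-10T08:13:54.000000000Z"}',
    r'{"log":"{\"stream\": \"spoofed\", \"id\": 43}\n","stream":"stdout","time":"2018-08-10T08:13:55.000000000Z"}',
]


def decode_docker_line(raw, message_key="log", overwrite=False):
    """Decode one json-file line, then the JSON string held in `message_key`."""
    outer = json.loads(raw)  # stage 1: Docker's envelope (log, stream, time)
    event = {k: v for k, v in outer.items() if k != message_key}
    payload = outer.get(message_key, "")
    try:
        # stage 2: the application's own JSON, minus the trailing \r\n
        inner = json.loads(payload.strip())
        if not isinstance(inner, dict):
            raise ValueError("payload is JSON but not an object")
    except (ValueError, AttributeError) as exc:
        # Not application JSON: keep the raw text and flag it, never drop it.
        event[message_key] = payload
        event["error"] = {"type": "json", "message": str(exc)}
        return event
    for key, value in inner.items():
        if key in event and not overwrite:
            # Application-controlled data must not silently replace envelope
            # fields such as "stream" or "time"; park it under a prefix
            # (hypothetical naming chosen for this example).
            event["app_" + key] = value
        else:
            event[key] = value
    return event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(decode_docker_line(line)))
```

The third sample shows why key collisions matter when keys are placed under the root: whatever writes the application log could otherwise overwrite the envelope's `stream` or `time` values in the forwarded event.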

0 Answers