filebeat-logs.yml

filebeat.inputs:
# Default input
- type: container
  paths:
    - /var/log/containers/*.log
  multiline:
    pattern: '^([[:space:]]+at|Caused[[:space:]]by|[[:space:]]+\.\.\.|[[:space:]]name:|^[[:space:]]*[{}]|[[:space:]]+\"[[:alnum:]]+|[[:blank:]]+[[:alnum:]]+|[[:space:]]+\-[[:space:]]+(Health|Checking)|^Message[[:space:]]History$|^Stacktrace$|^RouteId[[:space:]]+Processor|[[:space:]]*(\[[\w\.\s]+\]\s*){2,}|^\-{5,}:\s[\w\.]+:)'
    negate: false
    match: after
  processors:
    # Drop empty messages
    - drop_event:
        when:
          regexp:
            message: '^[^A-Za-z0-9{}]*$'
    
    # Add kubernetes metadata
    - add_kubernetes_metadata:
        host: ${NODE_NAME}
        in_cluster: true
        default_indexers.enabled: true
        matchers:
        - logs_path:
            logs_path: "/var/log/containers/"
    # drop logs from ignored namespaces
    - drop_event:
        when:
          or:
          - equals:
              kubernetes.namespace: "openshift-sdn"
          - equals:
              kubernetes.namespace: "openshift-logging"
          - equals:
              kubernetes.namespace: "openshift-cluster-version"
          - equals:
              kubernetes.namespace: "openshift-etcd-operator"
          - equals:
              kubernetes.namespace: "openshift-cluster-samples-operator"

    # Drop messages from ignored pods
    - drop_event:
        when:
          or:
          - regexp:
              kubernetes.pod.name: '^olm-operator-.+'
          - regexp:
              kubernetes.pod.name: '^packageserver-.+'
          

processors:
  - add_cloud_metadata:
      providers:
      - aws
  - add_host_metadata:
      netinfo.enabled: false

setup.ilm.enabled: false

output.elasticsearch:
  bulk_max_size: 2500
  worker: 2
  hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}
  protocol: ${ELASTICSEARCH_PROTOCOL}