This Helm chart is a lightweight way to configure and run our official Filebeat Docker image.
Warning: This branch is used for development. Please use the latest 7.x release for a released version.
- Requirements
- Installing
- Upgrading
- Usage notes
- Configuration
- FAQ
  - How to use Filebeat with Elasticsearch with security (authentication and TLS) enabled?
  - How to install OSS version of Filebeat?
  - Why is Filebeat host.name field set to Kubernetes pod name?
  - How do I get multiple beats agents working with hostNetworking enabled?
  - How to change readinessProbe for outputs which don't support testing
- Contributing
See supported configurations for more details.
- Add the Elastic Helm charts repo: `helm repo add elastic https://helm.elastic.co`
- Install it: `helm install filebeat elastic/filebeat`

- Clone the git repo: `git clone git@github.com:elastic/helm-charts.git`
- Install it: `helm install filebeat ./helm-charts/filebeat --set imageTag=8.4.1`

Please always check CHANGELOG.md and BREAKING_CHANGES.md before upgrading to a new chart version.
- The default Filebeat configuration file for this chart is configured to use an Elasticsearch endpoint. Without any additional changes, Filebeat will send documents to the service URL that the Elasticsearch Helm chart sets up by default. The Elasticsearch credentials are also retrieved from elasticsearch-master-credentials Secret from Elasticsearch chart by default. You may either set the ELASTICSEARCH_HOSTS, ELASTICSEARCH_USER and ELASTICSEARCH_PASSWORD environment variables in extraEnvs to override this or modify the default filebeatConfig to change this behavior.
- The default Filebeat configuration file is also configured to capture container logs and enrich them with Kubernetes metadata by default. This will capture all container logs in the cluster.
- This chart disables the HostNetwork setting by default for compatibility reasons with the majority of kubernetes providers and scenarios. Some kubernetes providers may not allow enabling hostNetwork and deploying multiple Filebeat pods on the same node isn't possible with hostNetwork. However Filebeat does recommend activating it. If your kubernetes provider is compatible with hostNetwork and you don't need to run multiple Filebeat DaemonSets, you can activate it by setting hostNetworking: true in values.yaml.
- This repo includes several examples of configurations that can be used as a reference. They are also used in the automated testing of this chart.

Parameter | Description | Default |
---|---|---|
clusterRoleRules | Configurable cluster role rules that Filebeat uses to access Kubernetes resources | see values.yaml |
daemonset.annotations | Configurable annotations for filebeat daemonset | {} |
daemonset.labels | Configurable labels applied to all filebeat DaemonSet pods | {} |
daemonset.affinity | Configurable affinity for filebeat daemonset | {} |
daemonset.enabled | If true, enable daemonset | true |
daemonset.envFrom | Templatable string of envFrom to be passed to the environment from variables which will be appended to filebeat container for DaemonSet | [] |
daemonset.extraEnvs | Extra environment variables which will be appended to filebeat container for DaemonSet | see values.yaml |
daemonset.extraVolumeMounts | Templatable string of additional volumeMounts to be passed to the tpl function for DaemonSet | [] |
daemonset.extraVolumes | Templatable string of additional volumes to be passed to the tpl function for DaemonSet | [] |
daemonset.hostAliases | Configurable hostAliases for filebeat DaemonSet | [] |
daemonset.hostNetworking | Enable filebeat DaemonSet to use hostNetwork | false |
daemonset.filebeatConfig | Allows you to add any config files in /usr/share/filebeat such as filebeat.yml for filebeat DaemonSet | see values.yaml |
daemonset.maxUnavailable | The maxUnavailable value for the pod disruption budget. By default this will prevent Kubernetes from having more than 1 unhealthy pod in the node group | 1 |
daemonset.nodeSelector | Configurable nodeSelector for filebeat DaemonSet | {} |
daemonset.secretMounts | Allows you to easily mount a secret as a file inside the DaemonSet. Useful for mounting certificates and other secrets. See values.yaml for an example | [] |
daemonset.podSecurityContext | Configurable podSecurityContext for filebeat DaemonSet pod execution environment | see values.yaml |
daemonset.resources | Allows you to set the resources for filebeat DaemonSet | see values.yaml |
daemonset.tolerations | Configurable tolerations for filebeat DaemonSet | [] |
deployment.annotations | Configurable annotations for filebeat Deployment | {} |
deployment.labels | Configurable labels applied to all filebeat Deployment pods | {} |
deployment.affinity | Configurable affinity for filebeat Deployment | {} |
deployment.enabled | If true, enable deployment | false |
deployment.envFrom | Templatable string of envFrom to be passed to the environment from variables which will be appended to filebeat container for Deployment | [] |
deployment.extraEnvs | Extra environment variables which will be appended to filebeat container for Deployment | see values.yaml |
deployment.extraVolumeMounts | Templatable string of additional volumeMounts to be passed to the tpl function for Deployment | [] |
deployment.extraVolumes | Templatable string of additional volumes to be passed to the tpl function for Deployment | [] |
deployment.hostAliases | Configurable hostAliases for filebeat Deployment | [] |
deployment.filebeatConfig | Allows you to add any config files in /usr/share/filebeat such as filebeat.yml for filebeat Deployment | see values.yaml |
deployment.nodeSelector | Configurable nodeSelector for filebeat Deployment | {} |
deployment.secretMounts | Allows you to easily mount a secret as a file inside the Deployment. Useful for mounting certificates and other secrets. See values.yaml for an example | [] |
deployment.resources | Allows you to set the resources for filebeat Deployment | see values.yaml |
deployment.securityContext | Configurable securityContext for filebeat Deployment pod execution environment | see values.yaml |
deployment.tolerations | Configurable tolerations for filebeat Deployment | [] |
replicas | The replica count for the Filebeat deployment | 1 |
extraContainers | Templatable string of additional containers to be passed to the tpl function | "" |
extraInitContainers | Templatable string of additional containers to be passed to the tpl function | "" |
fullnameOverride | Overrides the full name of the resources. If not set the name will default to " .Release.Name - .Values.nameOverride or .Chart.Name " | "" |
hostPathRoot | Fully-qualified hostPath that will be used to persist filebeat registry data | /var/lib |
imagePullPolicy | The Kubernetes imagePullPolicy value | IfNotPresent |
imagePullSecrets | Configuration for imagePullSecrets so that you can use a private registry for your image | [] |
imageTag | The filebeat Docker image tag | 8.4.1 |
image | The filebeat Docker image | docker.elastic.co/beats/filebeat |
livenessProbe | Parameters to pass to liveness probe checks for values such as timeouts and thresholds | see values.yaml |
managedServiceAccount | Whether the serviceAccount should be managed by this helm chart. Set this to false in order to manage your own service account and related roles | true |
nameOverride | Overrides the chart name for resources. If not set the name will default to .Chart.Name | "" |
podAnnotations | Configurable annotations applied to all filebeat pods | {} |
priorityClassName | The name of the PriorityClass. No default is supplied as the PriorityClass must be created first | "" |
readinessProbe | Parameters to pass to readiness probe checks for values such as timeouts and thresholds | see values.yaml |
serviceAccount | Custom serviceAccount that filebeat will use during execution. By default will use the service account created by this chart | "" |
serviceAccountAnnotations | Annotations to be added to the ServiceAccount that is created by this chart. | {} |
terminationGracePeriod | Termination period (in seconds) to wait before killing filebeat pod process on pod shutdown | 30 |
updateStrategy | The updateStrategy for the DaemonSet. By default Kubernetes will kill and recreate pods on updates. Setting this to OnDelete will require that pods be deleted manually | RollingUpdate |

This Helm chart can use existing Kubernetes secrets to set up credentials or certificates, for example. These secrets should be created outside of this chart and accessed using environment variables and volumes.
An example can be found in examples/security.
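
A values file for the setup described here and in the usage notes, as an added example that is not the chart's own examples/security file: credentials are read from an existing Secret through daemonset.extraEnvs and the CA certificate is mounted with daemonset.secretMounts. The Secret names (my-es-credentials, my-es-ca), their keys, the endpoint es.example.internal and the mount path are assumptions.

```yaml
# values-secure.yaml -- added example, not from the chart repository.
# Assumption: both Secrets already exist in the release namespace and were
# created outside the chart, so no credential appears in this file.
daemonset:
  extraEnvs:
    - name: ELASTICSEARCH_HOSTS
      value: "es.example.internal:9200"      # hypothetical endpoint
    - name: ELASTICSEARCH_USER
      valueFrom:
        secretKeyRef:
          name: my-es-credentials            # hypothetical Secret
          key: username                      # assumed key name
    - name: ELASTICSEARCH_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-es-credentials
          key: password                      # assumed key name
  secretMounts:
    - name: es-ca
      secretName: my-es-ca                   # hypothetical Secret holding ca.crt
      path: /usr/share/filebeat/certs
  # This replaces the chart's default filebeat.yml: carry over any inputs and
  # processors from values.yaml that you still need.
  filebeatConfig:
    filebeat.yml: |
      filebeat.inputs:
        - type: container
          paths:
            - /var/log/containers/*.log
      output.elasticsearch:
        hosts: ["${ELASTICSEARCH_HOSTS}"]
        protocol: https
        username: "${ELASTICSEARCH_USER}"
        password: "${ELASTICSEARCH_PASSWORD}"
        # Verify the server certificate against the mounted CA.
        ssl.certificate_authorities:
          - /usr/share/filebeat/certs/ca.crt
```

Because the chart's readiness probe runs filebeat test output, a wrong Secret key or CA file shows up as pods that never become ready rather than as silently dropped events.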
Deploying OSS version of Filebeat can be done by setting image value to Filebeat OSS Docker image.
An example of Filebeat deployment using OSS version can be found in examples/oss.
The default Filebeat configuration is using Filebeat pod name for agent.hostname and host.name fields. The hostname of the Kubernetes nodes can be found in kubernetes.node.name field. If you would like to have agent.hostname and host.name fields set to the hostname of the nodes, you'll need to set hostNetworking value to true.

Note that enabling hostNetwork makes the Filebeat pod use the host network namespace, which gives it access to the host loopback device and services listening on localhost, and could be used to snoop on network activity of other pods on the same node.
The default http port for multiple beats agents may be on the same port, for example, Filebeat and Metricbeat both default to 5066. When hostNetworking is enabled this will cause collisions when standing up the http server. The workaround for this is to set http.port in the config file for one of the beats agents to use a different port.
Some Filebeat outputs like Kafka output don't support testing using the filebeat test output command, which is used by the Filebeat chart readiness probe. This makes Filebeat pods crash before being ready with the following message: Readiness probe failed: kafka output doesn't support testing.

The workaround when using this kind of output is to override the readiness probe command to check the Filebeat API instead (same as the existing liveness probe).

```yaml
# Probe the Filebeat HTTP API instead of running `filebeat test output`.
readinessProbe:
  exec:
    command:
      - sh
      - -c
      - |
        #!/usr/bin/env bash -e
        curl --fail 127.0.0.1:5066
```

Please check CONTRIBUTING.md before any contribution or for any questions about our development and testing process.