Simple Guide to set up Traefik 2.0 with Filebeat

Over the last week I took some time to set up Traefik with Filebeat to get the access logs into Kibana.
This guide is for people who have already set up Traefik and Elasticsearch with Kibana in Docker Compose and want to get more monitoring information visualized.

Filebeat

Filebeat is a tool developed by Elastic that ships logs into Elasticsearch.

The code below is from my Docker-Compose file. It shows my current configuration for Filebeat.
Filebeat is in the same network as Elasticsearch, Kibana and Traefik.

filebeat:
  image: docker.elastic.co/beats/filebeat:7.5.2
  container_name: filebeat
  restart: always
  user: root
  depends_on:
    - elasticsearch
    - kibana
  volumes:
    - /path/to/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
    - /var/lib/docker/containers:/var/lib/docker/containers:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
  networks:
    - elastic

To configure Filebeat we can use the filebeat.yml. Below is some code from my file.

filebeat.config:
  modules:
    path: /usr/share/filebeat/modules.d/*.yml
    reload.enabled: false

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

# Set up Kibana dashboards
setup.dashboards.enabled: true # Loads the bundled dashboards into Kibana at startup

output.elasticsearch:
  hosts: ["elasticsearch:9200"]
  username: "user" # if xpack security is enabled
  password: "password"
setup.kibana:
  host: "kibana:5601"
  username: "user" # if xpack security is enabled
  password: "password"

It is important that the file permissions are read/write for the owner and read-only for group and everyone else.
The file also needs to be owned by root. Filebeat checks both at startup and exits with an error otherwise.

sudo chmod go-w filebeat.yml # Remove write permission for group and others
sudo chown root:root filebeat.yml # Set owner and group to root

If you use X-Pack security to enable basic authentication, you need to set up a role for Filebeat. Further information can be found in the Filebeat feature-roles documentation listed under Resources/Links.

Traefik

The Traefik entry in the Docker-Compose file needs this label for the logs to be correctly parsed.

    labels:
      # Filebeat
      - "co.elastic.logs/module=traefik"

By default, Filebeat reads from the stdout/stderr of the container, so set up the access log to print all the fields you are interested in. These settings are from my traefik.yml. The documentation for them is the Traefik access-logs page listed under Resources/Links.

accessLog:
  fields:
    defaultMode: keep
    names:
      ClientUsername: keep
    headers:
      defaultMode: keep
      names:
        User-Agent: keep
        Authorization: keep
        Content-Type: keep
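
An added example, not part of the original post: with `headers.defaultMode: keep` and `Authorization: keep`, raw header values (Basic credentials, bearer tokens and, through the default mode, cookies) are written to the access log and shipped to Elasticsearch. The Python below audits log lines for those fields and redacts them; it assumes Traefik's JSON log format (`accessLog.format: json`) with `request_`-prefixed header fields, and the sample lines are constructed.

```python
import json

# Request headers that carry credentials. The "request_" prefix follows
# Traefik's JSON access-log naming (assumes accessLog.format: json).
SENSITIVE_FIELDS = ("request_Authorization", "request_Proxy-Authorization", "request_Cookie")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '{"ClientUsername":"alice","RequestPath":"/api","request_Authorization":"Basic Y29uc3RydWN0ZWQ6ZXhhbXBsZQ=="}',
    '{"ClientUsername":"-","RequestPath":"/app","request_Cookie":"session=constructed-value","request_User-Agent":"curl/7.68.0"}',
    '{"ClientUsername":"-","RequestPath":"/ok","request_Authorization":"REDACTED"}',
    'time="2020-02-01T10:00:00Z" level=info msg="Configuration loaded"',
]


def redact_value(field, value):
    """Keep the auth scheme for monitoring, never the secret itself."""
    parts = value.strip().split(" ", 1)
    if field.endswith("Authorization") and len(parts) == 2:
        return parts[0] + " [REDACTED]"
    return "[REDACTED]"


def audit_line(line):
    """Return (redacted_event, findings); non-JSON lines give (None, [])."""
    try:
        event = json.loads(line)
    except ValueError:
        return None, []  # CLF line or startup message
    if not isinstance(event, dict):
        return None, []
    findings = []
    for field in SENSITIVE_FIELDS:
        value = event.get(field)
        # "REDACTED" is what Traefik writes when the header mode is redact.
        if isinstance(value, str) and value and value != "REDACTED":
            findings.append(field)
            event[field] = redact_value(field, value)
    return event, findings


def audit(lines):
    """Count how many log lines exposed each sensitive field."""
    counts = {}
    for line in lines:
        for field in audit_line(line)[1]:
            counts[field] = counts.get(field, 0) + 1
    return counts
```

To stop the values at the source, Traefik's header modes also accept `redact` and `drop` in place of `keep` for individual header names.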

Dashboard

Filebeat ships with a default dashboard for Traefik, but some features were, at least for me, broken. The OS breakdown needed some changes to work.
I also wanted to see from which container the most files were accessed.

A download link for the visualizations can be found here. More information can be found in the readme.

If you have questions or comments, please post them below or send me an e-mail. I will answer as soon as possible.

Resources/Links

https://www.elastic.co/guide/en/beats/filebeat/current/feature-roles.html

https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html

https://docs.traefik.io/observability/access-logs/