Quickstart: Running Beats on Elastic Cloud on Kubernetes

ECK

Apply the following specification to deploy Filebeat and collect the logs of all containers running in the Kubernetes cluster. ECK automatically configures the secured connection to an Elasticsearch cluster named quickstart, created in Deploy an Elasticsearch cluster.

  cat <<EOF | kubectl apply -f - apiVersion: beat.k8s.elastic.co/v1beta1 kind: Beat metadata: name: quickstart spec: type: filebeat version: {{version.stack}} elasticsearchRef: name: quickstart config: filebeat.inputs: - type: container paths: - /var/log/containers/*.log daemonSet: podTemplate: spec: dnsPolicy: ClusterFirstWithHostNet hostNetwork: true securityContext: runAsUser: 0 containers: - name: filebeat volumeMounts: - name: varlogcontainers mountPath: /var/log/containers - name: varlogpods mountPath: /var/log/pods - name: varlibdockercontainers mountPath: /var/lib/docker/containers volumes: - name: varlogcontainers hostPath: path: /var/log/containers - name: varlogpods hostPath: path: /var/log/pods - name: varlibdockercontainers hostPath: path: /var/lib/docker/containers EOF  

Check Configuration Examples for more ready-to-use manifests.

Monitor Beats.

Retrieve details about the Filebeat.

 kubectl get beat

  NAME HEALTH AVAILABLE EXPECTED TYPE VERSION AGE quickstart green 3 3 filebeat 9.2.0 2m  

List all the Pods belonging to a given Beat.

 kubectl get pods --selector='beat.k8s.elastic.co/name=quickstart-beat-filebeat'

  NAME READY STATUS RESTARTS AGE quickstart-beat-filebeat-tkz65 1/1 Running 0 3m45s quickstart-beat-filebeat-kx5jt 1/1 Running 0 3m45s quickstart-beat-filebeat-nb6qh 1/1 Running 0 3m45s  

Access logs for one of the Pods.

 kubectl logs -f quickstart-beat-filebeat-tkz65

Access logs ingested by Filebeat.

You have two options:
- Follow the Elasticsearch deployment guide and run:
```
 curl -u "elastic:$PASSWORD" -k "https://localhost:9200/filebeat-*/_search" 
```
- Follow the Kibana deployment guide, log in and go to Kibana > Discover.