filebeat-docker-compose.yml

version: "3.8"

services:

  # How to Tune Elastic Beats Performance: A Practical Example with Batch Size, Worker Count, and More
  # https://www.elastic.co/blog/how-to-tune-elastic-beats-performance-a-practical-example-with-batch-size-worker-count-and-more?blade=tw&hulk=social
  filebeat:
    image: docker.elastic.co/beats/filebeat:${ELASTIC_VERSION:-7.9.1}
    # https://github.com/docker/swarmkit/issues/1951
    hostname: "{{.Node.Hostname}}-filebeat"
    # Need to override user so we can access the log files, and docker.sock
    user: root
    networks:
      - elastic
    configs:
      - source: fb_config
        target: /usr/share/filebeat/filebeat.yml
    volumes:
      - filebeat:/usr/share/filebeat/data
      - /var/run/docker.sock:/var/run/docker.sock
      # This is needed for filebeat to load container log path as specified in filebeat.yml
      - /var/lib/docker/containers/:/var/lib/docker/containers/:ro

      # # This is needed for filebeat to load jenkins build log path as specified in filebeat.yml
      # - /var/lib/docker/volumes/jenkins_home/_data/jobs/:/var/lib/docker/volumes/jenkins_home/_data/jobs/:ro

      # This is needed for filebeat to load logs for system and auth modules
      - /var/log/:/var/log/:ro
      # This is needed for filebeat to load logs for auditd module. you might have to install audit system
      # on ubuntu first (sudo apt-get install -y auditd audispd-plugins)
      - /var/log/audit/:/var/log/audit/:ro
    environment:
      - ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST:-node1}
      - KIBANA_HOST=${KIBANA_HOST:-node1}
      - ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME:-elastic}
      - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD:-changeme}
    # disable strict permission checks
    command: ["--strict.perms=false"]
    deploy:
      mode: global

networks:
  elastic:
    external: true
    name: host

volumes:
  filebeat:

configs:
  fb_config:
    file: $PWD/elk/beats/filebeat/config/filebeat.yml