File: //usr/share/filebeat/module/coredns/README.md
# Coredns Module
This is a filebeat module for coredns. It supports both standalone coredns deployment and
coredns deployment in Kubernetes.
## Download and install Filebeat
Grab the filebeat binary from elastic.co, and install it by following the instructions.
## Deployment Scenario #1: coredns native deployment
Make sure to update coredns configuration to enable log plugin. This module assumes that coredns log
entries will be written to /var/log/coredns.log. Should it be not the case, please point the module
log path to the path of the log file.
Update filebeat.yml to point to Elasticsearch and Kibana.
Setup Filebeat.
```
./filebeat setup --modules coredns -e
```
Enable the Filebeat coredns module
```
./filebeat modules enable coredns
```
Start Filebeat
```
./filebeat -e
```
Now, the Coredns logs and dashboard should appear in Kibana.
## Deployment Scenario #2: coredns for kubernetes
For Kubernetes deployment, the filebeat daemon-set yaml file needs to be deployed to the
Kubernetes cluster. Sample configuration files is provided under the `beats/deploy/filebeat`
directory, and can be deployed by doing the following:
```
kubectl apply -f filebeat
```
#### Note the following section in the ConfigMap, make changes to the yaml file if necessary
```
filebeat.autodiscover:
providers:
- type: kubernetes
hints.enabled: true
hints.default_config.enabled: false
processors:
- add_kubernetes_metadata: ~
```
This enables auto-discovery and hints for filebeat. When default.disable is set to true (default value is false), it will disable log harvesting for the pod/container, unless it has specific annotations enabled. This gives users more granular control on kubernetes log ingestion. The `add_kubernetes_metadata` processor will add enrichment data for Kubernetes to the ingest logs.
#### Note the following section in the DaemonSet, make changes to the yaml file if necessary
```
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: filebeat
namespace: kube-system
labels:
k8s-app: filebeat
spec:
selector:
matchLabels:
k8s-app: filebeat
template:
metadata:
labels:
k8s-app: filebeat
spec:
serviceAccountName: filebeat
terminationGracePeriodSeconds: 30
containers:
- name: filebeat
image: docker.elastic.co/beats/filebeat:%VERSION%
args: [
"sh", "-c", "filebeat setup -e --modules coredns -c /etc/filebeat.yml && filebeat -e -c /etc/filebeat.yml"
]
env:
# Edit the following values to reflect your setup accordingly
- name: ELASTICSEARCH_HOST
value: 192.168.99.1
- name: ELASTICSEARCH_USERNAME
value: elastic
- name: ELASTICSEARCH_PASSWORD
value: changeme
- name: KIBANA_HOST
value: 192.168.99.1
```
The module setup step can also be done separately without Kubernetes if applicable, and in that case, the args can be simplified to:
```
args: [
"sh", "-c", "filebeat -e -c /etc/filebeat.yml"
]
```
### Note that you probably need to update the coredns configmap to enable logging, and coredns deployment to add proper annotations.
##### Sample ConfigMap for coredns:
```
apiVersion: v1
data:
Corefile: |
.:53 {
log
errors
health
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods verified
endpoint_pod_names
upstream
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
proxy . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
kind: ConfigMap
metadata:
creationTimestamp: "2019-01-31T21:02:57Z"
name: coredns
namespace: kube-system
resourceVersion: "185717"
selfLink: /api/v1/namespaces/kube-system/configmaps/coredns
uid: 95a5d5cb-259b-11e9-8e5d-080027971f3c
```
#### Sample Deployment for coredns. Note the annotations.
```
apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
spec:
replicas: 2
selector:
matchLabels:
k8s-app: coredns
template:
metadata:
annotations:
"co.elastic.logs/module": "coredns"
"co.elastic.logs/fileset": "log"
"co.elastic.logs/disable": "false"
labels:
k8s-app: coredns
spec:
<snipped>
```