BestHub
Sign in
Cloud Native 7 min read

Deploy Filebeat with Helm on Kubernetes: Automated Log Collection to Kafka

This step‑by‑step guide shows how to use a Helm chart to deploy Filebeat in a Kubernetes cluster, automatically collect container logs, and forward them to a Kafka cluster for reliable, scalable observability.

Linux Ops Smart Journey
Linux Ops Smart Journey
Linux Ops Smart Journey
Deploy Filebeat with Helm on Kubernetes: Automated Log Collection to Kafka

In cloud‑native environments, log collection is essential for observability. This guide walks through deploying Filebeat via a Helm chart to automatically collect container logs from a Kubernetes cluster and forward them to a Kafka cluster.

1. Environment Preparation

Kubernetes cluster (v1.18+)

Helm package manager (v3.0+)

Kafka cluster (as log sink)

Private image registry (for custom images)

2. Chart Management

2.1 Get the official Chart

<code>$ helm repo add elastic https://helm.elastic.co --force-update
"elastic" has been added to your repositories

$ helm pull elastic/filebeat --version 7.17.3</code>

2.2 Push to private registry

<code>$ helm push filebeat-7.17.3.tgz oci://core.jiaxzeng.com/plugins
Pushed: core.jiaxzeng.com/plugins/filebeat:7.17.3
Digest: sha256:76778389d4c793b414d392e9283851b7356feec9619dd37f0b7272c8ce42bf01</code>

2.3 Load Chart locally

<code>$ sudo helm pull oci://core.jiaxzeng.com/plugins/filebeat --version 7.17.3 --untar --untardir /etc/kubernetes/addons/
Pulled: core.jiaxzeng.com/plugins/filebeat:7.17.3
Digest: sha256:76778389d4c793b414d392e9283851b7356feec9619dd37f0b7272c8ce42bf01</code>

3. Core Configuration

3.1 DaemonSet configuration

<code>daemonset:
  enabled: true
  resources:
    requests:
      cpu: "100m"
      memory: "100Mi"
    limits:
      cpu: "1000m"
      memory: "200Mi"
</code>
DaemonSet must be used to ensure an instance runs on every node.

3.2 Log collection configuration

<code>filebeat.inputs:
- type: container
  paths:
    - /var/log/containers/*.log
  fields:
    type: k8s_logs
  processors:
    - add_kubernetes_metadata:
        host: ${NODE_NAME}
        matchers:
          - logs_path: "/var/log/containers/"
- type: log
  enabled: true
  fields:
    type: messages
  paths:
    - /var/log/messages
</code>
Path explanations: /var/log/containers/*.log – container stdout logs generated by Kubelet /var/log/messages – system logs (ensure the path exists on nodes)

3.3 Kafka output configuration

<code>output.kafka:
  hosts: ["172.139.20.17:9092","172.139.20.81:9092","172.139.20.177:9092"]
  topics:
    - topic: 'k8s_logs'
      when.equals:
        fields.type: k8s_logs
    - topic: 'messages'
      when.equals:
        fields.type: messages
  partition.round_robin: {}
  reachable_only: true
  required_acks: 1
  compression: gzip
  max_message_bytes: 1000000
</code>

3.4 Full values file (excerpt)

<code>fullnameOverride: "filebeat"
image: "core.jiaxzeng.com/library/filebeat"
hostPathRoot: /var/lib
tolerations:
  - effect: NoSchedule
    operator: Exists
daemonset:
  enabled: true
  resources:
    requests:
      cpu: "100m"
      memory: "100Mi"
    limits:
      cpu: "1000m"
      memory: "200Mi"
filebeatConfig:
  filebeat.yml: |
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      fields:
        type: k8s_logs
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
              - logs_path: "/var/log/containers/"
    - type: log
      enabled: true
      fields:
        type: messages
      paths:
        - /var/log/messages
output.kafka:
  hosts: ["172.139.20.17:9092","172.139.20.81:9092","172.139.20.177:9092"]
  topics:
    - topic: 'k8s_logs'
      when.equals:
        fields.type: k8s_logs
    - topic: 'messages'
      when.equals:
        fields.type: messages
  partition.round_robin: {}
  reachable_only: true
  required_acks: 1
  compression: gzip
  max_message_bytes: 1000000
</code>

4. Deployment

4.1 Install command

<code>$ helm -n obs-system install filebeat -f /etc/kubernetes/addons/filebeat-values.yaml /etc/kubernetes/addons/filebeat</code>

4.2 Verify DaemonSet pods

<code>$ kubectl -n obs-system get pods -l app=filebeat -o wide
NAME          READY STATUS  RESTARTS AGE IP            NODE
filebeat-...  1/1   Running 1 (69m ago) 8h 10.244...   k8s-node04
...</code>

5. Data Validation

5.1 Check Kafka consumer offsets

<code>$ ./kafka-get-offsets.sh --bootstrap-server 172.139.20.17:9092 --topic k8s_logs
k8s_logs:0:296025
k8s_logs:1:297971
k8s_logs:2:297818
k8s_logs:3:296924
k8s_logs:4:296992
k8s_logs:5:297129
</code>

6. Conclusion

Mastering Helm‑based Filebeat deployment empowers efficient log handling in containerized environments, enabling reliable data pipelines to Kafka.

cloud-nativeObservabilitykubernetesKafkalog collectionHelmFilebeat
Linux Ops Smart Journey
Written by

Linux Ops Smart Journey

The operations journey never stops—pursuing excellence endlessly.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment