From 5da1badcf9e835047d07d7c34eb0e38583867cc5 Mon Sep 17 00:00:00 2001
From: Antoine Cotten
Date: Wed, 14 Feb 2024 20:46:37 +0100
Subject: [PATCH] feat(ext/filebeat): ingest ES logs via elasticsearch module
Ensures that Elasticsearch log entries are processed through dedicated ingestion pipelines, so that their fields can be automatically extracted.
---
 extensions/filebeat/config/filebeat.yml | 11 +++++++++++
 setup/roles/filebeat_writer.json | 1 +
 2 files changed, 12 insertions(+)
diff --git a/extensions/filebeat/config/filebeat.yml b/extensions/filebeat/config/filebeat.yml
index 1e9d0d9..119d5d5 100644
--- a/extensions/filebeat/config/filebeat.yml
+++ b/extensions/filebeat/config/filebeat.yml
@@ -19,6 +19,17 @@ filebeat.autodiscover:
 type: container
 paths:
 - /var/lib/docker/containers/${data.container.id}/*-json.log
+ templates:
+ - condition:
+ contains:
+ docker.container.image: elasticsearch
+ config:
+ - module: elasticsearch
+ server:
+ input:
+ type: container
+ paths:
+ - /var/lib/docker/containers/${data.container.id}/*-json.log
 processors:
 - add_cloud_metadata: ~
diff --git a/setup/roles/filebeat_writer.json b/setup/roles/filebeat_writer.json
index 118614b..b24b873 100644
--- a/setup/roles/filebeat_writer.json
+++ b/setup/roles/filebeat_writer.json
@@ -2,6 +2,7 @@
 "cluster": [
 "manage_ilm",
 "manage_index_templates",
+ "manage_ingest_pipelines",
 "monitor",
 "read_pipeline"
 ],
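Review bot: The `contains` condition on `docker.container.image: elasticsearch` is a substring match, so any container whose image name merely includes that string would have its logs routed through the elasticsearch module's `server` fileset, and nothing next to the template documents this. Logs parsed by the wrong pipeline tend to end up with parse errors or misleading fields, which matters if these indices feed detection or forensics. I would add a comment above the condition such as `# Substring match: applies to every image whose name contains "elasticsearch"; tighten (e.g. match a container label) if other such images run on this host.` The enclosing `filebeat.autodiscover` provider definition starts above the hunk, so the hunk's YAML nesting is not fully visible here.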
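Review bot: `manage_ingest_pipelines` in the `cluster` list lets the account holding `filebeat_writer` create, change and delete every ingest pipeline in the cluster, not only the ones the elasticsearch module installs. That credential sits with a long-running log shipper, so its compromise would allow rewriting or dropping fields of other data sources' events at ingest time. If the setup flow allows it (not visible in this hunk), load the module pipelines once with a separate setup account, e.g. `filebeat setup --pipelines --modules elasticsearch`, and keep only `"read_pipeline"` here. Since JSON cannot hold a comment, the reason for the broader privilege belongs in the commit message or the role's documentation if it stays.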