Journalbeat reports Docker CONTAINER_TAG as container.image.tag

[SpComb]

Version: 6.5.4
Operating system: Amazon Linux 2
Discuss Forum URL: https://discuss.elastic.co/t/incorrect-journalbeat-container-output-fields-for-docker-journald-messages/166017

Journalbeat translates the CONTAINER_TAG field generated by the Docker journald log driver to container.image.tag: https://github.com/elastic/beats/blob/v6.5.4/journalbeat/reader/fields.go#L86

This is not consistent with the semantics for container.image.tag in ECS: https://github.com/elastic/ecs#container

Container image tag.

The CONTAINER_TAG field generated by the Docker journald log driver can be customized using --log-opt tag=..., and it defaults to the short container ID: https://docs.docker.com/config/containers/logging/journald/#options https://docs.docker.com/config/containers/logging/log_tags/

It would be possible to configure Docker with --log-opt 'tag={{.ImageName}}', but this would generate a CONTAINER_TAG field with the full REPOSITORY/IMAGE:TAG field, not just the tag part.

I don't know what the correct translated field would be, ECS does not include any appropriate field for the user-defined CONTAINER_TAG. However, the CONTAINER_TAG field is very useful for applying the correct logstash grok rules to the correct container outputs, because the container.name can vary on different hosts or similar containers.

[SpComb]

Current workaround is to simply use the container.image.tag field in logstash. However, if something were to overwrite the container.image.tag field with the actual container image tag, then the original CONTAINER_TAG field would become completely inaccessible.

I have not yet tested the add_docker_metadata processor, but it looks like the add_docker_metadata currently only writes container.image.name, but not container.image.tag:

beats/libbeat/processors/add_docker_metadata/add_docker_metadata.go

Lines 185 to 188 in f43683f

	meta.Put("container.id", container.ID)
	meta.Put("container.image.name", container.Image)
	meta.Put("container.name", container.Name)
	event.Fields.DeepUpdate(meta.Clone())

(looks like the container.image.name ends up being the sha256:... hash of the Container image?)

[ruflin]

@webmat This is worthing having a look for ECS.

[webmat]

Perhaps Journalbeat could add the user-defined tags to the top level tags field?

I'm actually a bit fuzzy on which one will contain what. I need to see the data to fully grasp.

Note for @ruflin tags vs tag inconsistency 😢

[kvch]

What about merely naming this field container.tag? The tags configured by users belong to that running container instance. So adding it to the namespace container is justified.
The other conatiner.image.tag is the tag of the image. Thus, there will not be any naming collisions.

[SpComb]

👍 for container.log.tag - the --log-opt tag=... is specific to logging, and the usecase is to identify the log events themselves, not the container.

[kvch]

Thank you for the verification!

[webmat]

I'm fuzzy on what's being suggested overall. Are we talking about adding both container.log.tag and container.tag? Or are we trying to decide between the two? :-)