ELK-Filebeat

Run Filebeat on Docker

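# Pull the Filebeat image and start it as a detached container that ships host logs.
#
# Notes on the options used below:
#  - --user=root lets Filebeat read root-owned files under /var/log and
#    /var/lib/docker/containers.
#  - Every host path is mounted read-only (:ro); Filebeat only needs to read them.
#    /var/log is the host log directory that the file input in filebeat.yml reads.
#  - :ro on /var/run/docker.sock does not restrict Docker API calls made through the
#    socket, so this mount effectively hands the container control of the host's
#    Docker daemon. Keep it only if the config uses Docker metadata or autodiscover.
#  - -strict.perms=false disables Filebeat's ownership/permission check on
#    filebeat.yml. Safer: make the file owned by root and not writable by group or
#    others, then drop the flag.
#  - No comment may follow a trailing backslash: it ends the line continuation and
#    the image name on the last line is no longer part of the docker run command.
docker pull docker.elastic.co/beats/filebeat:7.9.1
docker run -d \
    --name=filebeat \
    --user=root \
    --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
    --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
    --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
    --volume="/var/log:/var/log:ro" \
    docker.elastic.co/beats/filebeat:7.9.1 filebeat -e -strict.perms=false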

Filebeat Config

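# file input
# One log input that tails /var/log/test.log (inside the container this is the
# host's /var/log bind mount) and drops every line that starts with "nohup".
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/test.log
    exclude_lines: ['^nohup']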

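# modules
# Load module definitions from modules.d under the config directory.
# reload.enabled: false means changes to those files are picked up only on restart.
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false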

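# Filebeat allows only one output to be defined at a time. Both variants are shown;
# keep one active and leave the other commented out.

# logstash output (alternative)
#output.logstash:
#  hosts: ["localhost:5044"]

# elasticsearch output
output.elasticsearch:
  # When Elasticsearch runs in its own Docker container, use the host IP here instead
  # of localhost: Filebeat and Elasticsearch are not in the same container.
  # A host given without a scheme is contacted over plain HTTP, so the credentials
  # below cross the network unencrypted; use an https:// URL once TLS is enabled.
  hosts: ["localhost:9200"]
  # Placeholder credentials. Do not keep a real password in this file: store it in
  # the Filebeat keystore (`filebeat keystore add ES_PWD`) and reference it here as
  # "${ES_PWD}". Prefer a dedicated account limited to publishing events over a
  # superuser.
  username: 'username'
  password: 'password'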