From d6f7432ca900db7f4d780d3507242eccd31b86b5 Mon Sep 17 00:00:00 2001 
From: Lee Hinman <57081003+leehinman@users.noreply.github.com> Date: Mon, 18 May 2020 15:43:13 -0500 Subject: [PATCH] [Filebeat] Improve ECS categorization mappings in envoyproxy module. (#18395) (#18577) * Improve ECS categorization mappings in envoyproxy module. - convert pipeline to yaml - explicitly set ECS version - event.category - event.kind - event.outcome - event.type - network.protocol - network.transport - related.ip Closes #16161 (cherry picked from commit 7c3e38d1584531f9798e852b0c7c1559f03c35f4) --- CHANGELOG.next.asciidoc | 1 + .../envoyproxy/log/config/envoyproxy.yml | 4 + .../envoyproxy/log/ingest/pipeline-entry.json | 47 ------- .../envoyproxy/log/ingest/pipeline-entry.yml | 47 +++++++ .../envoyproxy/log/ingest/pipeline-http.json | 94 -------------- .../envoyproxy/log/ingest/pipeline-http.yml | 61 +++++++++ .../envoyproxy/log/ingest/pipeline-json.json | 47 ------- .../envoyproxy/log/ingest/pipeline-json.yml | 26 ++++ .../log/ingest/pipeline-plaintext.json | 117 ------------------ .../log/ingest/pipeline-plaintext.yml | 91 ++++++++++++++ .../envoyproxy/log/ingest/pipeline-tcp.json | 46 ------- .../envoyproxy/log/ingest/pipeline-tcp.yml | 35 ++++++ .../module/envoyproxy/log/manifest.yml | 10 +- .../log/test/envoy-json.log-expected.json | 30 +++++ .../log/test/envoy.log-expected.json | 60 +++++++++ 15 files changed, 360 insertions(+), 356 deletions(-) delete mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.json create mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml delete mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.json create mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.yml delete mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.json create mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.yml delete mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-plaintext.json create mode 100644 
x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-plaintext.yml delete mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-tcp.json create mode 100644 x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-tcp.yml diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index bc82f8b7efd..0049c08dbd3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -411,6 +411,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add dashboard for Google Cloud Audit and AWS CloudTrail. {pull}17379[17379] - The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095] - Improve ECS categorization field mappings in coredns module. {issue}16159[16159] {pull}18424[18424] +- Improve ECS categorization field mappings in envoyproxy module. {issue}16161[16161] {pull}18395[18395] *Heartbeat* diff --git a/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml b/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml index c085c9e3aab..b2f0ebe4519 100644 --- a/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml +++ b/x-pack/filebeat/module/envoyproxy/log/config/envoyproxy.yml @@ -5,3 +5,7 @@ paths: {{ end }} tags: {{.tags}} processors: + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.json b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.json deleted file mode 100644 index 724fcaeba08..00000000000 --- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "description": "Pipeline for normalizing envoyproxy logs", - "processors": [ - { - "pipeline": { - "if": "ctx.message.charAt(0) != (char)(\"{\")", - "name": "{< IngestPipeline "pipeline-plaintext" >}" - } - }, - { - "pipeline": { - "if": "ctx.message.charAt(0) == (char)(\"{\")", - "name": "{< IngestPipeline "pipeline-json" >}" - } - }, - { - "pipeline": { - "name": "{< IngestPipeline "pipeline-geo-as" >}" - } - }, - { - "set": { - "field": "event.created", - "value": "{{@timestamp}}" - } - }, - { - "set": { - "field": "@timestamp", - "value": "{{timestamp}}", - "if": "ctx.timestamp != null" - } - }, - { - "remove": { - "field": ["timestamp"], - "ignore_failure": true - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "pipeline-entry: {{ _ingest.on_failure_message }}" - } - }] -} diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml new file mode 100644 index 00000000000..184c36d2c4f --- /dev/null +++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml 
@@ -0,0 +1,47 @@
+description: Pipeline for normalizing envoyproxy logs
+processors:
+- pipeline:
+ if: ctx.message.charAt(0) != (char)("{")
+ name: '{< IngestPipeline "pipeline-plaintext" >}'
+- pipeline:
+ if: ctx.message.charAt(0) == (char)("{")
+ name: '{< IngestPipeline "pipeline-json" >}'
+- pipeline:
+ name: '{< IngestPipeline "pipeline-geo-as" >}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+- set:
+ field: event.kind
+ value: event
+- append:
+ field: event.category
+ value: network
+- append:
+ field: event.outcome
+ value: failure
+ if: "ctx?.envoyproxy?.response_flags != null"
+- append:
+ field: event.outcome
+ value: success
+ if: "ctx?.envoyproxy?.response_flags == null"
+- set:
+ field: '@timestamp'
+ value: '{{timestamp}}'
+ if: ctx.timestamp != null
+- remove:
+ field:
+ - timestamp
+ ignore_failure: true
+on_failure:
+- set:
+ field: error.message
+ value: 'pipeline-entry: {{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.json b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.json
deleted file mode 100644
index e38875cfeca..00000000000
--- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.json
+++ /dev/null
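Review bot: `event.outcome` is written with `append` in both branches, so it becomes an array (`["success"]` / `["failure"]` in the updated expected fixtures) even though ECS defines event.outcome as a single keyword taking success/failure/unknown; `- set: field: event.outcome value: failure` (and `value: success`) under the same `if` conditions would produce the scalar. The success/failure decision keys solely on the presence of `envoyproxy.response_flags`, so the 501 response with flags `-` in envoy-json.log-expected.json is labelled success — defensible from the proxy's point of view, but worth a comment on the processor such as `# outcome reflects whether Envoy could proxy the request, not the upstream status code`. The new `related.ip` appends copy `source.ip`, which pipeline-plaintext.yml fills from the dissected `source.address` column with no check that it is an IP literal; if that column holds a client-supplied forwarded-for value (Envoy's default format places X-Forwarded-For there — confirm against the deployed log format), a non-IP or comma-joined string reaches the `ip`-mapped related.ip field and the document fails at index time instead of being tagged. Validating the value first (for example a `grok` match with `%{IP:source.ip}` against `source.address`, leaving `source.address` itself as the raw string) would keep that failure visible and non-fatal.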
@@ -1,94 +0,0 @@ -{ - "description": "Pipeline for normalizing envoy HTTP ACCESS logs", - "processors": [ - { - "script": { - "lang": "painless", - "source": "ctx['http'] = new HashMap(); def p = ctx.proto.indexOf ('/'); def l = ctx.proto.length(); ctx.http.version = ctx.proto.substring(p+1, l);", - "ignore_failure" : true - } - }, - { - "rename": { - "field": "method", - "target_field": "http.request.method" - } - }, - { - "rename": { - "field": "path", - "target_field": "url.path" - } - }, - { - "convert" : { - "field" : "response_code", - "type": "long" - } - }, - { - "rename": { - "field": "response_code", - "target_field": "http.response.status_code" - } - }, - { - "rename": { - "field": "bytes_received", - "target_field": "http.response.body.bytes" - } - }, - { - "convert" : { - "field" : "http.response.body.bytes", - "type": "long" - } - }, - { - "rename": { - "field": "bytes_sent", - "target_field": "http.request.body.bytes" - } - }, - { - "convert" : { - "field" : "http.request.body.bytes", - "type": "long" - } - }, - { - "script": { - "lang": "painless", - "source": "ctx.envoyproxy.upstream_service_time = Math.round(Double.parseDouble(ctx.upstream_service_time) * params.scale)", - "params": { - "scale": 1000000 - }, - "if": "ctx.upstream_service_time != null && ctx.upstream_service_time != '-'" - } - }, - { - "set": { - "field": "envoyproxy.proxy_type", - "value": "http" - } - }, - { - "set": { - "field": "url.domain", - "value": "{{envoyproxy.authority}}" - } - }, - { - "user_agent": { - "field": "user_agent.original", - "ignore_missing": true - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "pipeline-http: {{ _ingest.on_failure_message }}" - } - }] -} \ No newline at end of file diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.yml b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.yml new file mode 100644 index 00000000000..3cf26ddee0f --- /dev/null 
+++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-http.yml
@@ -0,0 +1,61 @@
+description: Pipeline for normalizing envoy HTTP ACCESS logs
+processors:
+- script:
+ lang: painless
+ source: >-
+ ctx['http'] = new HashMap();
+ def p = ctx.proto.indexOf ('/');
+ def l = ctx.proto.length();
+ ctx.http.version = ctx.proto.substring(p+1, l);
+ ignore_failure: true
+- rename:
+ field: method
+ target_field: http.request.method
+- rename:
+ field: path
+ target_field: url.path
+- convert:
+ field: response_code
+ type: long
+- rename:
+ field: response_code
+ target_field: http.response.status_code
+- rename:
+ field: bytes_received
+ target_field: http.response.body.bytes
+- convert:
+ field: http.response.body.bytes
+ type: long
+- rename:
+ field: bytes_sent
+ target_field: http.request.body.bytes
+- convert:
+ field: http.request.body.bytes
+ type: long
+- script:
+ lang: painless
+ source: ctx.envoyproxy.upstream_service_time = Math.round(Double.parseDouble(ctx.upstream_service_time) * params.scale)
+ params:
+ scale: 1000000
+ if: ctx.upstream_service_time != null && ctx.upstream_service_time != '-'
+- set:
+ field: envoyproxy.proxy_type
+ value: http
+- set:
+ field: url.domain
+ value: '{{envoyproxy.authority}}'
+- user_agent:
+ field: user_agent.original
+ ignore_missing: true
+- append:
+ field: event.type
+ value:
+ - connection
+ - protocol
+- set:
+ field: network.protocol
+ value: http
+on_failure:
+- set:
+ field: error.message
+ value: 'pipeline-http: {{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.json b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.json
deleted file mode 100644
index ce2244c8b06..00000000000
--- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.json
+++ /dev/null
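Review bot: The HTTP branch sets `network.protocol: http` but leaves `network.transport` unset, while pipeline-tcp.yml sets `network.transport: tcp`; HTTP access logs are TCP sessions too, so `- set: field: network.transport value: tcp` next to the network.protocol processor keeps both branches answerable by the same network.transport query. A one-line comment on the `event.type` append, e.g. `# ECS event.type for category network: connection plus protocol because application-layer fields are present`, would document why this branch carries `protocol` and the TCP branch does not.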
@@ -1,47 +0,0 @@
-{
- "description": "Pipeline for normalizing envoyproxy access logs",
- "processors": [
- {
- "json" : {
- "field" : "message",
- "target_field" : "json"
- }
- },
- {
- "remove": {
- "field": ["message"],
- "ignore_failure" : true
- }
- },
- {
- "rename": {
- "field": "json.message",
- "target_field": "message",
- "ignore_failure" : true
- }
- },
- {
- "rename": {
- "field": "json.kubernetes",
- "target_field": "kubernetes",
- "ignore_failure" : true
- }
- },
- {
- "remove": {
- "field": ["json"]
- }
- },
- {
- "pipeline": {
- "name": "{< IngestPipeline "pipeline-plaintext" >}"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "pipeline-json: {{ _ingest.on_failure_message }}"
- }
- }]
-}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.yml b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.yml
new file mode 100644
index 00000000000..49b99515c2f
--- /dev/null
+++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-json.yml
@@ -0,0 +1,26 @@
+description: Pipeline for normalizing envoyproxy access logs
+processors:
+- json:
+ field: message
+ target_field: json
+- remove:
+ field:
+ - message
+ ignore_failure: true
+- rename:
+ field: json.message
+ target_field: message
+ ignore_failure: true
+- rename:
+ field: json.kubernetes
+ target_field: kubernetes
+ ignore_failure: true
+- remove:
+ field:
+ - json
+- pipeline:
+ name: '{< IngestPipeline "pipeline-plaintext" >}'
+on_failure:
+- set:
+ field: error.message
+ value: 'pipeline-json: {{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-plaintext.json b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-plaintext.json
deleted file mode 100644
index e66e7d1104a..00000000000
--- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-plaintext.json
+++ /dev/null
@@ -1,117 +0,0 @@ -{ - "description": "Pipeline for normalizing envoy access logs", - "processors": [ - { - "script": { - "lang": "painless", - "source": "if (ctx.message.charAt(0) == (char)(\"[\")) { ctx.temp_message = \"ACCESS \" + ctx.message;} else if (ctx.message.substring(0, 7) == \"ACCESS \") { ctx.temp_message = ctx.message;} else { throw new Exception(\"Not a valid envoyproxy access log\");}" - } - }, - { - "dissect": { - "field": "temp_message", - "pattern": "%{envoyproxy.log_type} [%{timestamp}] \"%{method} %{path} %{proto}\" %{response_code} %{envoyproxy.response_flags} %{bytes_received} %{bytes_sent} %{duration} %{upstream_service_time} \"%{source.address}\" \"%{user_agent.original}\" \"%{envoyproxy.request_id}\" \"%{envoyproxy.authority}\" \"%{dest}\"", - "on_failure" : [{ - "script": { - "lang": "painless", - "source": "ctx.remove('temp_message'); throw new Exception(\"Dissect error: Not a valid envoyproxy access log\");" - } - }] - } - }, - { - "script": { - "lang": "painless", - "source": "if (ctx.dest == \"-\") { ctx.remove('dest');} else { ctx['destination'] = new HashMap(); def p = ctx.dest.indexOf (':'); def l = ctx.dest.length(); ctx.destination.address = ctx.dest.substring(0, p); ctx.destination.port = ctx.dest.substring(p+1, l);} ctx.remove('dest');", - "if": "ctx.dest != null" - } - }, - { - "convert" : { - "field" : "destination.port", - "type": "integer", - "if": "ctx.destination?.port != null" - } - }, - { - "convert" : { - "field" : "duration", - "type": "double", - "if": "ctx.duration != null" - } - }, - { - "script": { - "lang": "painless", - "source": "ctx.event.duration = Math.round(ctx.duration * params.scale)", - "params": { - "scale": 1000000 - }, - "if": "ctx.duration != null" - } - }, - { - "remove": { - "field": ["json", "duration", "time", "temp_message"], - "ignore_missing": true - } - }, - { - "pipeline": { - "if": "ctx.proto.charAt(0) != (char)(\"-\")", - "name": "{< IngestPipeline "pipeline-http" >}" - } - }, - { - 
"pipeline": { - "if": "ctx.proto.charAt(0) == (char)(\"-\")", - "name": "{< IngestPipeline "pipeline-tcp" >}" - } - }, - { - "remove": { - "field": ["proto", "upstream_service_time"], - "ignore_failure": true - } - }, - { - "remove": { - "field": "source.address", - "if": "ctx.source.address == '-'" - } - }, - { - "remove": { - "field": "envoyproxy.response_flags", - "if": "ctx.envoyproxy.response_flags == '-'" - } - }, - { - "split": { - "field": "envoyproxy.response_flags", - "separator": "," , - "if": "ctx.envoyproxy.response_flags != null" - } - }, - { - "set" : { - "field" : "destination.ip", - "value" : "{{destination.address}}", - "if": "ctx.destination?.address != null" - } - }, - { - "set" : { - "field" : "source.ip", - "value" : "{{source.address}}", - "if": "ctx.source?.address != null" - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "pipeline-plaintext: {{ _ingest.on_failure_message }}" - } - }] -} diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-plaintext.yml b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-plaintext.yml new file mode 100644 index 00000000000..21673d93df6 --- /dev/null +++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-plaintext.yml 
@@ -0,0 +1,91 @@ +description: Pipeline for normalizing envoy access logs +processors: +- script: + lang: painless + source: >- + if (ctx.message.charAt(0) == (char)("[")) { + ctx.temp_message = "ACCESS " + ctx.message; + } else if (ctx.message.substring(0, 7) == "ACCESS ") { + ctx.temp_message = ctx.message; + } else { + throw new Exception("Not a valid envoyproxy access log"); + } +- dissect: + field: temp_message + pattern: '%{envoyproxy.log_type} [%{timestamp}] "%{method} %{path} %{proto}" %{response_code} + %{envoyproxy.response_flags} %{bytes_received} %{bytes_sent} %{duration} %{upstream_service_time} + "%{source.address}" "%{user_agent.original}" "%{envoyproxy.request_id}" "%{envoyproxy.authority}" + "%{dest}"' + on_failure: + - script: + lang: painless + source: 'ctx.remove(''temp_message''); throw new Exception("Dissect error: + Not a valid envoyproxy access log");' +- script: + lang: painless + source: >- + if (ctx.dest == "-") { + ctx.remove('dest'); + } else { + ctx['destination'] = new HashMap(); + def p = ctx.dest.indexOf (':'); + def l = ctx.dest.length(); + ctx.destination.address = ctx.dest.substring(0, p); + ctx.destination.port = ctx.dest.substring(p+1, l); + } + ctx.remove('dest'); + if: ctx.dest != null +- convert: + field: destination.port + type: integer + if: ctx.destination?.port != null +- convert: + field: duration + type: double + if: ctx.duration != null +- script: + lang: painless + source: ctx.event.duration = Math.round(ctx.duration * params.scale) + params: + scale: 1000000 + if: ctx.duration != null +- remove: + field: + - json + - duration + - time + - temp_message + ignore_missing: true +- pipeline: + if: ctx.proto.charAt(0) != (char)("-") + name: '{< IngestPipeline "pipeline-http" >}' +- pipeline: + if: ctx.proto.charAt(0) == (char)("-") + name: '{< IngestPipeline "pipeline-tcp" >}' +- remove: + field: + - proto + - upstream_service_time + ignore_failure: true +- remove: + field: source.address + if: ctx.source.address == '-' 
+- remove:
+ field: envoyproxy.response_flags
+ if: ctx.envoyproxy.response_flags == '-'
+- split:
+ field: envoyproxy.response_flags
+ separator: ','
+ if: ctx.envoyproxy.response_flags != null
+- set:
+ field: destination.ip
+ value: '{{destination.address}}'
+ if: ctx.destination?.address != null
+- set:
+ field: source.ip
+ value: '{{source.address}}'
+ if: ctx.source?.address != null
+on_failure:
+- set:
+ field: error.message
+ value: 'pipeline-plaintext: {{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-tcp.json b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-tcp.json
deleted file mode 100644
index 8a84954dc23..00000000000
--- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-tcp.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "description": "Pipeline for normalizing envoy TCP ACCESS logs",
- "processors": [
- {
- "remove": {
- "field": ["upstream_service_time", "method", "user_agent", "path", "response_code"]
- }
- },
- {
- "rename": {
- "field": "bytes_received",
- "target_field": "destination.bytes"
- }
- },
- {
- "convert" : {
- "field" : "destination.bytes",
- "type": "long"
- }
- },
- {
- "rename": {
- "field": "bytes_sent",
- "target_field": "source.bytes"
- }
- },
- {
- "convert" : {
- "field" : "source.bytes",
- "type": "long"
- }
- },
- {
- "set": {
- "field": "envoyproxy.proxy_type",
- "value": "tcp"
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "pipeline-tcp: {{ _ingest.on_failure_message }}"
- }
- }]
-}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-tcp.yml b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-tcp.yml
new file mode 100644
index 00000000000..38c8b8fedc9
--- /dev/null
+++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-tcp.yml
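Review bot: The `dest` script earlier in this hunk splits host and port with `indexOf(':')`, so a bracketed IPv6 upstream such as `[::1]:80` would leave `[` in `destination.address` and `:1]:80` in `destination.port`, and the following `convert` to integer then fails the whole document; `def p = ctx.dest.lastIndexOf(':');` plus stripping the surrounding brackets before `destination.address` is assigned would cover both forms, to be confirmed against whether IPv6 upstream hosts can occur in these logs. The multi-line single-quoted `pattern` and on_failure `source` rely on YAML folding joining the pieces with one space, which matches the original JSON strings; a comment above `pattern:` such as `# folded single-quoted scalar: each line break becomes one space, so only break at an existing space` would keep a later edit from splitting a `%{...}` token.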
@@ -0,0 +1,35 @@
+description: Pipeline for normalizing envoy TCP ACCESS logs
+processors:
+- remove:
+ field:
+ - upstream_service_time
+ - method
+ - user_agent
+ - path
+ - response_code
+- rename:
+ field: bytes_received
+ target_field: destination.bytes
+- convert:
+ field: destination.bytes
+ type: long
+- rename:
+ field: bytes_sent
+ target_field: source.bytes
+- convert:
+ field: source.bytes
+ type: long
+- set:
+ field: envoyproxy.proxy_type
+ value: tcp
+- append:
+ field: event.type
+ value:
+ - connection
+- set:
+ field: network.transport
+ value: tcp
+on_failure:
+- set:
+ field: error.message
+ value: 'pipeline-tcp: {{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/envoyproxy/log/manifest.yml b/x-pack/filebeat/module/envoyproxy/log/manifest.yml
index 3ad24871b55..a5e6b2728e8 100644
--- a/x-pack/filebeat/module/envoyproxy/log/manifest.yml
+++ b/x-pack/filebeat/module/envoyproxy/log/manifest.yml
@@ -9,10 +9,10 @@ var: default: [envoyproxy] ingest_pipeline: - - ingest/pipeline-entry.json - - ingest/pipeline-json.json - - ingest/pipeline-plaintext.json - - ingest/pipeline-http.json - - ingest/pipeline-tcp.json + - ingest/pipeline-entry.yml + - ingest/pipeline-json.yml + - ingest/pipeline-plaintext.yml + - ingest/pipeline-http.yml + - ingest/pipeline-tcp.yml - ingest/pipeline-geo-as.yml input: config/envoyproxy.yml
diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json
index 1d0193b2cba..e6ca9516ad0 100644
--- a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json
+++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json
@@ -18,9 +18,20 @@ "envoyproxy.proxy_type": "http", "envoyproxy.request_id": "413bf460-bd56-4515-ada4-2a69c5e78e54", "envoyproxy.upstream_service_time": 179000000, + "event.category": [ + "network" + ], "event.dataset": "envoyproxy.log", "event.duration": 180000000, + "event.kind": "event", "event.module": "envoyproxy", + "event.outcome": [ + "success" + ], + "event.type": [ + "connection", + "protocol" + ], "fileset.name": "log", "http.request.body.bytes": 0, "http.request.method": "GET", @@ -36,6 +47,11 @@ "kubernetes.pod.uid": "e57d545e-2a9d-11e9-995f-08002730e0dc", "log.offset": 0, "message": "ACCESS [2019-04-10T03:49:34.451Z] \"GET /httpbin/status/501 HTTP/1.1\" 501 - 0 0 180 179 \"172.17.0.3\" \"curl/7.59.0\" \"413bf460-bd56-4515-ada4-2a69c5e78e54\" \"httpbin.org\" \"52.71.234.219:80\"", + "network.protocol": "http", + "related.ip": [ + "172.17.0.3", + "52.71.234.219" + ], "service.type": "envoyproxy", "source.address": "172.17.0.3", "source.ip": "172.17.0.3", @@ -63,9 +79,19 @@ "UF", "URX" ], + "event.category": [ + "network" + ], "event.dataset": "envoyproxy.log", "event.duration": 0, + "event.kind": "event", "event.module": "envoyproxy", + "event.outcome": [ + "failure" + ], + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "kubernetes.container.name": "ambassador", @@ -76,6 +102,10 @@ "kubernetes.pod.uid": "e57d545e-2a9d-11e9-995f-08002730e0dc", "log.offset": 518, "message": "ACCESS [2019-04-06T06:20:05.972Z] \"- - -\" 0 UF,URX 0 0 0 - \"-\" \"-\" \"-\" \"-\" \"127.0.0.1:9200\"", + "network.transport": "tcp", + "related.ip": [ + "127.0.0.1" + ], "service.type": "envoyproxy", "source.bytes": 0, "tags": [ diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json index 7699096e111..1c9482cefdb 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json 
+++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json @@ -9,13 +9,27 @@ "envoyproxy.log_type": "ACCESS", "envoyproxy.proxy_type": "tcp", "envoyproxy.request_id": "-", + "event.category": [ + "network" + ], "event.dataset": "envoyproxy.log", "event.duration": 4000000, + "event.kind": "event", "event.module": "envoyproxy", + "event.outcome": [ + "success" + ], + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "log.offset": 0, "message": "[2019-04-08T16:50:12.533Z] \"- - -\" 0 - 87 254 4 - \"-\" \"-\" \"-\" \"-\" \"172.27.0.2:80\"", + "network.transport": "tcp", + "related.ip": [ + "172.27.0.2" + ], "service.type": "envoyproxy", "source.bytes": 254, "tags": [ @@ -32,9 +46,20 @@ "envoyproxy.proxy_type": "http", "envoyproxy.request_id": "c219f6da-2b7f-483e-9ced-ec323d9330a9", "envoyproxy.upstream_service_time": 4000000, + "event.category": [ + "network" + ], "event.dataset": "envoyproxy.log", "event.duration": 5000000, + "event.kind": "event", "event.module": "envoyproxy", + "event.outcome": [ + "success" + ], + "event.type": [ + "connection", + "protocol" + ], "fileset.name": "log", "http.request.body.bytes": 89, "http.request.method": "GET", @@ -44,6 +69,10 @@ "input.type": "log", "log.offset": 82, "message": "[2019-04-08T16:16:55.931Z] \"GET /service/1 HTTP/1.1\" 200 - 0 89 5 4 \"-\" \"curl/7.54.0\" \"c219f6da-2b7f-483e-9ced-ec323d9330a9\" \"localhost:8000\" \"172.27.0.3:80\"", + "network.protocol": "http", + "related.ip": [ + "172.27.0.3" + ], "service.type": "envoyproxy", "tags": [ "envoyproxy" @@ -64,9 +93,20 @@ "envoyproxy.response_flags": [ "NR" ], + "event.category": [ + "network" + ], "event.dataset": "envoyproxy.log", "event.duration": 0, + "event.kind": "event", "event.module": "envoyproxy", + "event.outcome": [ + "failure" + ], + "event.type": [ + "connection", + "protocol" + ], "fileset.name": "log", "http.request.body.bytes": 0, "http.request.method": "GET", 
@@ -76,6 +116,10 @@ "input.type": "log", "log.offset": 240, "message": "[2019-04-11T00:31:55.439Z] \"GET /elastic HTTP/1.1\" 404 NR 0 0 0 - \"172.17.0.3\" \"curl/7.59.0\" \"58436667-bf70-4fd0-9fe9-cdadadecfd55\" \"192.168.99.107:30901\" \"-\"", + "network.protocol": "http", + "related.ip": [ + "172.17.0.3" + ], "service.type": "envoyproxy", "source.address": "172.17.0.3", "source.ip": "172.17.0.3", @@ -105,9 +149,20 @@ "envoyproxy.proxy_type": "http", "envoyproxy.request_id": "078d1daa-b786-4d6d-85a5-7e4366adaa19", "envoyproxy.upstream_service_time": 39000000, + "event.category": [ + "network" + ], "event.dataset": "envoyproxy.log", "event.duration": 41000000, + "event.kind": "event", "event.module": "envoyproxy", + "event.outcome": [ + "success" + ], + "event.type": [ + "connection", + "protocol" + ], "fileset.name": "log", "http.request.body.bytes": 0, "http.request.method": "GET", @@ -117,6 +172,11 @@ "input.type": "log", "log.offset": 399, "message": "[2019-04-11T00:51:07.980Z] \"GET /elastic/ HTTP/1.1\" 301 - 0 0 41 39 \"172.17.0.3\" \"curl/7.59.0\" \"078d1daa-b786-4d6d-85a5-7e4366adaa19\" \"www.elastic.co\" \"151.101.66.217:80\"", + "network.protocol": "http", + "related.ip": [ + "172.17.0.3", + "151.101.66.217" + ], "service.type": "envoyproxy", "source.address": "172.17.0.3", "source.ip": "172.17.0.3",