Cherry-pick #9797 to 6.x: Allow users to convert timezone in logstash…

… module filesets (#9828)

* Allow users to convert timezone in logstash module filesets (#9797)

* Allow users to convert timezone in logstash/log fileset

* Forgot to remove unnecessary field

* Allow users to convert timezone in logstash/slowlog fileset

* Adding CHANGELOG entry

* Updating expected results of tests

(cherry picked from commit d6c0394)

* Cleaning up CHANGELOG after rebase

CHANGELOG.asciidoc

@@ -69,6 +69,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 - Stop runners disabled by hints after previously being started. {pull}9305[9305]
 - Fix saved objects in filebeat haproxy dashboard. {pull}9417[9417]
 - Fixed a memory leak when harvesters are closed. {pull}7820[7820]
+- Add `convert_timezone` option to Logstash module to convert dates to UTC. {issue}9756[9756] {pull}9797[9797]
 
 *Heartbeat*
 

filebeat/module/logstash/_meta/config.yml

@@ -7,9 +7,15 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   # Slow logs
   slowlog:
    enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
+
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false

filebeat/module/logstash/log/config/log.yml

@@ -8,3 +8,8 @@ multiline:
   pattern: ^\[[0-9]{4}-[0-9]{2}-[0-9]{2}
   negate: true
   match: after
+
+{{ if .convert_timezone }}
+processors:
+- add_locale: ~
+{{ end }}

filebeat/module/logstash/log/ingest/pipeline-plain.json

@@ -34,9 +34,19 @@
             }
         },
         {
-            "rename": {
+            "date": {
                 "field": "logstash.log.timestamp",
-                "target_field": "@timestamp"
+                "target_field": "@timestamp",
+                "formats": [
+                  "ISO8601"
+              ],
+              {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+              "ignore_failure": true
+            }
+        },
+        {
+            "remove": {
+                "field": "logstash.log.timestamp"
             }
         }
     ]

filebeat/module/logstash/log/manifest.yml

@@ -8,6 +8,13 @@ var:
       - /var/log/logstash/logstash-{{.format}}*.log
     os.windows:
       - c:/programdata/logstash/logs/logstash-{{.format}}*.log
+  - name: convert_timezone
+    default: false
+    # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+    # pipeline
+    min_elasticsearch_version:
+      version: 6.1.0
+      value: false
 
 ingest_pipeline: ingest/pipeline-{{.format}}.json
 input: config/log.yml

filebeat/module/logstash/log/test/logstash-plain.log-expected.json

@@ -1,6 +1,6 @@
 [
     {
-        "@timestamp": "2017-10-23T14:20:12,046",
+        "@timestamp": "2017-10-23T14:20:12.046Z",
         "event.dataset": "logstash.log",
         "fileset.module": "logstash",
         "fileset.name": "log",
@@ -12,7 +12,7 @@
         "prospector.type": "log"
     },
     {
-        "@timestamp": "2017-11-20T03:55:00,318",
+        "@timestamp": "2017-11-20T03:55:00.318Z",
         "event.dataset": "logstash.log",
         "fileset.module": "logstash",
         "fileset.name": "log",
@@ -26,4 +26,4 @@
         "offset": 175,
         "prospector.type": "log"
     }
-]
+]

filebeat/module/logstash/slowlog/config/slowlog.yml

@@ -4,3 +4,8 @@ paths:
  - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+
+{{ if .convert_timezone }}
+processors:
+- add_locale: ~
+{{ end }}

filebeat/module/logstash/slowlog/ingest/pipeline-plain.json

@@ -49,9 +49,19 @@
             }
         },
         {
-            "rename": {
+            "date": {
                 "field": "logstash.slowlog.timestamp",
-                "target_field": "@timestamp"
+                "target_field": "@timestamp",
+                "formats": [
+                  "ISO8601"
+              ],
+              {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+              "ignore_failure": true
+            }
+        },
+        {
+            "remove": {
+                "field": "logstash.slowlog.timestamp"
             }
         },
         {

filebeat/module/logstash/slowlog/manifest.yml

@@ -8,6 +8,13 @@ var:
       - /var/log/logstash/logstash-slowlog-{{.format}}*.log
     os.windows:
       - c:/programdata/logstash/logs/logstash-slowlog-{{.format}}*.log
+  - name: convert_timezone
+    default: false
+    # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+    # pipeline
+    min_elasticsearch_version:
+      version: 6.1.0
+      value: false
 
 ingest_pipeline: ingest/pipeline-{{.format}}.json
 input: config/slowlog.yml

filebeat/module/logstash/slowlog/test/slowlog-plain.log-expected.json

@@ -1,6 +1,6 @@
 [
     {
-        "@timestamp": "2017-10-30T09:57:58,243",
+        "@timestamp": "2017-10-30T09:57:58.243Z",
         "event.dataset": "logstash.slowlog",
         "fileset.module": "logstash",
         "fileset.name": "slowlog",
@@ -17,4 +17,4 @@
         "offset": 0,
         "prospector.type": "log"
     }
-]
+]

filebeat/modules.d/logstash.yml.disabled

@@ -7,9 +7,15 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   # Slow logs
   slowlog:
    enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
+
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false