From fc17d76615707bb2bc91cedd4dff8a1c79b516b7 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Wed, 30 Jan 2019 08:32:41 -0800 Subject: [PATCH] Cherry-pick #9761 to 6.6: Allow users to convert timezone in elasticsearch module filesets (#10403) * Allow users to convert timezone in elasticsearch module filesets (#9761) This PR updates the following filesets in the `elasticsearch` Filebeat module to accept a `var.convert_timezone` configuration setting: * [x] server * [x] audit * [x] slowlog * [x] deprecation The `gc` fileset was not modified because Elasticsearch GC logs already emit timestamps with timezone information in them. Fixes partially #9756. Related: #9797. (cherry picked from commit 3559e5805bfc98d61b0c687e5c7824c517bddec6) * Regenerating generated files * Fixing duplicated header in CHANGELOG * Updating generated file --- CHANGELOG.next.asciidoc | 1 + filebeat/filebeat.reference.yml | 13 + .../module/elasticsearch/_meta/config.yml | 13 + .../elasticsearch/audit/config/audit.yml | 5 + .../elasticsearch/audit/ingest/pipeline.json | 14 +- .../module/elasticsearch/audit/manifest.yml | 7 + .../audit/test/test.log-expected.json | 14 +- .../elasticsearch/deprecation/config/log.yml | 5 + .../deprecation/ingest/pipeline.json | 14 +- .../elasticsearch/deprecation/manifest.yml | 7 + ...lasticsearch_deprecation.log-expected.json | 88 ++-- ...lasticsearch_deprecation.log-expected.json | 412 +++++++++--------- .../elasticsearch/server/config/log.yml | 5 + .../elasticsearch/server/ingest/pipeline.json | 14 +- .../module/elasticsearch/server/manifest.yml | 7 + .../server/test/test.log-expected.json | 38 +- .../elasticsearch/slowlog/config/slowlog.yml | 5 + .../slowlog/ingest/pipeline.json | 16 +- .../module/elasticsearch/slowlog/manifest.yml | 7 + .../slowlog/test/test.log-expected.json | 12 +- filebeat/modules.d/elasticsearch.yml.disabled | 13 + x-pack/filebeat/filebeat.reference.yml | 13 + 22 files changed, 432 insertions(+), 291 deletions(-) 
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 162e9e49b6c..16e9502ef7e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -40,6 +40,7 @@ https://github.com/elastic/beats/compare/1035569addc4a3b29ffa14f8a08c27c1ace16ef - Fix bad bytes count in `docker` input when filtering by stream. {pull}10211[10211] - Add `convert_timezone` option to Logstash module to convert dates to UTC. {issue}9756[9756] {pull}9797[9797] +- Add `convert_timezone` option to Elasticsearch module to convert dates to UTC. {issue}9756[9756] {pull}9761[9761] *Heartbeat* diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index d4a35819e0e..a5b758db9b4 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -92,6 +92,9 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + gc: enabled: true # Set custom paths for the log files. If left empty, @@ -104,18 +107,28 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + slowlog: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + deprecation: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + + #------------------------------- haproxy Module ------------------------------ - module: haproxy # All logs diff --git a/filebeat/module/elasticsearch/_meta/config.yml b/filebeat/module/elasticsearch/_meta/config.yml index 0c2562f2796..3105d580379 100644 
--- a/filebeat/module/elasticsearch/_meta/config.yml +++ b/filebeat/module/elasticsearch/_meta/config.yml @@ -7,6 +7,9 @@ # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + gc: enabled: true # Set custom paths for the log files. If left empty, @@ -19,14 +22,24 @@ # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + slowlog: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + deprecation: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + diff --git a/filebeat/module/elasticsearch/audit/config/audit.yml b/filebeat/module/elasticsearch/audit/config/audit.yml index 8d9139a7115..a6dab3dc2a9 100644 --- a/filebeat/module/elasticsearch/audit/config/audit.yml +++ b/filebeat/module/elasticsearch/audit/config/audit.yml @@ -5,6 +5,11 @@ paths: {{ end }} exclude_files: [".gz$"] +{{ if .convert_timezone }} +processors: +- add_locale: ~ +{{ end }} + fields: service.name: "elasticsearch" fields_under_root: true diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.json b/filebeat/module/elasticsearch/audit/ingest/pipeline.json index 9c832362401..d686ba846b2 100644 --- a/filebeat/module/elasticsearch/audit/ingest/pipeline.json +++ b/filebeat/module/elasticsearch/audit/ingest/pipeline.json 
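Review bot: The `add_locale: ~` processor added under `{{ if .convert_timezone }}` in `audit/config/audit.yml` stamps `event.timezone` from the host Filebeat runs on, and the ingest pipeline then uses that value to interpret the audit log's zone-less timestamps. The conversion is therefore only correct when Filebeat and the Elasticsearch JVM that wrote the log share a zone. As far as I can tell the offset is taken when the event is read, not when the line was written, so a backlog shipped across a DST change or from a copied log file would be shifted. For audit records that skews incident timelines, so I would document the assumption above the block, e.g. `# event.timezone is the Filebeat host's current offset; it must match the zone Elasticsearch logged in.` The same block is added in the deprecation and server `config/log.yml` hunks.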
@@ -16,9 +16,19 @@ } }, { - "rename": { + "date": { "field": "elasticsearch.audit.timestamp", - "target_field": "@timestamp" + "target_field": "@timestamp", + "formats": [ + "ISO8601" + ], + {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >} + "ignore_failure": true + } + }, + { + "remove": { + "field": "elasticsearch.audit.timestamp" } } ], diff --git a/filebeat/module/elasticsearch/audit/manifest.yml b/filebeat/module/elasticsearch/audit/manifest.yml index 00298cdf981..7ccb68c7e43 100644 --- a/filebeat/module/elasticsearch/audit/manifest.yml +++ b/filebeat/module/elasticsearch/audit/manifest.yml @@ -8,6 +8,13 @@ var: - /usr/local/var/lib/elasticsearch/*_access.log os.windows: - c:/ProgramData/Elastic/Elasticsearch/logs/*_access.log + - name: convert_timezone + default: false + # if ES < 6.1.0, this flag switches to false automatically when evaluating the + # pipeline + min_elasticsearch_version: + version: 6.1.0 + value: false ingest_pipeline: ingest/pipeline.json input: config/audit.yml diff --git a/filebeat/module/elasticsearch/audit/test/test.log-expected.json b/filebeat/module/elasticsearch/audit/test/test.log-expected.json index dea44171f3a..91a7f16d3ea 100644 --- a/filebeat/module/elasticsearch/audit/test/test.log-expected.json +++ b/filebeat/module/elasticsearch/audit/test/test.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2018-06-19T05:16:15,549", + "@timestamp": "2018-06-19T05:16:15.549Z", "elasticsearch.audit.event_type": "authentication_failed", "elasticsearch.audit.layer": "rest", "elasticsearch.audit.origin_address": "147.107.128.77", @@ -16,7 +16,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-19T05:07:52,304", + "@timestamp": "2018-06-19T05:07:52.304Z", "elasticsearch.audit.event_type": "authentication_failed", "elasticsearch.audit.layer": "rest", "elasticsearch.audit.origin_address": "172.22.0.3", 
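Review bot: In the new `date` processor of `audit/ingest/pipeline.json`, `"ignore_failure": true` combined with the unconditional `remove` that follows means a timestamp that fails to parse is silently lost. `@timestamp` keeps whatever value the event arrived with and `elasticsearch.audit.timestamp` is deleted, so nothing marks that the time is not the audit event's own. For an audit trail I would record the failure instead, replacing that line with `"on_failure": [{ "set": { "field": "error.message", "value": "{{ _ingest.on_failure_message }}" } }]`, and keep the raw field when parsing fails rather than removing it in every case. The same `date`/`remove` pair appears in the deprecation and server `ingest/pipeline.json` hunks. The expected-output fixtures in this patch all end in `Z`, so none of them appears to exercise a non-UTC `event.timezone`; the rest of the pipeline lies outside the hunk.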
@@ -33,7 +33,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-19T05:00:15,778", + "@timestamp": "2018-06-19T05:00:15.778Z", "elasticsearch.audit.action": "indices:data/read/scroll/clear", "elasticsearch.audit.event_type": "access_granted", "elasticsearch.audit.layer": "transport", @@ -51,7 +51,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-19T05:07:45,544", + "@timestamp": "2018-06-19T05:07:45.544Z", "elasticsearch.audit.event_type": "anonymous_access_denied", "elasticsearch.audit.layer": "rest", "elasticsearch.audit.origin_address": "172.22.0.3", @@ -67,7 +67,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-19T05:26:27,268", + "@timestamp": "2018-06-19T05:26:27.268Z", "elasticsearch.audit.event_type": "authentication_failed", "elasticsearch.audit.layer": "rest", "elasticsearch.audit.origin_address": "147.107.128.77", @@ -83,7 +83,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-19T05:55:26,898", + "@timestamp": "2018-06-19T05:55:26.898Z", "elasticsearch.audit.action": "cluster:monitor/main", "elasticsearch.audit.event_type": "access_denied", "elasticsearch.audit.layer": "transport", @@ -101,7 +101,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-19T05:24:15,190", + "@timestamp": "2018-06-19T05:24:15.190Z", "elasticsearch.audit.event_type": "authentication_failed", "elasticsearch.audit.layer": "rest", "elasticsearch.audit.origin_address": "172.18.0.3", diff --git a/filebeat/module/elasticsearch/deprecation/config/log.yml b/filebeat/module/elasticsearch/deprecation/config/log.yml index e49d0c86542..aa265c0b156 100644 --- a/filebeat/module/elasticsearch/deprecation/config/log.yml +++ b/filebeat/module/elasticsearch/deprecation/config/log.yml @@ -9,6 +9,11 @@ multiline: negate: true match: after +{{ if .convert_timezone }} +processors: +- add_locale: ~ +{{ end }} + fields: service.name: "elasticsearch" 
diff --git a/filebeat/module/elasticsearch/deprecation/ingest/pipeline.json b/filebeat/module/elasticsearch/deprecation/ingest/pipeline.json index 17bb9ddd409..8f126f11e2f 100755 --- a/filebeat/module/elasticsearch/deprecation/ingest/pipeline.json +++ b/filebeat/module/elasticsearch/deprecation/ingest/pipeline.json @@ -27,9 +27,19 @@ } }, { - "rename": { + "date": { "field": "timestamp", - "target_field": "@timestamp" + "target_field": "@timestamp", + "formats": [ + "ISO8601" + ], + {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >} + "ignore_failure": true + } + }, + { + "remove": { + "field": "timestamp" } } ] diff --git a/filebeat/module/elasticsearch/deprecation/manifest.yml b/filebeat/module/elasticsearch/deprecation/manifest.yml index 3d334014422..3fb63c647c6 100644 --- a/filebeat/module/elasticsearch/deprecation/manifest.yml +++ b/filebeat/module/elasticsearch/deprecation/manifest.yml @@ -8,6 +8,13 @@ var: - /usr/local/var/lib/elasticsearch/*_deprecation.log os.windows: - c:/ProgramData/Elastic/Elasticsearch/logs/*_deprecation.log + - name: convert_timezone + default: false + # if ES < 6.1.0, this flag switches to false automatically when evaluating the + # pipeline + min_elasticsearch_version: + version: 6.1.0 + value: false ingest_pipeline: ingest/pipeline.json prospector: config/log.yml diff --git a/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json b/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json index bbdf1b9023a..4567d3bd500 100644 --- a/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json +++ b/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json 
@@ -1,54 +1,54 @@ [ { - "@timestamp": "2018-04-23T16:40:13,737", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 0, - "message": "Deprecated field [template] used, replaced by [index_patterns]", - "prospector.type": "log", + "@timestamp": "2018-04-23T16:40:13.737Z", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Deprecated field [template] used, replaced by [index_patterns]", + "offset": 0, + "prospector.type": "log", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-04-23T16:40:13,862", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 137, - "message": "Deprecated field [template] used, replaced by [index_patterns]", - "prospector.type": "log", + "@timestamp": "2018-04-23T16:40:13.862Z", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Deprecated field [template] used, replaced by [index_patterns]", + "offset": 137, + "prospector.type": "log", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-04-23T16:40:14,792", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - 
"input.type": "log", - "log.level": "WARN", - "offset": 274, - "message": "Deprecated field [template] used, replaced by [index_patterns]", - "prospector.type": "log", + "@timestamp": "2018-04-23T16:40:14.792Z", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Deprecated field [template] used, replaced by [index_patterns]", + "offset": 274, + "prospector.type": "log", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-04-23T16:40:15,127", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 411, - "message": "Deprecated field [template] used, replaced by [index_patterns]", - "prospector.type": "log", + "@timestamp": "2018-04-23T16:40:15.127Z", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Deprecated field [template] used, replaced by [index_patterns]", + "offset": 411, + "prospector.type": "log", "service.name": "elasticsearch" } -] +] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/deprecation/test/other_elasticsearch_deprecation.log-expected.json b/filebeat/module/elasticsearch/deprecation/test/other_elasticsearch_deprecation.log-expected.json index 75b0e49713a..db3d90939ce 100644 --- a/filebeat/module/elasticsearch/deprecation/test/other_elasticsearch_deprecation.log-expected.json +++ b/filebeat/module/elasticsearch/deprecation/test/other_elasticsearch_deprecation.log-expected.json 
@@ -1,210 +1,210 @@ [ { - "@timestamp": "2017-11-30T13:38:16,911", - "elasticsearch.server.component": "o.e.d.c.ParseField", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 0, - "message": "Deprecated field [inline] used, expected [source] instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-11-30T13:38:16,941", - "elasticsearch.server.component": "o.e.d.c.ParseField", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 118, - "message": "Deprecated field [inline] used, expected [source] instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-11-30T13:39:28,986", - "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 236, - "message": "Fielddata access on the _uid field is deprecated, use _id instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-11-30T13:39:36,339", - "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 362, - "message": "Fielddata access on the _uid field is deprecated, use _id instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-11-30T13:40:49,540", - "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": 
"log", - "log.level": "WARN", - "offset": 488, - "message": "Fielddata access on the _uid field is deprecated, use _id instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-11-30T14:08:37,413", - "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 614, - "message": "Fielddata access on the _uid field is deprecated, use _id instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-11-30T14:08:37,413", - "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 740, - "message": "Fielddata access on the _uid field is deprecated, use _id instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-11-30T14:08:46,006", - "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 866, - "message": "Fielddata access on the _uid field is deprecated, use _id instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-11-30T14:08:46,006", - "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 992, - "message": "Fielddata access on the _uid field is deprecated, use _id instead", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": 
"2017-12-01T14:05:54,017", - "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 1118, - "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-12-01T14:05:54,019", - "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 1329, - "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-12-01T14:06:52,059", - "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 1540, - "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. 
As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-12-01T14:46:10,428", - "elasticsearch.server.component": "o.e.d.s.a.InternalOrder$Parser", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 1751, - "message": "Deprecated aggregation order key [_term] used, replaced by [_key]", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-12-04T16:17:18,271", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 1882, - "message": "Deprecated field [template] used, replaced by [index_patterns]", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-12-04T16:17:18,282", - "elasticsearch.server.component": "o.e.d.i.m.MapperService", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 2019, - "message": "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type", - "prospector.type": "log", - "service.name": "elasticsearch" - }, - { - "@timestamp": "2017-12-04T16:20:43,248", - "elasticsearch.server.component": "o.e.d.i.m.MapperService", - "event.dataset": "elasticsearch.deprecation", - "fileset.module": "elasticsearch", - "fileset.name": "deprecation", - "input.type": "log", - "log.level": "WARN", - "offset": 2192, - "message": "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type", - "prospector.type": 
"log", + "@timestamp": "2017-11-30T13:38:16.911Z", + "elasticsearch.server.component": "o.e.d.c.ParseField", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Deprecated field [inline] used, expected [source] instead", + "offset": 0, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-11-30T13:38:16.941Z", + "elasticsearch.server.component": "o.e.d.c.ParseField", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Deprecated field [inline] used, expected [source] instead", + "offset": 118, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-11-30T13:39:28.986Z", + "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Fielddata access on the _uid field is deprecated, use _id instead", + "offset": 236, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-11-30T13:39:36.339Z", + "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Fielddata access on the _uid field is deprecated, use _id instead", + "offset": 362, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-11-30T13:40:49.540Z", + "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + 
"log.level": "WARN", + "message": "Fielddata access on the _uid field is deprecated, use _id instead", + "offset": 488, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-11-30T14:08:37.413Z", + "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Fielddata access on the _uid field is deprecated, use _id instead", + "offset": 614, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-11-30T14:08:37.413Z", + "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Fielddata access on the _uid field is deprecated, use _id instead", + "offset": 740, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-11-30T14:08:46.006Z", + "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Fielddata access on the _uid field is deprecated, use _id instead", + "offset": 866, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-11-30T14:08:46.006Z", + "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Fielddata access on the _uid field is deprecated, use _id instead", + "offset": 992, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": 
"2017-12-01T14:05:54.017Z", + "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.", + "offset": 1118, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-12-01T14:05:54.019Z", + "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.", + "offset": 1329, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-12-01T14:06:52.059Z", + "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. 
As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.", + "offset": 1540, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-12-01T14:46:10.428Z", + "elasticsearch.server.component": "o.e.d.s.a.InternalOrder$Parser", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Deprecated aggregation order key [_term] used, replaced by [_key]", + "offset": 1751, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-12-04T16:17:18.271Z", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "Deprecated field [template] used, replaced by [index_patterns]", + "offset": 1882, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-12-04T16:17:18.282Z", + "elasticsearch.server.component": "o.e.d.i.m.MapperService", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type", + "offset": 2019, + "prospector.type": "log", + "service.name": "elasticsearch" + }, + { + "@timestamp": "2017-12-04T16:20:43.248Z", + "elasticsearch.server.component": "o.e.d.i.m.MapperService", + "event.dataset": "elasticsearch.deprecation", + "fileset.module": "elasticsearch", + "fileset.name": "deprecation", + "input.type": "log", + "log.level": "WARN", + "message": "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type", + "offset": 2192, + 
"prospector.type": "log", "service.name": "elasticsearch" } -] +] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/server/config/log.yml b/filebeat/module/elasticsearch/server/config/log.yml index 19a0839f107..e65a0a0f787 100644 --- a/filebeat/module/elasticsearch/server/config/log.yml +++ b/filebeat/module/elasticsearch/server/config/log.yml @@ -9,6 +9,11 @@ multiline: negate: true match: after +{{ if .convert_timezone }} +processors: +- add_locale: ~ +{{ end }} + fields: service.name: "elasticsearch" diff --git a/filebeat/module/elasticsearch/server/ingest/pipeline.json b/filebeat/module/elasticsearch/server/ingest/pipeline.json index 5a69e101877..8cdd7935341 100755 --- a/filebeat/module/elasticsearch/server/ingest/pipeline.json +++ b/filebeat/module/elasticsearch/server/ingest/pipeline.json @@ -28,9 +28,19 @@ } }, { - "rename": { + "date": { "field": "elasticsearch.server.timestamp", - "target_field": "@timestamp" + "target_field": "@timestamp", + "formats": [ + "ISO8601" + ], + {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >} + "ignore_failure": true + } + }, + { + "remove": { + "field": "elasticsearch.server.timestamp" } } ] diff --git a/filebeat/module/elasticsearch/server/manifest.yml b/filebeat/module/elasticsearch/server/manifest.yml index f327b1405f2..e4974131bc3 100644 --- a/filebeat/module/elasticsearch/server/manifest.yml +++ b/filebeat/module/elasticsearch/server/manifest.yml @@ -8,6 +8,13 @@ var: - /usr/local/var/lib/elasticsearch/*.log os.windows: - c:/ProgramData/Elastic/Elasticsearch/logs/*.log + - name: convert_timezone + default: false + # if ES < 6.1.0, this flag switches to false automatically when evaluating the + # pipeline + min_elasticsearch_version: + version: 6.1.0 + value: false ingest_pipeline: ingest/pipeline.json prospector: config/log.yml 
diff --git a/filebeat/module/elasticsearch/server/test/test.log-expected.json b/filebeat/module/elasticsearch/server/test/test.log-expected.json index 4f6ce04064a..e240ce181ba 100644 --- a/filebeat/module/elasticsearch/server/test/test.log-expected.json +++ b/filebeat/module/elasticsearch/server/test/test.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2018-05-17T08:29:12,177", + "@timestamp": "2018-05-17T08:29:12.177Z", "elasticsearch.index.name": "test-filebeat-modules", "elasticsearch.node.name": "vWNJsZ3", "elasticsearch.server.component": "o.e.c.m.MetaDataCreateIndexService", @@ -15,7 +15,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:19:35,939", + "@timestamp": "2018-05-17T08:19:35.939Z", "elasticsearch.node.name": "", "elasticsearch.server.component": "o.e.n.Node", "event.dataset": "elasticsearch.server", @@ -29,7 +29,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:19:36,089", + "@timestamp": "2018-05-17T08:19:36.089Z", "elasticsearch.node.name": "vWNJsZ3", "elasticsearch.server.component": "o.e.e.NodeEnvironment", "event.dataset": "elasticsearch.server", @@ -43,7 +43,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:19:36,090", + "@timestamp": "2018-05-17T08:19:36.090Z", "elasticsearch.node.name": "vWNJsZ3", "elasticsearch.server.component": "o.e.e.NodeEnvironment", "event.dataset": "elasticsearch.server", @@ -57,7 +57,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:19:36,116", + "@timestamp": "2018-05-17T08:19:36.116Z", "elasticsearch.server.component": "o.e.n.Node", "event.dataset": "elasticsearch.server", "fileset.module": "elasticsearch", @@ -70,7 +70,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:23:48,941", + "@timestamp": "2018-05-17T08:23:48.941Z", "elasticsearch.node.name": "vWNJsZ3", "elasticsearch.server.component": "o.e.c.r.a.DiskThresholdMonitor", "event.dataset": "elasticsearch.server", 
@@ -84,7 +84,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:29:09,245", + "@timestamp": "2018-05-17T08:29:09.245Z", "elasticsearch.index.name": "filebeat-test-input", "elasticsearch.node.name": "vWNJsZ3", "elasticsearch.server.component": "o.e.c.m.MetaDataCreateIndexService", @@ -99,7 +99,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:29:09,576", + "@timestamp": "2018-05-17T08:29:09.576Z", "elasticsearch.index.id": "aOGgDwbURfCV57AScqbCgw", "elasticsearch.index.name": "filebeat-test-input", "elasticsearch.node.name": "vWNJsZ3", @@ -115,7 +115,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-09T12:47:33,959", + "@timestamp": "2018-07-09T12:47:33.959Z", "elasticsearch.index.id": "3tWftqb4RLKdyCAga9syGA", "elasticsearch.index.name": ".kibana", "elasticsearch.node.name": "QGY1F5P", @@ -131,7 +131,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:29:25,598", + "@timestamp": "2018-05-17T08:29:25.598Z", "elasticsearch.node.name": "vWNJsZ3", "elasticsearch.server.component": "o.e.n.Node", "event.dataset": "elasticsearch.server", @@ -145,7 +145,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-05-17T08:29:25,612", + "@timestamp": "2018-05-17T08:29:25.612Z", "elasticsearch.node.name": "vWNJsZ3", "elasticsearch.server.component": "o.e.n.Node", "event.dataset": "elasticsearch.server", @@ -159,7 +159,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-03T11:45:48,548", + "@timestamp": "2018-07-03T11:45:48.548Z", "elasticsearch.node.name": "srvmulpvlsk252_md", "elasticsearch.server.component": "o.e.d.z.ZenDiscovery", "event.dataset": "elasticsearch.server", @@ -173,7 +173,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-03T11:45:48,548", + "@timestamp": "2018-07-03T11:45:48.548Z", "elasticsearch.node.name": "srvmulpvlsk252_md", "elasticsearch.server.component": "o.e.d.z.ZenDiscovery", "event.dataset": "elasticsearch.server", 
@@ -190,7 +190,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-03T11:45:52,666", + "@timestamp": "2018-07-03T11:45:52.666Z", "elasticsearch.server.component": "r.suppressed", "event.dataset": "elasticsearch.server", "fileset.module": "elasticsearch", @@ -206,7 +206,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-03T11:48:02,552", + "@timestamp": "2018-07-03T11:48:02.552Z", "elasticsearch.server.component": "r.suppressed", "event.dataset": "elasticsearch.server", "fileset.module": "elasticsearch", @@ -222,7 +222,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-03T11:45:27,896", + "@timestamp": "2018-07-03T11:45:27.896Z", "elasticsearch.node.name": "srvmulpvlsk252_md", "elasticsearch.server.component": "o.e.m.j.JvmGcMonitorService", "elasticsearch.server.gc.young.one": "3449979", @@ -241,7 +241,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-03T11:45:45,604", + "@timestamp": "2018-07-03T11:45:45.604Z", "elasticsearch.node.name": "srvmulpvlsk252_md", "elasticsearch.server.component": "o.e.m.j.JvmGcMonitorService", "elasticsearch.server.gc_overhead": "3449992", @@ -256,7 +256,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-03T11:48:02,541", + "@timestamp": "2018-07-03T11:48:02.541Z", "elasticsearch.node.name": "srvmulpvlsk252_md", "elasticsearch.server.component": "o.e.a.b.TransportShardBulkAction", "event.dataset": "elasticsearch.server", @@ -270,7 +270,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-03T20:10:07,376", + "@timestamp": "2018-07-03T20:10:07.376Z", "elasticsearch.node.name": "srvmulpvlsk252_md", "elasticsearch.server.component": "o.e.x.m.MonitoringService", "event.dataset": "elasticsearch.server", diff --git a/filebeat/module/elasticsearch/slowlog/config/slowlog.yml b/filebeat/module/elasticsearch/slowlog/config/slowlog.yml index c65f00f5ae0..afb6b902a01 100644 --- a/filebeat/module/elasticsearch/slowlog/config/slowlog.yml 
+++ b/filebeat/module/elasticsearch/slowlog/config/slowlog.yml @@ -10,6 +10,11 @@ multiline: negate: true match: after +{{ if .convert_timezone }} +processors: +- add_locale: ~ +{{ end }} + fields: service.name: "elasticsearch" fields_under_root: true diff --git a/filebeat/module/elasticsearch/slowlog/ingest/pipeline.json b/filebeat/module/elasticsearch/slowlog/ingest/pipeline.json index 0fb4b7ab756..1d2f4d78870 100644 --- a/filebeat/module/elasticsearch/slowlog/ingest/pipeline.json +++ b/filebeat/module/elasticsearch/slowlog/ingest/pipeline.json @@ -20,12 +20,22 @@ } }, { - "rename": { + "date": { "field": "elasticsearch.slowlog.timestamp", - "target_field": "@timestamp" + "target_field": "@timestamp", + "formats": [ + "ISO8601" + ], + {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >} + "ignore_failure": true + } + }, + { + "remove": { + "field": "elasticsearch.slowlog.timestamp" } } - ], + ], "on_failure" : [{ "set" : { "field" : "error.message", diff --git a/filebeat/module/elasticsearch/slowlog/manifest.yml b/filebeat/module/elasticsearch/slowlog/manifest.yml index 5fc6306b9fe..904b5db5ef6 100644 --- a/filebeat/module/elasticsearch/slowlog/manifest.yml +++ b/filebeat/module/elasticsearch/slowlog/manifest.yml @@ -11,6 +11,13 @@ var: os.windows: - c:/ProgramData/Elastic/Elasticsearch/logs/*_index_search_slowlog.log - c:/ProgramData/Elastic/Elasticsearch/logs/*_index_indexing_slowlog.log + - name: convert_timezone + default: false + # if ES < 6.1.0, this flag switches to false automatically when evaluating the + # pipeline + min_elasticsearch_version: + version: 6.1.0 + value: false ingest_pipeline: ingest/pipeline.json input: config/slowlog.yml diff --git a/filebeat/module/elasticsearch/slowlog/test/test.log-expected.json b/filebeat/module/elasticsearch/slowlog/test/test.log-expected.json index 1dca186bbb1..bce5a4ced95 100644 --- a/filebeat/module/elasticsearch/slowlog/test/test.log-expected.json 
+++ b/filebeat/module/elasticsearch/slowlog/test/test.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2018-06-29T10:06:14,933", + "@timestamp": "2018-06-29T10:06:14.933Z", "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", "elasticsearch.node.name": "v_VJhjV", "elasticsearch.shard.id": "0", @@ -24,7 +24,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-29T10:06:14,943", + "@timestamp": "2018-06-29T10:06:14.943Z", "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", "elasticsearch.node.name": "v_VJhjV", "elasticsearch.shard.id": "0", @@ -48,7 +48,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-29T09:01:01,821", + "@timestamp": "2018-06-29T09:01:01.821Z", "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", "elasticsearch.node.name": "v_VJhjV", "elasticsearch.shard.id": "0", @@ -72,7 +72,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-06-29T09:01:01,827", + "@timestamp": "2018-06-29T09:01:01.827Z", "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", "elasticsearch.node.name": "v_VJhjV", "elasticsearch.shard.id": "0", @@ -96,7 +96,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-04T13:48:07,452", + "@timestamp": "2018-07-04T13:48:07.452Z", "elasticsearch.index.id": "VLKxBLvUSYuIMKzpacGjRg", "elasticsearch.index.name": "metricbeat-6.3.0-2018.07.04", "elasticsearch.node.name": "v_VJhjV", @@ -118,7 +118,7 @@ "service.name": "elasticsearch" }, { - "@timestamp": "2018-07-04T21:51:30,411", + "@timestamp": "2018-07-04T21:51:30.411Z", "elasticsearch.index.id": "VLKxBLvUSYuIMKzpacGjRg", "elasticsearch.index.name": "metricbeat-6.3.0-2018.07.04", "elasticsearch.node.name": "v_VJhjV", diff --git a/filebeat/modules.d/elasticsearch.yml.disabled b/filebeat/modules.d/elasticsearch.yml.disabled index 0c2562f2796..3105d580379 100644 --- a/filebeat/modules.d/elasticsearch.yml.disabled +++ b/filebeat/modules.d/elasticsearch.yml.disabled 
@@ -7,6 +7,9 @@ # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + gc: enabled: true # Set custom paths for the log files. If left empty, @@ -19,14 +22,24 @@ # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + slowlog: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + deprecation: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index d5200432fdc..315c0c2a49a 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -92,6 +92,9 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + gc: enabled: true # Set custom paths for the log files. If left empty, 
@@ -104,18 +107,28 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + slowlog: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + deprecation: enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + + #-------------------------------- Haproxy Module -------------------------------- - module: haproxy # All logs