Add Filebeat kubernetes module. {issue}10812[10812]

CHANGELOG.next.asciidoc

@@ -244,6 +244,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add ISO8601 timestamp support in syslog metricset. {issue}8716[8716] {pull}10736[10736]
 - Add more info to message logged when a duplicated symlink file is found {pull}10845[10845]
 - Add Netflow module to enrich flow events with geoip data. {pull}10877[10877]
+- Add Filebeat kubernetes module. {issue}10812[10812] 
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -27,6 +27,7 @@ grouped in the following categories:
 * <<exported-fields-kafka>>
 * <<exported-fields-kibana>>
 * <<exported-fields-kubernetes-processor>>
+* <<exported-fields-kubernetes>>
 * <<exported-fields-log>>
 * <<exported-fields-logstash>>
 * <<exported-fields-mongodb>>
@@ -6521,6 +6522,288 @@ type: keyword
 Kubernetes container image
 
 
+--
+
+[[exported-fields-kubernetes]]
+== Kubernetes fields
+
+Module for handling logs produced by Kubenetes pods
+
+
+
+[float]
+== coredns fields
+
+Fields from coredns logs after normalization
+
+
+
+*`coredns.duration`*::
++
+--
+type: double
+
+--
+
+*`coredns.client`*::
++
+--
+type: ip
+
+--
+
+*`coredns.size`*::
++
+--
+type: integer
+
+--
+
+*`coredns.dnssec_ok`*::
++
+--
+type: boolean
+
+--
+
+*`coredns.proto`*::
++
+--
+type: keyword
+
+--
+
+*`coredns.qclass`*::
++
+--
+type: keyword
+
+--
+
+*`coredns.rsize`*::
++
+--
+type: integer
+
+--
+
+*`coredns.log_level`*::
++
+--
+type: keyword
+
+--
+
+*`coredns.id`*::
++
+--
+type: keyword
+
+--
+
+*`coredns.rcode`*::
++
+--
+type: keyword
+
+--
+
+*`coredns.port`*::
++
+--
+type: integer
+
+--
+
+*`coredns.bufsize`*::
++
+--
+type: integer
+
+--
+
+*`coredns.qtype`*::
++
+--
+type: keyword
+
+--
+
+*`coredns.rflags`*::
++
+--
+type: keyword
+
+coredns response flags
+
+
+--
+
+*`coredns.qname`*::
++
+--
+type: keyword
+
+coredns query name
+
+
+--
+
+*`coredns.message`*::
++
+--
+type: text
+
+coredns original log message
+
+
+--
+
+[float]
+== kubernetes fields
+
+Kubernetes meta fields
+
+
+
+
+*`kubernetes.replicaset.name`*::
++
+--
+type: keyword
+
+--
+
+[float]
+== envoy fields
+
+Fields from envoy proxy logs after normalization
+
+
+
+*`envoy.log_type`*::
++
+--
+type: keyword
+
+Envoy log type, normally ACCESS
+
+
+--
+
+*`envoy.method`*::
++
+--
+type: keyword
+
+--
+
+*`envoy.path`*::
++
+--
+type: keyword
+
+--
+
+*`envoy.proto`*::
++
+--
+type: keyword
+
+--
+
+*`envoy.response_code`*::
++
+--
+type: integer
+
+--
+
+*`envoy.response_flags`*::
++
+--
+type: keyword
+
+--
+
+*`envoy.bytes_received`*::
++
+--
+type: long
+
+--
+
+*`envoy.bytes_sent`*::
++
+--
+type: long
+
+--
+
+*`envoy.duration`*::
++
+--
+type: double
+
+--
+
+*`envoy.upstream_service_time`*::
++
+--
+type: double
+
+--
+
+*`envoy.forwarded_for`*::
++
+--
+type: keyword
+
+--
+
+*`envoy.http_user_agent`*::
++
+--
+type: keyword
+
+--
+
+*`envoy.request_id`*::
++
+--
+type: keyword
+
+--
+
+*`envoy.authority`*::
++
+--
+type: keyword
+
+--
+
+*`envoy.upstream_host`*::
++
+--
+type: ip
+
+--
+
+*`envoy.upstream_port`*::
++
+--
+type: integer
+
+--
+
+*`envoy.message`*::
++
+--
+type: text
+
+envoy original log message
+
+
 --
 
 [[exported-fields-log]]

filebeat/docs/modules/kubernetes.asciidoc

@@ -0,0 +1,35 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-kubernetes]]
+[role="xpack"]
+
+:modulename: kubernetes
+:has-dashboards: true
+
+== Kubernetes Module
+
+This is a filebeat module for Kubernetes. It ingests logs for Kubernetes pods and containers, specifically coredns and envoy.
+
+[float]
+=== Compatibility
+
+This module has been developed against Kubernetes v1.13.x, but is expected to work
+with other versions of Kubernetes.
+
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard.
+
+[role="screenshot"]
+image::./images/Filebeat-Kubernetes-Dashboard.png[]
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<<exported-fields-kubernetes,exported fields>> section.
+

filebeat/docs/modules_list.asciidoc

@@ -12,6 +12,7 @@ This file is generated! See scripts/docs_collector.py
   * <<filebeat-module-iptables>>
   * <<filebeat-module-kafka>>
   * <<filebeat-module-kibana>>
+  * <<filebeat-module-kubernetes>>
   * <<filebeat-module-logstash>>
   * <<filebeat-module-mongodb>>
   * <<filebeat-module-mysql>>
@@ -40,6 +41,7 @@ include::modules/iis.asciidoc[]
 include::modules/iptables.asciidoc[]
 include::modules/kafka.asciidoc[]
 include::modules/kibana.asciidoc[]
+include::modules/kubernetes.asciidoc[]
 include::modules/logstash.asciidoc[]
 include::modules/mongodb.asciidoc[]
 include::modules/mysql.asciidoc[]

x-pack/filebeat/filebeat.reference.yml

@@ -245,6 +245,18 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#------------------------------ Kubernetes Module ------------------------------
+- module: kubernetes
+  # All logs
+  coredns: 
+    enabled: true
+  envoy:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #------------------------------- Logstash Module -------------------------------
 #- module: logstash
   # logs