Filebeat coredns module #11200

Merged (24 commits), Mar 26, 2019

Changes shown are from 16 of the 24 commits.

Commits (24):
6199c1e  Add coredns module (Mar 6, 2019)
20dc52f  Add coredns module (Mar 6, 2019)
3440037  Add fileset kubernetes for coredns module to handle Kubernetes deploy… (Mar 7, 2019)
2229a53  Add fileset kubernetes for coredns module to support Kubernetes deplo… (Mar 7, 2019)
475da9b  Update README and docs (Mar 9, 2019)
469c013  Update docs for coredns (Mar 9, 2019)
6f0c4f8  Merge with master (Mar 11, 2019)
ba43d40  Add Coredns Overview Dashboard (Mar 11, 2019)
27e36d8  Update dashboard to add NXDOMAIN visualization (Mar 12, 2019)
a1b051c  Update fields (Mar 12, 2019)
a520e02  Merge remote-tracking branch 'upstream/master' into filebeat-coredns-… (Mar 12, 2019)
af1ed61  Merge remote-tracking branch 'upstream/master' into filebeat-coredns-… (Mar 12, 2019)
c1aeaea  Rebuild filebeat.test, so it generates ecs version 1.0.0 instead of 1… (Mar 12, 2019)
a93a8cc  Update CHANGELOG.next.asciidoc (Mar 15, 2019)
fc0bddf  Remove changes to kubernetes fields.yml since it has been addressed i… (Mar 15, 2019)
a25bc3d  Fix pipeline to support bracketed IPv6 address and address some bugs.… (Mar 19, 2019)
717d079  Merge branch 'master' into filebeat-coredns-module (Mar 19, 2019)
27d35a3  Merge branch 'master' into filebeat-coredns-module (Mar 22, 2019)
f32bc05  Merge two filesets into one (Mar 22, 2019)
bcaa67a  Fix fileset name in README (Mar 22, 2019)
a3b3a31  use message field for coredns part of the original log (Mar 22, 2019)
ae6ba52  Merge branch 'master' into filebeat-coredns-module (Mar 25, 2019)
4eb67b7  Merge with master and update CHANGELOG.next.asciidoc (Mar 25, 2019)
4b406c6  Fix an indentation error in README (Mar 25, 2019)
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -290,6 +290,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Change Suricata module pipeline to handle `destination.domain` being set if a reverse DNS processor is used. {issue}10510[10510]
- Add the `network.community_id` flow identifier to field to the IPTables, Suricata, and Zeek modules. {pull}11005[11005]
- Add support for loading custom NetFlow and IPFIX field definitions to netflow input. {pull}10945[10945]
- New Filebeat coredns module to ingest coredns logs. It supports both the native coredns deployment and coredns deployment in kubernetes. {pull}11200[11200]

*Heartbeat*

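Review bot: the new `- New Filebeat coredns module ...` entry is the only one in this list that leaves product names in lower case; the neighbouring entries write Suricata, NetFlow and IPFIX, so write CoreDNS and Kubernetes here as well, e.g. `- New Filebeat CoreDNS module to ingest CoreDNS logs. It supports both native CoreDNS deployments and CoreDNS running in Kubernetes. {pull}11200[11200]`.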
109 changes: 109 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -16,6 +16,7 @@ grouped in the following categories:
* <<exported-fields-auditd>>
* <<exported-fields-beat>>
* <<exported-fields-cloud>>
* <<exported-fields-coredns>>
* <<exported-fields-docker-processor>>
* <<exported-fields-ecs>>
* <<exported-fields-elasticsearch>>
Expand Down Expand Up @@ -1125,6 +1126,114 @@ type: alias

alias to: cloud.region

--

[[exported-fields-coredns]]
== Coredns fields

Module for handling logs produced by coredns



[float]
== coredns fields

coredns fields after normalization



*`coredns.id`*::
+
--
type: keyword

id of the DNS transaction


--

*`coredns.query.size`*::
+
--
type: integer

format: bytes

size of the DNS query


--

*`coredns.query.class`*::
+
--
type: keyword

DNS query class


--

*`coredns.query.name`*::
+
--
type: keyword

DNS query name


--

*`coredns.query.type`*::
+
--
type: keyword

DNS query type


--

*`coredns.response.code`*::
+
--
type: keyword

DNS response code


--

*`coredns.response.flags`*::
+
--
type: keyword

DNS response flags


--

*`coredns.response.size`*::
+
--
type: integer

format: bytes

size of the DNS response


--

*`coredns.dnssec_ok`*::
+
--
type: boolean

dnssec flag


--

[[exported-fields-docker-processor]]
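Review bot: the descriptions in the `coredns.*` field list are bare fragments ("id of the DNS transaction", "DNS query class", "dnssec flag") and `coredns.dnssec_ok` never says what a true value means; since this file is generated from the module's `fields.yml`, reword them there as full sentences, e.g. for `coredns.dnssec_ok`: "True when the DNSSEC OK (DO) bit was set in the query." It would also help readers to state whether `coredns.response.flags` holds a single keyword or a list of flag names, which `type: keyword` alone does not convey.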
37 changes: 37 additions & 0 deletions filebeat/docs/modules/coredns.asciidoc
@@ -0,0 +1,37 @@
////
This file is generated! See scripts/docs_collector.py
////

[[filebeat-module-coredns]]
[role="xpack"]

:modulename: coredns
:has-dashboards: true

== Coredns Module

This is a filebeat module for coredns. It supports both standalone coredns deployment and
coredns deployment in Kubernetes. Standalone coredns deployment uses the log fileset, while
Kubernetes coredns deployment uses the kubernetes fileset.

[float]
=== Compatibility

Although this module has been developed against Kubernetes v1.13.x, it is expected to work
with other versions of Kubernetes.

[float]
=== Example dashboard

This module comes with a sample dashboard.

[role="screenshot"]
image::./images/Coredns_Overview_Dashboard.jpg[]


[float]
=== Fields

For a description of each field in the module, see the
<<exported-fields-coredns,exported fields>> section.
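Review bot: the Compatibility section names the Kubernetes version this was developed against (v1.13.x) but not the CoreDNS version or `log` plugin output format the pipeline was tested with, which is what users of the standalone deployment actually need to know; please add it. The module description ("Standalone coredns deployment uses the log fileset, while Kubernetes coredns deployment uses the kubernetes fileset") also needs rechecking against the later commit in this PR that merges the two filesets (f32bc05 "Merge two filesets into one"). This file is generated from the module's `_meta/docs.asciidoc` (see the header comment), so make both changes there.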

2 changes: 2 additions & 0 deletions filebeat/docs/modules_list.asciidoc
Expand Up @@ -5,6 +5,7 @@ This file is generated! See scripts/docs_collector.py
* <<filebeat-modules-overview>>
* <<filebeat-module-apache>>
* <<filebeat-module-auditd>>
* <<filebeat-module-coredns>>
* <<filebeat-module-elasticsearch>>
* <<filebeat-module-haproxy>>
* <<filebeat-module-icinga>>
Expand Down Expand Up @@ -33,6 +34,7 @@ This file is generated! See scripts/docs_collector.py
include::modules-overview.asciidoc[]
include::modules/apache.asciidoc[]
include::modules/auditd.asciidoc[]
include::modules/coredns.asciidoc[]
include::modules/elasticsearch.asciidoc[]
include::modules/haproxy.asciidoc[]
include::modules/icinga.asciidoc[]
13 changes: 13 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
Expand Up @@ -82,6 +82,19 @@ filebeat.modules:
# can be added under this section.
#input:

#------------------------------- Coredns Module -------------------------------
- module: coredns
# Fileset for native deployment
log:
enabled: true
# Fileset for Kubernetes deployment
kubernetes:
enabled: false

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

#---------------------------- Elasticsearch Module ----------------------------
- module: elasticsearch
# Server log
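Review bot: the `#var.paths:` comment in this block sits after both filesets, so it is not clear whether it applies to `log`, to `kubernetes`, or to the module as a whole; other multi-fileset modules in this file carry a `var.paths` comment under each fileset, and the `log` fileset is the one with a file path to override. This section is generated from `x-pack/filebeat/module/coredns/_meta/config.yml` (the same content appears later in this PR), so the fix belongs there rather than in this file.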
1 change: 1 addition & 0 deletions x-pack/filebeat/include/list.go


160 changes: 160 additions & 0 deletions x-pack/filebeat/module/coredns/README.md
@@ -0,0 +1,160 @@
# Coredns Module

This is a filebeat module for coredns. It supports both standalone coredns deployment and
coredns deployment in Kubernetes.

## Caveats

* Module is to be considered _beta_.

## Download and install Filebeat

Grab the filebeat binary from elastic.co, and install it by following the instructions.

## Deployment Scenario #1: coredns native deployment

Make sure to update coredns configuration to enable log plugin. This module assumes that coredns log
entries will be written to /var/log/coredns.log. Should it be not the case, please point the module
log path to the path of the log file.

Update filebeat.yml to point to Elasticsearch and Kibana.
Setup Filebeat.
```
./filebeat setup --modules coredns -e
```

Enable the Filebeat coredns module
```
./filebeat modules enable coredns
```

Start Filebeat
```
./filebeat -e
```

Now, the Coredns logs and dashboard should appear in Kibana.


## Deployment Scenario #2: coredns for kubernetes

For Kubernetes deployment, the filebeat daemon-set yaml file needs to be deployed to the
Kubernetes cluster. Sample configuration files is provided under the `beats/deploy/filebeat`
directory, and can be deployed by doing the following:
```
kubectl apply -f filebeat
```

#### Note the following section in the ConfigMap, make changes to the yaml file if necessary
```
filebeat.autodiscover:
providers:
- type: kubernetes
hints.enabled: true
default.disable: true

processors:
- add_kubernetes_metadata:
in_cluster: true
@andrewkroh (Member), Mar 21, 2019:

The indentation here looks like it's off by 2 spaces.

Author:

Yes, good catch. It was manually edited for the README and a mistake was made.

```

This enables auto-discovery and hints for filebeat. When default.disable is set to true (default value is false), it will disable log harvesting for the pod/container, unless it has specific annotations enabled. This gives users more granular control on kubernetes log ingestion. The `add_kubernetes_metadata` processor will add enrichment data for Kubernetes to the ingest logs.

#### Note the following section in the DaemonSet, make changes to the yaml file if necessary
```
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: filebeat
namespace: kube-system
labels:
k8s-app: filebeat
spec:
template:
metadata:
labels:
k8s-app: filebeat
spec:
serviceAccountName: filebeat
terminationGracePeriodSeconds: 30
containers:
- name: filebeat
image: docker.elastic.co/beats/filebeat:%VERSION%
args: [
"sh", "-c", "filebeat setup -e --modules coredns -c /etc/filebeat.yml && filebeat -e -c /etc/filebeat.yml"
]
env:
# Edit the following values to reflect your setup accordingly
- name: ELASTICSEARCH_HOST
value: 192.168.99.1
- name: ELASTICSEARCH_USERNAME
value: elastic
- name: ELASTICSEARCH_PASSWORD
value: changeme
- name: KIBANA_HOST
value: 192.168.99.1
```

The module setup step can also be done separately without Kubernetes if applicable, and in that case, the args can be simplified to:
```
args: [
"sh", "-c", "filebeat -e -c /etc/filebeat.yml"
]
```

### Note that you probably need to update the coredns configmap to enable logging, and coredns deployment to add proper annotations.

##### Sample ConfigMap for coredns:

```
apiVersion: v1
data:
Corefile: |
.:53 {
log
errors
health
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods verified
endpoint_pod_names
upstream
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
proxy . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
kind: ConfigMap
metadata:
creationTimestamp: "2019-01-31T21:02:57Z"
name: coredns
namespace: kube-system
resourceVersion: "185717"
selfLink: /api/v1/namespaces/kube-system/configmaps/coredns
uid: 95a5d5cb-259b-11e9-8e5d-080027971f3c
```

#### Sample Deployment for coredns. Note the annotations.

```
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: coredns
spec:
replicas: 2
template:
metadata:
annotations:
"co.elastic.logs/module": "coredns"
"co.elastic.logs/fileset": "kubernetes"
"co.elastic.logs/disable": "false"
labels:
k8s-app: coredns
spec:
<snipped>
```
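Review bot: the DaemonSet sample sets `ELASTICSEARCH_PASSWORD` with a plain `value: changeme` alongside the host and username; since this manifest is meant to be copied and applied, reference a Secret instead (`valueFrom:` / `secretKeyRef:` with the secret name and key) so the credential is not committed with the manifest. Two smaller points in the same file: both the DaemonSet and the CoreDNS Deployment use `apiVersion: extensions/v1beta1`, while `apps/v1` has been available since Kubernetes 1.9 and is the API the stated v1.13.x target should use; and the sample CoreDNS ConfigMap carries metadata copied from one particular cluster (`creationTimestamp`, `resourceVersion`, `selfLink`, `uid`) that has no place in a sample and should be stripped, leaving only `name` and `namespace`.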

11 changes: 11 additions & 0 deletions x-pack/filebeat/module/coredns/_meta/config.yml
@@ -0,0 +1,11 @@
- module: coredns
# Fileset for native deployment
log:
enabled: true
# Fileset for Kubernetes deployment
kubernetes:
enabled: false

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
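Review bot: the README in this PR says the module assumes CoreDNS writes to `/var/log/coredns.log`, but the `var.paths` comment here is the generic "Filebeat will choose the paths depending on your OS" text and sits after both filesets, so a user cannot tell which fileset it configures or what the default is; put a `var.paths` entry under `log` and state the default in its comment, e.g. `# Set custom paths for the log files. The default is /var/log/coredns.log.`, and give `kubernetes` its own entry only if it needs one. This file feeds `filebeat.reference.yml`, so the change shows up there on regeneration.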