Fix filebeat system module timezone parsing

[pragkent]

Closes #13306

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[jsoriano]

ok to test

[jsoriano]

@pragkent thanks for reporting the issue and opening this PR to fix it. I think that you are actually right and we are incorrectly handling timezones, at least since #12253 (7.3.0).

I wonder if other modules are affected too after #12311.

Could you also add a changelog entry mentioning the fix?

[pragkent]

Sure, I'll handle this later

[pragkent]

And maybe I can try to fix this issue in other modules by the way.

[ghost]

Hi @pragkent, we have found your signature in our records, but it seems like you have signed with a different e-mail than the one used in your Git commit. Can you please add both of these e-mails into your Github profile (they can be hidden), so we can match your e-mails to your Github profile?

[jsoriano]

@pragkent Thanks for looking at these modules too, but let's focus first on the system module. For the elasticsearch one I think we will also need to change the formats, because it is actually like ISO8601, but without timezone.

[pragkent]

@jsoriano yes, you are correct. we need to define a new format, or the timezone is wrong. I'll fix it later.

[pragkent]

I grabbed some elasticsearch 7.3 logs from our server, it seems that ISO8601 format was used (timezone included). So, use ISO8601 format for parsing is actually right.

And logs from elasticsearch 6.x does not have timezone part, as you said.

So I added a format for parsing elasticsearch 6.x logs.

Could you please double-check that?

Part of the logs is listed as follow:

{"type": "deprecation", "timestamp": "2019-08-20T05:08:27,756+0000", "level": "WARN", "component": "o.e.d.c.s.Settings", "cluster.name": "hulk", "node.name": "hulk-es-22x9pqqc4q",  "message": "[discovery.zen.hosts_provider] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version."  }

{"type": "server", "timestamp": "2019-08-22T20:52:56,131+0000", "level": "INFO", "component": "o.e.m.j.JvmGcMonitorService", "cluster.name": "hulk", "node.name": "hulk-es-22x9pqqc4q", "cluster.uuid": "3pYlYTCPT4iLMqHmeq7Yew", "node.id": "UFfAvAUkTIuOlUbMgT9x0A",  "message": "[gc][229011] overhead, spent [293ms] collecting in the last [1s]"  }

[jsoriano]

Looks good, but I think we could remove the ISO8601 format.

[jsoriano]

Or do something like what I proposed for ISO8601 in the system module.

[pragkent]

Hmm, I think we should not remove ISO8601 for elasticsearch module. For example, if we have elasticsearch 7.3, and have event.timezone set, then the parsing will failed without this ISO8601 format.

[jsoriano]

I am trying and this seems correct in 7.3 for JSON logs, but not for plain text logs. We may need to move date parsing to the specific pipeline (there are three pipelines, a common one, and another two for the specific needings of plain text and json formats).
Also I think that the format for timestamps without timezone should be yyyy-MM-dd'T'HH:mm:ss,SSS, as they contain milliseconds.

[pragkent]

You are right. I just changed the format to yyyy-MM-dd'T'HH:mm:ss,SSS. When the format is yyyy-MM-dd'T'HH:mm:ss, the date processor will always choose ISO8601 format for parsing, because the time in log files contain milliseconds part.

Is there any other reasons which caused plain text logs parsing failure that I missed out?

[jsoriano]

Changes in Kafka and nginx modules LGTM, let's not add more modules to this PR.
I have added a couple of comments for elasticsearch and system modules.

[jsoriano]

Looks good, but I think we could remove the ISO8601 format.

[pragkent]

Changes in Kafka and nginx modules LGTM, let's not add more modules to this PR.
I have added a couple of comments for elasticsearch and system modules.

I just reverted changes to nginx and kafka modules.

[jsoriano]

It seems to be working for the system module, but I am not so sure about the elasticsearch one. What do you think about focusing in this PR on the system module and fix the other modules in other PRs?

[pragkent]

It seems to be working for the system module, but I am not so sure about the elasticsearch one. What do you think about focusing in this PR on the system module and fix the other modules in other PRs?

OK, I'll submit other prs for other modules

[pragkent]

I've updated the commits to only include changes about system module.

[pragkent]

@jsoriano Just created a few PRs:

#13367 elasticsearch
#13368 kafka
#13369 nginx

[ztyzbb]

Found a similar date processor usage in logstash module.
filebeat/module/logstash/log/ingest/pipeline-plain.json
Does it need a fix too?

[jsoriano]

@ztyzbb yes, I can confirm that this issue also happens in logstash module when parsing plain text files. I will open a PR to fix this.