[Filebeat] Update handling of elasticsearch server logs #30018

Merged: 29 commits, Jan 28, 2022

Commits:
9bb84b7  New log samples from 8.0 branch  (matschaffer, Jan 26, 2022)
ccb7ad5  Likely pipeline updates  (matschaffer, Jan 26, 2022)
4dc1328  Do not rename `@timestamp` instead copy to make sure there is always …  (kvch, Jan 26, 2022)
344352c  override `@timestamp` if needed  (kvch, Jan 26, 2022)
84bbaa5  Merge remote-tracking branch 'upstream/master' into 29880-es-8-server…  (kvch, Jan 26, 2022)
4671444  Isolate 7 & 8 pipelines for es server logs  (matschaffer, Jan 27, 2022)
bd320d8  Re-generated expected 8.0.0 server log documents  (matschaffer, Jan 27, 2022)
df482e0  Merge remote-tracking branch 'upstream/master' into 29880-es-8-server…  (matschaffer, Jan 27, 2022)
d0095f9  Fix slowlog set pipeline entries  (matschaffer, Jan 27, 2022)
100ad26  support 8.x deprecation logs  (klacabane, Jan 27, 2022)
455b4f9  support 8.x slowlog logs  (klacabane, Jan 27, 2022)
feddd42  adapt deprecation tests to new format  (klacabane, Jan 27, 2022)
98df0c1  New 8.0.0 slowlog samples from @pgomulka  (matschaffer, Jan 28, 2022)
fc2b942  No need to re-parse the message json  (matschaffer, Jan 28, 2022)
4e273db  Drop unrecognized json  (matschaffer, Jan 28, 2022)
7b8b5cb  Map up most of the slowlog 8 fields  (matschaffer, Jan 28, 2022)
57f77ef  Actually pull took_millis  (matschaffer, Jan 28, 2022)
91c2539  Preserve slow log message field  (matschaffer, Jan 28, 2022)
7fcd2b7  Raise new slowlog fields to doc root  (matschaffer, Jan 28, 2022)
33e0a6f  Update es slowlog expectation files  (matschaffer, Jan 28, 2022)
aee4d57  Revert debugging change  (matschaffer, Jan 28, 2022)
9dc1124  Rework slowlogs using strategy idea from @ruflin  (matschaffer, Jan 28, 2022)
adc7cf8  Revert debugging message (again)  (matschaffer, Jan 28, 2022)
675403e  update elasticsearch fields  (klacabane, Jan 28, 2022)
0923cd4  rework 8.x deprecation logs pipeline  (klacabane, Jan 28, 2022)
3b10008  add audit 8.x test logs  (klacabane, Jan 28, 2022)
1e1c940  add missing audit fields  (klacabane, Jan 28, 2022)
8a2cc61  handle trace.id in audit logs  (klacabane, Jan 28, 2022)
a254d7b  add elasticsearch missing field types  (klacabane, Jan 28, 2022)
47 changes: 47 additions & 0 deletions filebeat/docs/fields.asciidoc
@@ -49735,6 +49735,39 @@ example: 0

--

*`elasticsearch.elastic_product_origin`*::
+
--
Used by Elastic stack to identify which component of the stack sent the request

type: keyword

example: kibana

--

*`elasticsearch.http.request.x_opaque_id`*::
+
--
Used by Elasticsearch to throttle and deduplicate deprecation warnings

type: keyword

example: v7app

--

*`elasticsearch.event.category`*::
+
--
Category of the deprecation event

type: keyword

example: compatible_api

--


*`elasticsearch.audit.layer`*::
+
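Review bot: the three new entries (`elasticsearch.elastic_product_origin`, `elasticsearch.http.request.x_opaque_id`, `elasticsearch.event.category`) are described as deprecation-log fields ("Category of the deprecation event", "throttle and deduplicate deprecation warnings") yet sit in the module-wide section ahead of `elasticsearch.audit.layer`, so they will read as applying to every fileset. This file is generated, so the fix belongs in the fields.yml they come from: move them into the deprecation fileset's field definitions, or word the descriptions so they hold for the whole module.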
@@ -49922,6 +49955,20 @@ type: boolean

--

*`elasticsearch.audit.authentication.type`*::
+
Contributor Author (matschaffer) commented:

I don't think we should be adding these to the documentation. Maybe @pgomulka can confirm but fields that don't have the elasticsearch. prefix appear to be all ECS fields (for example this one is https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-dataset)

We can lift the field up to the root of the document to avoid having to document them here.

Contributor replied:

> I don't think we should be adding these to the documentation. Maybe @pgomulka can confirm but fields that don't have the elasticsearch. prefix appear to be all ECS fields (for example this one is https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-dataset)
> We can lift the field up to the root of the document to avoid having to document them here.

Yes, as mentioned in other comments. Logs emitted by ES8 are ECS and don't need to be renamed. Could be just attached to the root of the document.

Contributor Author (matschaffer) replied, Jan 28, 2022:

Actually @ruflin's idea might work even better. Just use add_to_root+dot_expander and you can avoid a lot of the remapping I think. Check out slowlog/ingest/pipeline-json-8.yml

--
type: keyword

--

*`elasticsearch.audit.opaque_id`*::
+
--
type: text

--

[float]
=== deprecation

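Review bot: the two new audit entries (`elasticsearch.audit.authentication.type`, `elasticsearch.audit.opaque_id`) carry only a `type:` line and no description, unlike the entries above them that explain what the value means. Add a one-line description in the source fields.yml (what values `authentication.type` takes, and that `opaque_id` is the caller-supplied X-Opaque-Id request header value) so the generated reference is usable.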
12 changes: 12 additions & 0 deletions filebeat/module/elasticsearch/_meta/fields.yml
@@ -40,3 +40,15 @@
description: "Id of the shard"
example: "0"
type: keyword
- name: elastic_product_origin
type: keyword
description: "Used by Elastic stack to identify which component of the stack sent the request"
example: "kibana"
- name: http.request.x_opaque_id
description: "Used by Elasticsearch to throttle and deduplicate deprecation warnings"
example: "v7app"
type: keyword
- name: event.category
description: "Category of the deprecation event"
example: "compatible_api"
type: keyword
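Review bot: `event.category` defined under the `elasticsearch.` namespace mirrors the ECS field name that this module already populates at the document root (the audit expected output in this PR has `event.category: database`), and its description is deprecation-specific while this is the module-level fields.yml. Either move it, together with `http.request.x_opaque_id` and `elastic_product_origin`, into the deprecation fileset's `_meta/fields.yml`, or give it a name that does not echo an ECS field; otherwise users see two `event.category` fields with different meanings in the same index.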
4 changes: 4 additions & 0 deletions filebeat/module/elasticsearch/audit/_meta/fields.yml
@@ -70,3 +70,7 @@
type: text
- name: invalidate.apikeys.owned_by_authenticated_user
type: boolean
- name: authentication.type
type: keyword
- name: opaque_id
type: text
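Review bot: `opaque_id` is typed `text`, but the value is an identifier (`myApp1` in the new fixture) that operators will filter on exactly and aggregate by; an analyzed `text` field supports neither exact-match term queries nor terms aggregations without a keyword subfield. Use `keyword` here, matching `authentication.type` just above.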
10 changes: 10 additions & 0 deletions filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml
@@ -176,6 +176,16 @@ processors:
field: elasticsearch.audit.level
target_field: log.level
ignore_missing: true
- dot_expander:
field: trace.id
path: elasticsearch.audit
- rename:
field: elasticsearch.audit.trace.id
target_field: trace.id
ignore_missing: true
- remove:
field: elasticsearch.audit.trace.id
ignore_missing: true
- date:
field: elasticsearch.audit.@timestamp
target_field: "@timestamp"
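Review bot: the `remove` of `elasticsearch.audit.trace.id` is dead code: the preceding `rename` moves the value to `trace.id`, so by the time `remove` runs the source path no longer exists and `ignore_missing` turns it into a no-op. Drop the `remove` block, or if it is meant to cover a skipped `rename`, say so in a comment, because as written the extra step only obscures the intent.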
6 changes: 3 additions & 3 deletions filebeat/module/elasticsearch/audit/ingest/pipeline.yml
@@ -3,9 +3,9 @@ processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
- rename:
field: '@timestamp'
target_field: event.created
- set:
copy_from: "@timestamp"
field: event.created
- grok:
field: message
patterns:
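Review bot: switching from `rename` to `set`/`copy_from` means `@timestamp` now keeps Filebeat's read time until the `date` processor in pipeline-json.yml (visible above, target `"@timestamp"`) overwrites it, instead of being absent. That is the stated intent, but a line whose timestamp fails to parse is now indexed with the read time as `@timestamp`, identical to `event.created`, and nothing flags it. A short comment here explaining the fallback, plus a fixture line with an unparseable timestamp so the expected output documents the behaviour, would make that explicit.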
3 changes: 3 additions & 0 deletions filebeat/module/elasticsearch/audit/test/test-audit-800.log
@@ -0,0 +1,3 @@
{"type":"audit", "timestamp":"2022-01-27T14:16:25,271+0100", "node.id":"O8SFUsk8QpGG16JVJcNgUw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:64583", "request.id":"yEUG-8deS2y8ZxGgeyeUnw", "action":"indices:admin/create", "request.name":"CreateIndexRequest", "indices":["test_1"], "opaque_id":"myApp1", "trace.id":"0af7651916cd43dd8448eb211c80319c"}
{"type":"audit", "timestamp":"2022-01-27T14:16:28,601+0100", "node.id":"O8SFUsk8QpGG16JVJcNgUw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:64583", "request.id":"qo04VI2qRzKrE1dlrsjYgw", "action":"indices:admin/create", "request.name":"CreateIndexRequest", "indices":["test_2"]}
{"type":"audit", "timestamp":"2022-01-27T14:16:30,950+0100", "node.id":"O8SFUsk8QpGG16JVJcNgUw", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:64583", "url.path":"/test_3", "request.method":"PUT", "request.id":"0ybRdKGYRAekov1eKI6nIw", "opaque_id":"myApp1", "trace.id":"0af7651916cd43dd8448eb211c80319c"}
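Review bot: coverage for the new fields is reasonable: lines 1 and 3 carry `opaque_id` and `trace.id`, line 2 omits both, so the `ignore_missing` paths are exercised, and line 3 is a denied anonymous request with no `user.*` keys. All three samples come from one node with `authentication.type` always `REALM` and realm `reserved`, so the new keyword field is only ever seen with a single value; a sample with a different authentication type (the API-key events referenced by the `invalidate.apikeys` fields in this module) would show the mapping is not REALM-specific.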
@@ -0,0 +1,105 @@
[
{
"@timestamp": "2022-01-27T13:16:25.271Z",
"elasticsearch.audit.action": "indices:admin/create",
"elasticsearch.audit.authentication.type": "REALM",
"elasticsearch.audit.indices": [
"test_1"
],
"elasticsearch.audit.layer": "transport",
"elasticsearch.audit.opaque_id": "myApp1",
"elasticsearch.audit.origin.type": "rest",
"elasticsearch.audit.request.id": "yEUG-8deS2y8ZxGgeyeUnw",
"elasticsearch.audit.request.name": "CreateIndexRequest",
"elasticsearch.audit.user.realm": "reserved",
"elasticsearch.audit.user.roles": [
"superuser"
],
"elasticsearch.node.id": "O8SFUsk8QpGG16JVJcNgUw",
"event.action": "access_granted",
"event.category": "database",
"event.dataset": "elasticsearch.audit",
"event.kind": "event",
"event.module": "elasticsearch",
"event.outcome": "success",
"fileset.name": "audit",
"host.id": "O8SFUsk8QpGG16JVJcNgUw",
"http.request.id": "yEUG-8deS2y8ZxGgeyeUnw",
"input.type": "log",
"log.offset": 0,
"message": "{\"type\":\"audit\", \"timestamp\":\"2022-01-27T14:16:25,271+0100\", \"node.id\":\"O8SFUsk8QpGG16JVJcNgUw\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"authentication.type\":\"REALM\", \"user.name\":\"elastic\", \"user.realm\":\"reserved\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\", \"origin.address\":\"[::1]:64583\", \"request.id\":\"yEUG-8deS2y8ZxGgeyeUnw\", \"action\":\"indices:admin/create\", \"request.name\":\"CreateIndexRequest\", \"indices\":[\"test_1\"], \"opaque_id\":\"myApp1\", \"trace.id\":\"0af7651916cd43dd8448eb211c80319c\"}",
"related.user": [
"elastic"
],
"service.type": "elasticsearch",
"source.address": "[::1]:64583",
"source.ip": "::1",
"source.port": 64583,
"trace.id": "0af7651916cd43dd8448eb211c80319c",
"user.name": "elastic"
},
{
"@timestamp": "2022-01-27T13:16:28.601Z",
"elasticsearch.audit.action": "indices:admin/create",
"elasticsearch.audit.authentication.type": "REALM",
"elasticsearch.audit.indices": [
"test_2"
],
"elasticsearch.audit.layer": "transport",
"elasticsearch.audit.origin.type": "rest",
"elasticsearch.audit.request.id": "qo04VI2qRzKrE1dlrsjYgw",
"elasticsearch.audit.request.name": "CreateIndexRequest",
"elasticsearch.audit.user.realm": "reserved",
"elasticsearch.audit.user.roles": [
"superuser"
],
"elasticsearch.node.id": "O8SFUsk8QpGG16JVJcNgUw",
"event.action": "access_granted",
"event.category": "database",
"event.dataset": "elasticsearch.audit",
"event.kind": "event",
"event.module": "elasticsearch",
"event.outcome": "success",
"fileset.name": "audit",
"host.id": "O8SFUsk8QpGG16JVJcNgUw",
"http.request.id": "qo04VI2qRzKrE1dlrsjYgw",
"input.type": "log",
"log.offset": 517,
"message": "{\"type\":\"audit\", \"timestamp\":\"2022-01-27T14:16:28,601+0100\", \"node.id\":\"O8SFUsk8QpGG16JVJcNgUw\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"authentication.type\":\"REALM\", \"user.name\":\"elastic\", \"user.realm\":\"reserved\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\", \"origin.address\":\"[::1]:64583\", \"request.id\":\"qo04VI2qRzKrE1dlrsjYgw\", \"action\":\"indices:admin/create\", \"request.name\":\"CreateIndexRequest\", \"indices\":[\"test_2\"]}",
"related.user": [
"elastic"
],
"service.type": "elasticsearch",
"source.address": "[::1]:64583",
"source.ip": "::1",
"source.port": 64583,
"user.name": "elastic"
},
{
"@timestamp": "2022-01-27T13:16:30.950Z",
"elasticsearch.audit.layer": "rest",
"elasticsearch.audit.opaque_id": "myApp1",
"elasticsearch.audit.origin.type": "rest",
"elasticsearch.audit.request.id": "0ybRdKGYRAekov1eKI6nIw",
"elasticsearch.node.id": "O8SFUsk8QpGG16JVJcNgUw",
"event.action": "anonymous_access_denied",
"event.category": "database",
"event.dataset": "elasticsearch.audit",
"event.kind": "event",
"event.module": "elasticsearch",
"event.outcome": "failure",
"fileset.name": "audit",
"host.id": "O8SFUsk8QpGG16JVJcNgUw",
"http.request.id": "0ybRdKGYRAekov1eKI6nIw",
"http.request.method": "PUT",
"input.type": "log",
"log.offset": 965,
"message": "{\"type\":\"audit\", \"timestamp\":\"2022-01-27T14:16:30,950+0100\", \"node.id\":\"O8SFUsk8QpGG16JVJcNgUw\", \"event.type\":\"rest\", \"event.action\":\"anonymous_access_denied\", \"origin.type\":\"rest\", \"origin.address\":\"[::1]:64583\", \"url.path\":\"/test_3\", \"request.method\":\"PUT\", \"request.id\":\"0ybRdKGYRAekov1eKI6nIw\", \"opaque_id\":\"myApp1\", \"trace.id\":\"0af7651916cd43dd8448eb211c80319c\"}",
"service.type": "elasticsearch",
"source.address": "[::1]:64583",
"source.ip": "::1",
"source.port": 64583,
"trace.id": "0af7651916cd43dd8448eb211c80319c",
"url.original": "/test_3"
}
]
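Review bot: none of the three expected documents sets ECS `event.type`, although every source line carries `event.type` (`transport`/`rest`), which the pipeline stores as `elasticsearch.audit.layer`. Since `event.kind`, `event.category`, `event.action` and `event.outcome` are all filled in, consider deriving `event.type` as well (for example `access` for `access_granted`, `denied` for `anonymous_access_denied`) so these events line up with other modules' access events in ECS-based detection rules. Also note that `trace.id` lands at the root while `opaque_id` stays under `elasticsearch.audit.`, which matches the ECS discussion in the review thread above.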
@@ -0,0 +1,97 @@
description: Pipeline for parsing the Elasticsearch deprecation log file in JSON format.
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
processors:
- json:
field: message
target_field: elasticsearch.deprecation
- drop:
if: '!["deprecation", "deprecation.elasticsearch"].contains(ctx.elasticsearch.deprecation.type)'
- remove:
field: elasticsearch.deprecation.type
- dot_expander:
field: service.name
path: elasticsearch.deprecation
- rename:
field: elasticsearch.deprecation.service.name
target_field: service.name
ignore_missing: true
- rename:
field: elasticsearch.deprecation.level
target_field: log.level
ignore_missing: true
- dot_expander:
field: log.level
path: elasticsearch.deprecation
- rename:
field: elasticsearch.deprecation.log.level
target_field: log.level
ignore_missing: true
- dot_expander:
field: log.logger
path: elasticsearch.deprecation
- rename:
field: elasticsearch.deprecation.log.logger
target_field: log.logger
ignore_missing: true
- dot_expander:
field: process.thread.name
path: elasticsearch.deprecation
- rename:
field: elasticsearch.deprecation.process.thread.name
target_field: process.thread.name
ignore_missing: true
- rename:
field: elasticsearch.deprecation.component
target_field: elasticsearch.component
ignore_missing: true
- dot_expander:
field: cluster.name
path: elasticsearch.deprecation
- rename:
field: elasticsearch.deprecation.cluster.name
target_field: elasticsearch.cluster.name
- dot_expander:
field: node.name
path: elasticsearch.deprecation
- rename:
field: elasticsearch.deprecation.node.name
target_field: elasticsearch.node.name
- dot_expander:
field: cluster.uuid
path: elasticsearch.deprecation
- rename:
field: elasticsearch.deprecation.cluster.uuid
target_field: elasticsearch.cluster.uuid
ignore_missing: true
- dot_expander:
field: node.id
path: elasticsearch.deprecation
- rename:
field: elasticsearch.deprecation.node.id
target_field: elasticsearch.node.id
ignore_missing: true
- remove:
field: message
- rename:
field: elasticsearch.deprecation.message
target_field: message
- date:
field: 'elasticsearch.deprecation.@timestamp'
formats:
- ISO8601
ignore_failure: true
if: 'ctx.elasticsearch?.deprecation["@timestamp"] != null'
- date:
field: 'elasticsearch.deprecation.timestamp'
formats:
- ISO8601
ignore_failure: true
if: 'ctx.elasticsearch?.deprecation?.timestamp != null'
- remove:
field:
- elasticsearch.deprecation.timestamp
- elasticsearch.deprecation.@timestamp
ignore_missing: true
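Review bot: the `rename` processors for `elasticsearch.deprecation.cluster.name` and `elasticsearch.deprecation.node.name` are the only two without `ignore_missing: true`; a log line lacking either key fails the whole pipeline and the document is indexed with just `error.message`, while every sibling rename tolerates absence. Add `ignore_missing: true` to both. Secondary: `log.level` is the target of two renames (from `level` and from `log.level`); that works when a line has only one of them, but a line carrying both fails on the second rename because the target already exists, so an `if` guard on the second rename would make the intent explicit.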
@@ -0,0 +1,15 @@
description: Pipeline for parsing the Elasticsearch deprecation log file in JSON format.
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
processors:
- json:
field: message
add_to_root: true
- dot_expander:
field: '*'
override: true
- set:
field: event.dataset
value: elasticsearch.deprecation
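Review bot: `add_to_root: true` copies every key of the log line onto the document root and overwrites any field already there, including the ones Filebeat set before ingest (`host.*`, `agent.*`, `log.file.path`, `event.dataset`); the trailing `set` repairs `event.dataset` for the reason given in the comment on lines 13 to 15, but every other colliding key is taken from the log line unchecked. Unlike the 7.x pipeline above there is also no `drop` guarding on the line's `type`, so anything routed here is indexed as `elasticsearch.deprecation`. Consider a `drop` on unexpected types and a fixture line containing a colliding key (for example `host.name`) so the expected output records which side wins; at minimum, document that this pipeline trusts the log producer for ECS fields.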
Comment on lines +13 to +15

Contributor commented:

Elasticsearch currently produces an inconsistent dataset for deprecation logs which has the product and type reversed (i.e. deprecation.elasticsearch). This is a temporary pipeline override that will be removed once the inconsistency is fixed on the producer side.

Contributor commented:

@klacabane Create a followup issue for this change.

Contributor commented:

I think there was some intention around this elastic/elasticsearch#68737 but let's not hold off this PR on this and follow up on it.