[Filebeat] Update handling of elasticsearch server logs #30018

Merged
merged 29 commits into from
Jan 28, 2022
Changes from 2 commits

29 commits
9bb84b7
New log samples from 8.0 branch
matschaffer Jan 26, 2022
ccb7ad5
Likely pipeline updates
matschaffer Jan 26, 2022
4dc1328
Do not rename `@timestamp` instead copy to make sure there is always …
kvch Jan 26, 2022
344352c
override `@timestamp` if needed
kvch Jan 26, 2022
84bbaa5
Merge remote-tracking branch 'upstream/master' into 29880-es-8-server…
kvch Jan 26, 2022
4671444
Isolate 7 & 8 pipelines for es server logs
matschaffer Jan 27, 2022
bd320d8
Re-generated expected 8.0.0 server log documents
matschaffer Jan 27, 2022
df482e0
Merge remote-tracking branch 'upstream/master' into 29880-es-8-server…
matschaffer Jan 27, 2022
d0095f9
Fix slowlog set pipeline entries
matschaffer Jan 27, 2022
100ad26
support 8.x deprecation logs
klacabane Jan 27, 2022
455b4f9
support 8.x slowlog logs
klacabane Jan 27, 2022
feddd42
adapt deprecation tests to new format
klacabane Jan 27, 2022
98df0c1
New 8.0.0 slowlog samples from @pgomulka
matschaffer Jan 28, 2022
fc2b942
No need to re-parse the message json
matschaffer Jan 28, 2022
4e273db
Drop unrecognized json
matschaffer Jan 28, 2022
7b8b5cb
Map up most of the slowlog 8 fields
matschaffer Jan 28, 2022
57f77ef
Actually pull took_millis
matschaffer Jan 28, 2022
91c2539
Preserve slow log message field
matschaffer Jan 28, 2022
7fcd2b7
Raise new slowlog fields to doc root
matschaffer Jan 28, 2022
33e0a6f
Update es slowlog expectation files
matschaffer Jan 28, 2022
aee4d57
Revert debugging change
matschaffer Jan 28, 2022
9dc1124
Rework slowlogs using strategy idea from @ruflin
matschaffer Jan 28, 2022
adc7cf8
Revert debugging message (again)
matschaffer Jan 28, 2022
675403e
update elasticsearch fields
klacabane Jan 28, 2022
0923cd4
rework 8.x deprecation logs pipeline
klacabane Jan 28, 2022
3b10008
add audit 8.x test logs
klacabane Jan 28, 2022
1e1c940
add missing audit fields
klacabane Jan 28, 2022
8a2cc61
handle trace.id in audit logs
klacabane Jan 28, 2022
a254d7b
add elasticsearch missing field types
klacabane Jan 28, 2022
42 changes: 23 additions & 19 deletions filebeat/module/elasticsearch/server/ingest/pipeline-json.yml
Expand Up @@ -7,51 +7,55 @@ processors:
- json:
field: message
target_field: elasticsearch.server
- dot_expander:
field: event.dataset
path: elasticsearch.server
- drop:
if: ctx.elasticsearch.server.type != 'server'
- remove:
field: elasticsearch.server.type
if: ctx.elasticsearch.server.event.dataset != 'elasticsearch.server'
- rename:
field: elasticsearch.server.event.dataset
target_field: event.dataset
ignore_missing: true
- dot_expander:
field: ecs.version
path: elasticsearch.server
- rename:
field: elasticsearch.server.ecs.version
target_field: ecs.version
ignore_missing: true
- dot_expander:
field: service.name
path: elasticsearch.server
- rename:
field: elasticsearch.server.service.name
target_field: service.name
ignore_missing: true
- rename:
field: elasticsearch.server.component
target_field: elasticsearch.component
ignore_missing: true
- dot_expander:
field: cluster.name
field: elasticsearch.cluster.name
path: elasticsearch.server
- rename:
field: elasticsearch.server.cluster.name
field: elasticsearch.server.elasticsearch.cluster.name
target_field: elasticsearch.cluster.name
- dot_expander:
field: node.name
field: elasticsearch.node.name
path: elasticsearch.server
- rename:
field: elasticsearch.server.node.name
field: elasticsearch.server.elasticsearch.node.name
target_field: elasticsearch.node.name
- dot_expander:
field: cluster.uuid
field: elasticsearch.cluster.uuid
path: elasticsearch.server
- rename:
field: elasticsearch.server.cluster.uuid
field: elasticsearch.server.elasticsearch.cluster.uuid
target_field: elasticsearch.cluster.uuid
ignore_missing: true
- dot_expander:
field: node.id
field: elasticsearch.node.id
path: elasticsearch.server
- rename:
field: elasticsearch.server.node.id
field: elasticsearch.server.elasticsearch.node.id
target_field: elasticsearch.node.id
ignore_missing: true
- rename:
field: elasticsearch.server.level
target_field: log.level
ignore_missing: true
- dot_expander:
field: log.level
path: elasticsearch.server
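Review bot: the new drop condition `if: ctx.elasticsearch.server.event.dataset != 'elasticsearch.server'` is not null-safe. When the parsed JSON has no `event.dataset` key (the 7.x server lines that this PR removes from the test fixture carry `"type":"server"` and no `event.dataset`), `ctx.elasticsearch.server.event` is null and the Painless expression throws instead of evaluating to true, so the whole document fails the pipeline rather than being dropped, and those log lines are lost from the index without an obvious signal. Either use the null-safe form (`ctx.elasticsearch.server.event?.dataset != 'elasticsearch.server'`) or keep the removed `type` check as a fallback for 7.x input, and decide explicitly whether 7.x documents should be dropped or routed elsewhere. Also, the renames for `elasticsearch.server.elasticsearch.cluster.name` and `elasticsearch.server.elasticsearch.node.name` still lack `ignore_missing: true` while the `cluster.uuid` and `node.id` renames have it, so a server line missing either key fails on the rename rather than being indexed with the field absent.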
@@ -1,3 +1,3 @@
{"@timestamp":"2020-04-14T14:05:58.019Z", "log.level": "INFO", "message":"adding template [.management-beats] for index patterns [.management-beats]", "service.name":"ES_ECS","process.thread.name":"elasticsearch[CBR-MBP.local][masterService#updateTask][T#1]","log.logger":"org.elasticsearch.cluster.metadata.MetaDataIndexTemplateService","type":"server","cluster.uuid":"ECEBF2VPQuCF9tbBKaLqXQ","node.id":"suOYiQwuRvialOY-c0wHLA","node.name":"CBR-MBP.local","cluster.name":"elasticsearch"}
{"@timestamp":"2020-04-14T20:57:49.663Z", "log.level": "INFO", "message":"[test-filebeat-modules] creating index, cause [auto(bulk api)], templates [test-filebeat-modules], shards [1]/[1], mappings [_doc]", "service.name":"ES_ECS","process.thread.name":"elasticsearch[7debcb878699][masterService#updateTask][T#1]","log.logger":"org.elasticsearch.cluster.metadata.MetadataCreateIndexService","type":"server","cluster.uuid":"QxYAE76DTAWkgk9CwIRedQ","node.id":"kZnYdakGTqihZQT_1rM92g","node.name":"7debcb878699","cluster.name":"docker-cluster"}
{"@timestamp":"2020-04-14T20:57:49.772Z", "log.level": "INFO", "message":"[test-filebeat-modules/IW1jJcOBTFeIDihqjoT8yQ] update_mapping [_doc]", "service.name":"ES_ECS","process.thread.name":"elasticsearch[7debcb878699][masterService#updateTask][T#1]","log.logger":"org.elasticsearch.cluster.metadata.MetadataMappingService","type":"server","cluster.uuid":"QxYAE76DTAWkgk9CwIRedQ","node.id":"kZnYdakGTqihZQT_1rM92g","node.name":"7debcb878699","cluster.name":"docker-cluster"}
{"@timestamp":"2022-01-25T15:12:08.472Z", "log.level": "INFO", "message":"adding template [.monitoring-kibana] for index patterns [.monitoring-kibana-7-*]", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[matschaffer-mbp2019.lan][masterService#updateTask][T#1]","log.logger":"org.elasticsearch.cluster.metadata.MetadataIndexTemplateService","elasticsearch.cluster.uuid":"28iKoFsvTJ6HEyXbdLL-PQ","elasticsearch.node.id":"tc3nhgC0SFCKfwwy6jCmkw","elasticsearch.node.name":"matschaffer-mbp2019.lan","elasticsearch.cluster.name":"main"}
{"@timestamp":"2022-01-25T15:12:08.588Z", "log.level": "INFO", "message":"adding template [.monitoring-logstash] for index patterns [.monitoring-logstash-7-*]", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[matschaffer-mbp2019.lan][masterService#updateTask][T#1]","log.logger":"org.elasticsearch.cluster.metadata.MetadataIndexTemplateService","elasticsearch.cluster.uuid":"28iKoFsvTJ6HEyXbdLL-PQ","elasticsearch.node.id":"tc3nhgC0SFCKfwwy6jCmkw","elasticsearch.node.name":"matschaffer-mbp2019.lan","elasticsearch.cluster.name":"main"}
{"@timestamp":"2022-01-25T15:12:08.686Z", "log.level": "INFO", "message":"adding template [.monitoring-alerts-7] for index patterns [.monitoring-alerts-7]", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[matschaffer-mbp2019.lan][masterService#updateTask][T#1]","log.logger":"org.elasticsearch.cluster.metadata.MetadataIndexTemplateService","elasticsearch.cluster.uuid":"28iKoFsvTJ6HEyXbdLL-PQ","elasticsearch.node.id":"tc3nhgC0SFCKfwwy6jCmkw","elasticsearch.node.name":"matschaffer-mbp2019.lan","elasticsearch.cluster.name":"main"}
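Review bot: replacing the three 7.x sample lines (`"type":"server"`, no `event.dataset`, top-level `cluster.uuid`/`node.id`) with 8.0 lines means the fixture no longer exercises 7.x input at all, so a regression in how the pipeline handles the older format would go unnoticed by the module tests; keep both formats in the fixture, or split them into separate 7.x and 8.x fixture files if the pipelines are being separated as the commit list suggests. Separately, the new lines carry what looks like a developer's real hostname (`matschaffer-mbp2019.lan`) and live cluster and node ids; fixture data stays in the repository history indefinitely, so replacing those with synthetic values would be preferable.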