Add a HAProxy filebeat module.

[Tethik]

I created a new module for parsing HAProxy http logs via filebeat. Originally developed on version 6.3 of elasticsearch/filebeat.

Feedback would be appreciated, please let me know if there's anything missing.

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[jsoriano]

Really nice work here, thanks for this! I have added some comments.

[jsoriano]

This should be replaced by the name of the fileset, I guess http in this case.

[Tethik]

👍

[jsoriano]

Could you follow ECS in fields naming if possible? for example http response fields could be at the root level under http.response....

[Tethik]

Will do.

[jsoriano]

These field names are a bit cryptic, maybe we could have a connections object with different counts, so these fields are named connections.active, connections.frontend, connections.backend, connections.server, wdyt?

[Tethik]

I copied the names of the fields directly from the HAProxy documentation
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#8.2.3

I don't mind changing them though.

[Tethik]

Would you move them up from the fileset though? e.g. haproxy.connections.* as opposed to haproxy.http.connections.*

[jsoriano]

I think we could leave them directly on haproxy.connections, so if at some moment we have also a TCP fileset they can be aggregated more easily.

[Tethik]

Sounds good. What about the rest of the fields that are shared between the TCP and HTTP logs? e.g. client_ip, frontend_name or the different queue times? Should we put these directly on the parent (as haproxy.client_ip, haproxy.frontend_name) or try to group them more?

[jsoriano]

Good point, I also think it would also make sense to move these fields to the module level.

[jsoriano]

Add here also a reference to var.input

[Tethik]

👍

[jsoriano]

Nice addition to be able to use syslog and file.

[Tethik]

Thanks. I started out with a normal file log but setting it up in HAProxy requires a bit of effort. Going via syslog was easier as HAProxy has that support built in. I intend to document the HAProxy configuration necessary for using the module too.

[jsoriano]

Thanks for the dashboard! 😃

[jsoriano]

Replace {fileset} also here

[Tethik]

👍

[Tethik]

Pushed some changes now, but I still need to update the dashboard and test the changes. Hope I can do so later tonight.

[jsoriano]

This file should contain only the list of events (each event being the value of _source)

[jsoriano]

Be careful with exposing personal data in examples/tests 🙂

[Tethik]

Minor slip up, but not really sensitive. I'll see if I can scrub it.

[jsoriano]

http also here

[jsoriano]

Being syslog the default is going to be tricky for the test_modules test as it instantiates filebeat with the default configurations.
@kvch @ph is there a way to provide a different config than the default for the test_modules?

[kvch]

filebeat/tests/system/config/filebeat.yml.j2 is the template used during running system tests. This needs to be extended with syslog input.

[kvch]

The current system test framework also needs to be extended to be able to send logs over TCP and UDP to Filebeat. Maybe running netcat with proper config does the trick of feeding Filebeat with input.

[jsoriano]

Thanks, I'll take a look to this.

[Tethik]

Still working on the dashboard fyi, quite busy these coming days though so it might take a while.

[jsoriano]

Another placeholder here, remember to run also make update after modifying these files.

[Tethik]

Dashboard remade and tests scrubbed.

Here's also a sample haproxy config that should work to send logs to this module.
https://gist.github.com/Tethik/b458036e734f5ec78bb362bba53e9d1c

[jsoriano]

@Tethik thanks for your work on this, I'm going to take a look on how we can extend our tests for syslog-based modules, I'll keep you updated.

[Tethik]

Glad to be able to contribute. I hope to add some more modules in the near future too 🎁

[jsoriano]

@Tethik we have merged #8140, that will force the use of file input for tests, please update your branch with master to check your test files.

[Tethik]

Done, I rebased to the latest master. Not sure how I'm supposed to run the tests though.

[jsoriano]

To run the tests locally, you can run INTEGRATION_TESTS=1 make system-tests from the filebeat directory.
This takes a while as it runs all system tests, if you want to run only the tests with the haproxy log files, you will need first a running elasticsearch, you can run it with make start-environment, and then:

make python-env
source build/python-env/bin/activate
make filebeat.test
INTEGRATION_TESTS=1 TEST_MODULES=haproxy BEAT_STRICT_PERMS=false ES_HOST=<easticsearch ip> nosetest tests/system/test_module.py

You can check the logs for more info in build/system-tests.

[jsoriano]

This file may need a new line at the end to ensure that this is read on tests.

[Tethik]

Pushed the newline. No change though

[jsoriano]

There was a change 🙂 now the test build failed due to expected object not found. I have added a comment with the missing fields.

[Tethik]

Ah sorry, been trying to run the tests locally but the environment is not cooperating with me. (I get different failures from the other unrelated tests too)

[jsoriano]

These fields are missing:

        "input.type": "log",
        "prospector.type": "log",
        "fileset.module": "haproxy",
        "fileset.name": "http",
        "haproxy.geoip.region_iso_code": "US-WA",
        "offset": 0,

[jsoriano]

jenkins, test this please

[jsoriano]

jenkins, test this again please

[jsoriano]

To be backported to 6.x along with #8215