diff --git a/doc/30-namingscheme.md b/doc/30-namingscheme.md
index a3fb5b3..cefafd3 100644
--- a/doc/30-namingscheme.md
+++ b/doc/30-namingscheme.md
@@ -77,10 +77,12 @@ These are all fieldnames in use for filter-50-configs to date: *apirequest, bytes, checkablespending, checkablesrate, checkinterval, checknext, checkoriginal, checktime, clientendpoint, code, command, component, configfilecount, connectedendpoints, context, count, currentepoch, currentmaster, date, dateend, datestart, dbinstance, detail, direction, endtime, epochcurrent, epochreceived, eventtype, exitcode, facility, filecount, filterversion, fstate, ftype, host, idlecheckables, items01min, items05min, items15min, itemscount, itemsrate, logposition, message, messagecount, messagetype, metriclist, name, nomessageduration, notificationcount, notificationtype, object, objectdetails, objectid, objecttype, period, pluginarguments, pluginexitcode, pluginoutput, query, receivedepoch, remainingclients, service, severity, signalcode, signaldetail, sslerrorcode, sslerrordetails, starttime, state, statefilter, statefilterid, stride, timerange, timestamp, typefilter, typefilterid, weekday, workerdetail, workerfacility, workerid, zone* +The `main` field has `facility` as subfield. This was introduced into the `icinga` module in Filebeat due to changes for ECS compatibility. Since it's the only nested field in the `icinga` namespace, we won't change the detection script by now. + ### Arrays We don't want to use arrays at all. Not just try to avoid them, please avoid them. We intend to use different fields for different data, which is key to logmanagement. If you really have to you can use yet another nested field *[icinga][nested][field]*, but even then the content should be related enough to combine them afterwards. This way we don't get an array, but string. The optimal solution of course is to use a [@metadata] field. ### Contribution-Dashboard -In this repository among other useful dashboards is a contribution.json, which provides a basic dashboard useful to identify areas which are in need of the most contribution. 
It gives you a nice overview of _grokparsefailures and undefined icinga.facility fields.
+In this repository among other useful dashboards is a contribution.json, which provides a basic dashboard useful to identify areas which are in need of the most contribution. It gives you a nice overview of _grokparsefailures and undefined icinga.main.facility fields.
diff --git a/filter-10-header.conf b/filter-10-header.conf
index ac9615a..4699651 100644
--- a/filter-10-header.conf
+++ b/filter-10-header.conf
@@ -1,20 +1,22 @@
 filter {
- grok {
- match => ["message","\[%{YEAR:year}-%{MONTHNUM:monthnum}-%{MONTHDAY:monthday} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} %{ISO8601_TIMEZONE:timezone}\] %{WORD:[icinga][severity]}/%{WORD:[icinga][facility]}: %{GREEDYDATA:message}"]
- add_tag => ["icinga2_header"]
- tag_on_failure => ["_grokparsefailure","icinga2_header_failed"]
- id => "icinga2"
- overwrite => "message"
- }
- mutate {
- add_field => {
- "[icinga][timestamp]" => "%{[year]}-%{[monthnum]}-%{[monthday]} %{[hour]}:%{[minute]}:%{[second]} %{[timezone]}"
+ if ![event][module] {
+ grok {
+ match => ["message","\[%{YEAR:year}-%{MONTHNUM:monthnum}-%{MONTHDAY:monthday} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} %{ISO8601_TIMEZONE:timezone}\] %{WORD:[icinga][severity]}/%{WORD:[icinga][main][facility]}: %{GREEDYDATA:message}"]
+ add_tag => ["icinga2_header"]
+ tag_on_failure => ["_grokparsefailure","icinga2_header_failed"]
+ id => "icinga2"
+ overwrite => "message"
+ }
+ mutate {
+ add_field => {
+ "[icinga][timestamp]" => "%{[year]}-%{[monthnum]}-%{[monthday]} %{[hour]}:%{[minute]}:%{[second]} %{[timezone]}"
+ }
+ }
+ date {
+ match => ["[icinga][timestamp]", "yyyy-MM-dd HH:mm:ss Z"]
+ }
+ mutate {
+ remove_field => ["[icinga][timestamp]","year","monthnum","monthday","hour","minute","second","timezone"]
 }
- }
- date {
- match => ["[icinga][timestamp]", "yyyy-MM-dd HH:mm:ss Z"]
- }
- mutate {
- remove_field => ["[icinga][timestamp]","year","monthnum","monthday","hour","minute","second","timezone"]
 }
 }
diff --git a/filter-50-apilistener.conf b/filter-50-apilistener.conf
index 8bee5e7..84753ab 100644
--- a/filter-50-apilistener.conf
+++ b/filter-50-apilistener.conf
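Review bot: The new `if ![event][module]` guard carries no comment explaining why the header grok is skipped, and nothing records that an event took the skipped path, so an event that arrives with `[event][module]` set but without `[icinga][main][facility]` passes through silently and then matches none of the `filter-50-*` conditions. Add a comment above the condition, e.g. `# Filebeat's icinga module already parses the header and sets [icinga][main][facility]; only grok raw lines that carry no [event][module]`. Consider an `else` branch that makes the decision visible, `else { mutate { add_tag => ["icinga2_header_skipped"] } }`, so such events stay distinguishable from genuine `icinga2_header_failed` parse failures when the contribution dashboard is consulted. The guard also keys on any module name rather than on the icinga module specifically; if that is intentional, the comment should say so.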
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "ApiListener" {
+ if [icinga][main][facility] == "ApiListener" {
 if [message] =~ /^New client connection/ {
 grok {
 match => ["message","New client connection( for identity '%{HOSTNAME:[icinga][clientendpoint]}')? %{WORD:[icinga][direction]} \[%{IPORHOST:[client][address]}\]:%{POSINT:[client][port]}( \(%{GREEDYDATA:[icinga][detail]}\))?"]
diff --git a/filter-50-checkable.conf b/filter-50-checkable.conf
index 7e1ea46..4a2c97f 100644
--- a/filter-50-checkable.conf
+++ b/filter-50-checkable.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "Checkable" {
+ if [icinga][main][facility] == "Checkable" {
 if [message] =~ /^Notifications are disabled for/ {
 grok {
 match => ["message","Notifications are disabled for %{WORD:[icinga][objecttype]} '%{DATA:[icinga][object]}'."]
diff --git a/filter-50-checker.conf b/filter-50-checker.conf
index 6a79f37..49705b2 100644
--- a/filter-50-checker.conf
+++ b/filter-50-checker.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "CheckerComponent" {
+ if [icinga][main][facility] == "CheckerComponent" {
 if [message] =~ /Pending checkables/ {
 grok {
 match => ["message","Pending checkables: %{NUMBER:[icinga][checkablespending]}; Idle checkables: %{NUMBER:[icinga][idlecheckables]}; Checks/s: %{NUMBER:[icinga][checkablesrate]}"]
diff --git a/filter-50-configobject.conf b/filter-50-configobject.conf
index 542a98a..0e386fb 100644
--- a/filter-50-configobject.conf
+++ b/filter-50-configobject.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "ConfigObject" {
+ if [icinga][main][facility] == "ConfigObject" {
 if [message] =~ /Dumping program state to file/ {
 # Pattern UNIXPATH seems to be broken, use DATA instead
 grok {
diff --git a/filter-50-configobjectutility.conf b/filter-50-configobjectutility.conf
index 7243f36..8334b8e 100644
--- a/filter-50-configobjectutility.conf
+++ b/filter-50-configobjectutility.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "ConfigObjectUtility" {
+ if [icinga][main][facility] == "ConfigObjectUtility" {
 if [message] =~ /^Created and activated object/ {
 grok {
 match => ["message","Created and activated object 'rb-hyc_stin_s-url-checkpoint_int_sl3_eu!l_hyc_stin_f5_ext_check_s_ciosa3!e19908e2-8aca-4e63-bc87-b8a0f6cbe31c' of type 'Comment'."]
diff --git a/filter-50-dbconnection.conf b/filter-50-dbconnection.conf
index e1254c3..964006a 100644
--- a/filter-50-dbconnection.conf
+++ b/filter-50-dbconnection.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "DbConnection" {
+ if [icinga][main][facility] == "DbConnection" {
 if [message] == "Updating programstatus table." {
 mutate {
 id => "icinga_updatingprogramstatustable"
diff --git a/filter-50-dependency.conf b/filter-50-dependency.conf
index 8451584..8349548 100644
--- a/filter-50-dependency.conf
+++ b/filter-50-dependency.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "Dependency" {
+ if [icinga][main][facility] == "Dependency" {
 grok {
 match => ["message","Dependency '%{DATA:dependency}' %{WORD:dependencystatus}: %{GREEDYDATA:detail}"]
 id => "dependencygeneral"
diff --git a/filter-50-graphitewriter.conf b/filter-50-graphitewriter.conf
index d4ad907..e12e9c9 100644
--- a/filter-50-graphitewriter.conf
+++ b/filter-50-graphitewriter.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "GraphiteWriter" {
+ if [icinga][main][facility] == "GraphiteWriter" {
 if [message] =~ /^Checkable '.+' adds to metric list: '.+'./ {
 grok {
 match => ["message","Checkable '%{DATA:[icinga][object]}' adds to metric list: '%{DATA:[icinga][metriclist]}'"]
diff --git a/filter-50-httpserverconnection.conf b/filter-50-httpserverconnection.conf
index ec0a006..4a7bc3f 100644
--- a/filter-50-httpserverconnection.conf
+++ b/filter-50-httpserverconnection.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "HttpServerConnection" {
+ if [icinga][main][facility] == "HttpServerConnection" {
 if [message] =~ /^HTTP client disconnected .+from/ {
 grok {
 match => ["message","HTTP client disconnected \(from \[%{IP:[client][ip]}\]:%{POSINT:[client][port]}\)"]
diff --git a/filter-50-idomysqlconnection.conf b/filter-50-idomysqlconnection.conf
index ff32934..c54f6c7 100644
--- a/filter-50-idomysqlconnection.conf
+++ b/filter-50-idomysqlconnection.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "IdoMysqlConnection" {
+ if [icinga][main][facility] == "IdoMysqlConnection" {
 if [message] =~ /^MySQL IDO/ {
 grok {
 match => ["message","MySQL IDO instance id: %{POSINT:[icinga][dbinstance][id]} \(schema version: '%{DATA:[icinga][dbinstance][schema]}\)"]
diff --git a/filter-50-jsonrpcconnection.conf b/filter-50-jsonrpcconnection.conf
index a73e4ad..fb48254 100644
--- a/filter-50-jsonrpcconnection.conf
+++ b/filter-50-jsonrpcconnection.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "JsonRpcConnection" {
+ if [icinga][main][facility] == "JsonRpcConnection" {
 if [message] =~ /API client disconnected/ {
 grok {
 match => ["message","API client disconnected for identity '%{HOSTNAME:[icinga][clientendpoint]}'"]
diff --git a/filter-50-legacytimeperiod.conf b/filter-50-legacytimeperiod.conf
index 5b2bc19..5502690 100644
--- a/filter-50-legacytimeperiod.conf
+++ b/filter-50-legacytimeperiod.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "LegacyTimePeriod" {
+ if [icinga][main][facility] == "LegacyTimePeriod" {
 if [message] =~ /^Legacy timeperiod update returned .+ segments\./ {
 grok {
 match => ["message","Legacy timeperiod update returned %{DATA:[icinga][count]}."]
diff --git a/filter-50-notification.conf b/filter-50-notification.conf
index 205b217..30be1e9 100644
--- a/filter-50-notification.conf
+++ b/filter-50-notification.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "Notification" {
+ if [icinga][main][facility] == "Notification" {
 if [message] =~ /^Sending / {
 grok {
 match => ["message","Sending '%{WORD:[icinga][notificationtype]}' notification '%{DATA:[icinga][object]}' for user '%{DATA:[user][name]}'"]
diff --git a/filter-50-pluginchecktask.conf b/filter-50-pluginchecktask.conf
index 2d5bc58..eec8c19 100644
--- a/filter-50-pluginchecktask.conf
+++ b/filter-50-pluginchecktask.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "PluginCheckTask" {
+ if [icinga][main][facility] == "PluginCheckTask" {
 if [message] =~ /^Check command for object/ {
 grok {
 match => ["message","Check command for object '%{DATA:[icinga][object]}' \(PID: %{POSINT:[process][pid]}, arguments: '%{DATA:[file][path]}' %{DATA:[icinga][pluginarguments]}\) terminated with exit code %{POSINT:[icinga][pluginexitcode]}, output: %{GREEDYDATA:[icinga][pluginoutput]}"]
diff --git a/filter-50-process.conf b/filter-50-process.conf
index c655a11..7f3a6a2 100644
--- a/filter-50-process.conf
+++ b/filter-50-process.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "Process" {
+ if [icinga][main][facility] == "Process" {
 if [message] =~ /^PID/ {
 grok {
 match => ["message","PID %{POSINT:[process][pid]} (\(%{DATA:[icinga][command]}\) )?(was )?terminated (by signal %{NUMBER:[icinga][signalcode]} \(%{WORD:[icinga][signaldetail]}\)|with exit code %{NUMBER:[icinga][exitcode]})"]
diff --git a/filter-50-remotecheckqueue.conf b/filter-50-remotecheckqueue.conf
index 8d0f8de..80d3f5b 100644
--- a/filter-50-remotecheckqueue.conf
+++ b/filter-50-remotecheckqueue.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "RemoteCheckQueue" {
+ if [icinga][main][facility] == "RemoteCheckQueue" {
 grok {
 match => ["message","items: %{NUMBER:[icinga][itemscount]}, rate: %{NUMBER:[icinga][itemsrate]}/s \(%{NUMBER:[icinga][items01min]}/min %{NUMBER:[icinga][items05min]}/5min %{NUMBER:[icinga][items15min]}/15min\);"]
 id => "icinga_remotecheckqueue"
diff --git a/filter-50-tcpsocket.conf b/filter-50-tcpsocket.conf
index 2fdf572..6f0caf9 100644
--- a/filter-50-tcpsocket.conf
+++ b/filter-50-tcpsocket.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "TcpSocket" {
+ if [icinga][main][facility] == "TcpSocket" {
 if [message] =~ /^getaddrinfo\(\) failed with error code .+, ".+"\nContext:\n\t\(0\) Reconnecting to Graphite '.+'/ {
 grok {
 match => ["message","getaddrinfo\(\) failed with error code %{NUMBER:[icinga][code]}, \"%{DATA:[icinga][message]}\"\nContext:\n\t\(0\) Reconnecting to Graphite '%{DATA:[icinga][name]}'"]
diff --git a/filter-50-timeperiod.conf b/filter-50-timeperiod.conf
index 021a618..6495512 100644
--- a/filter-50-timeperiod.conf
+++ b/filter-50-timeperiod.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "TimePeriod" {
+ if [icinga][main][facility] == "TimePeriod" {
 if [message] =~ /^Purging segments older than '.+' from TimePeriod '.+'/ {
 grok {
 match => ["message","Purging segments older than '%{DATA:[icinga][date]}' from TimePeriod '%{DATA:[icinga][period]}'"]
diff --git a/filter-50-tlsstream.conf b/filter-50-tlsstream.conf
index 9859950..b9d9c35 100644
--- a/filter-50-tlsstream.conf
+++ b/filter-50-tlsstream.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "TlsStream" {
+ if [icinga][main][facility] == "TlsStream" {
 if [message] =~ /^OpenSSL error:/ {
 grok {
 match => ["message","OpenSSL error: error:%{DATA:[icinga][sslerrorcode]}:%{GREEDYDATA:[icinga][sslerrordetails]}"]
diff --git a/filter-50-workqueue.conf b/filter-50-workqueue.conf
index e6518ae..c32ea00 100644
--- a/filter-50-workqueue.conf
+++ b/filter-50-workqueue.conf
@@ -1,5 +1,5 @@
 filter {
- if [icinga][facility] == "WorkQueue" {
+ if [icinga][main][facility] == "WorkQueue" {
 if [message] =~ /^#\d/ {
 grok {
 match => ["message","%{NUMBER:[icinga][workerid]} \(%{WORD:[icinga][workerfacility]}, %{DATA:[icinga][workerdetail]}\) items: %{NUMBER:[icinga][itemscount]}, rate: ( )?%{NUMBER:[icinga][itemsrate]}/s \(%{NUMBER:[icinga][items01min]}/min %{NUMBER:[icinga][items05min]}/5min %{NUMBER:[icinga][items15min]}/15min\);"]