
Ingest structured ES deprecation logs (#10445)
* parse structured ES deprecation logs

* Adding CHANGELOG entry

* Add breaking change CHANGELOG entry

* Regenerating generated files
ycombinator authored Feb 1, 2019
1 parent 11d8ba4 commit b70fdcd
Showing 13 changed files with 431 additions and 39 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -73,6 +73,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Several text fields in the Logstash module are now indexed as `keyword` fields with `text` multi-fields (ECS). {pull}10417[10417]
- Several text fields in the Elasticsearch module are now indexed as `keyword` fields with `text` multi-fields (ECS). {pull}10414[10414]
- Move dissect pattern for traefik.access fileset from Filbeat to Elasticsearch. {pull}10442[10442]
- The `elasticsearch/deprecation` fileset now indexes the `component` field under `elasticsearch` instead of `elasticsearch.server`. {pull}10445[10445]

*Heartbeat*

Expand Down Expand Up @@ -231,6 +232,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add support for Percona in the `slowlog` fileset of `mysql` module. {issue}6665[6665] {pull}10227[10227]
- Added support for ingesting structured Elasticsearch audit logs {pull}10352[10352]
- Added support for ingesting structured Elasticsearch slow logs {pull}10445[10445]
- Added support for ingesting structured Elasticsearch deprecation logs {pull}10445[10445]

*Heartbeat*

2 changes: 2 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -4342,6 +4342,8 @@ UUID of the cluster
*`elasticsearch.cluster.name`*::
+
--
type: keyword
example: docker-cluster
Name of the cluster
1 change: 1 addition & 0 deletions filebeat/module/elasticsearch/_meta/fields.yml
Expand Up @@ -18,6 +18,7 @@
- name: cluster.name
description: "Name of the cluster"
example: "docker-cluster"
type: keyword
- name: node.id
description: "ID of the node"
example: "DSiWcTyeThWtUXLB9J0BMw"
2 changes: 1 addition & 1 deletion filebeat/module/elasticsearch/deprecation/config/log.yml
Expand Up @@ -5,7 +5,7 @@ paths:
{{ end }}
exclude_files: [".gz$","_slowlog.log$","_access.log$"]
multiline:
pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
pattern: '^(\[[0-9]{4}-[0-9]{2}-[0-9]{2}|{)'
negate: true
match: after

102 changes: 102 additions & 0 deletions filebeat/module/elasticsearch/deprecation/ingest/pipeline-json.json
@@ -0,0 +1,102 @@
{
"description": "Pipeline for parsing the Elasticsearch deprecation log file in JSON format.",
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
],
"processors": [
{
"json": {
"field": "message",
"target_field": "elasticsearch.deprecation"
}
},
{
"drop": {
"if": "ctx.elasticsearch.deprecation.type != 'deprecation'"
}
},
{
"remove": {
"field": "elasticsearch.deprecation.type"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.level",
"target_field": "log.level"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.component",
"target_field": "elasticsearch.component"
}
},
{
"dot_expander": {
"field": "cluster.name",
"path": "elasticsearch.deprecation"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.cluster.name",
"target_field": "elasticsearch.cluster.name"
}
},
{
"dot_expander": {
"field": "node.name",
"path": "elasticsearch.deprecation"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.node.name",
"target_field": "elasticsearch.node.name"
}
},
{
"dot_expander": {
"field": "cluster.uuid",
"path": "elasticsearch.deprecation"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.cluster.uuid",
"target_field": "elasticsearch.cluster.uuid",
"ignore_missing": true
}
},
{
"dot_expander": {
"field": "node.id",
"path": "elasticsearch.deprecation"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.node.id",
"target_field": "elasticsearch.node.id",
"ignore_missing": true
}
},
{
"remove": {
"field": "message"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.message",
"target_field": "message"
}
}
]
}
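Review bot: The `remove` of `message` runs before the final `rename` of `elasticsearch.deprecation.message` back to `message`, so a JSON object that has no `message` key fails that rename only after the raw log line has already been discarded, and the document indexed through `on_failure` carries neither the original line nor a message. Guarding the removal with `"if": "ctx.elasticsearch.deprecation.containsKey('message')"` and adding `"ignore_missing": true` to the last rename keeps the raw JSON line as `message` in that case instead of silently dropping it. Separately, every key the pipeline does not explicitly move or remove stays under `elasticsearch.deprecation.*` and is presumably mapped dynamically, so any new key the log writer starts emitting becomes an index field without anyone deciding it should; a sentence in the pipeline description stating that leftover keys are kept as-is, or a `remove` of keys known to be unwanted, would make that behaviour intentional.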
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"description": "Pipeline for parsing the Elasticsearch deprecation log file in plaintext format.",
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
],
"processors": [
{
"grok": {
"field": "message",
"pattern_definitions": {
"GREEDYMULTILINE": "(.|\n)*"
},
"patterns": [
"\\[%{TIMESTAMP_ISO8601:elasticsearch.deprecation.timestamp}\\]\\[%{LOGLEVEL:log.level}%{SPACE}*\\]\\[%{DATA:elasticsearch.component}%{SPACE}*\\] %{GREEDYMULTILINE:message}"
]
}
}
]
}
51 changes: 35 additions & 16 deletions filebeat/module/elasticsearch/deprecation/ingest/pipeline.json
100755 → 100644
@@ -1,13 +1,5 @@
{
"description": "Pipeline for parsing the Elasticsearch deprecation log file.",
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
],
"description": "Pipeline for parsing elasticsearch deprecation logs",
"processors": [
{
"rename": {
Expand All @@ -18,17 +10,29 @@
{
"grok": {
"field": "message",
"pattern_definitions": {
"GREEDYMULTILINE": "(.|\n)*"
},
"patterns": [
"\\[%{TIMESTAMP_ISO8601:timestamp}\\]\\[%{LOGLEVEL:log.level}%{SPACE}*\\]\\[%{DATA:elasticsearch.server.component}%{SPACE}*\\] %{GREEDYMULTILINE:message}"
]
"^%{CHAR:first_char}"
],
"pattern_definitions": {
"CHAR": "."
}
}
},
{
"pipeline": {
"if": "ctx.first_char != '{'",
"name": "{< IngestPipeline "pipeline-plaintext" >}"
}
},
{
"pipeline": {
"if": "ctx.first_char == '{'",
"name": "{< IngestPipeline "pipeline-json" >}"
}
},
{
"date": {
"field": "timestamp",
"field": "elasticsearch.deprecation.timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
Expand All @@ -39,7 +43,22 @@
},
{
"remove": {
"field": "timestamp"
"field": "elasticsearch.deprecation.timestamp"
}
},
{
"remove": {
"field": [
"first_char"
]
}
}
],
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
]
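Review bot: A parse failure inside either sub-pipeline is caught by that sub-pipeline's own `on_failure` handler (the blocks at the top of pipeline-json.json and pipeline-plaintext.json), so the two `pipeline` processors here return normally and the `date` processor then fails on the absent `elasticsearch.deprecation.timestamp`; the handler at the bottom of this file overwrites `error.message` with the date error, and the root-cause grok/json message is lost. Unless the hidden lines of the `date` processor set `ignore_failure`, I would drop the `on_failure` blocks from the two sub-pipelines so their errors propagate into this pipeline's handler with the original message intact, which also removes the duplicated handler. If the per-pipeline handlers are kept on purpose, guarding the date processor with `"if": "ctx.elasticsearch?.deprecation?.timestamp != null"` at least stops the second failure from masking the first. The processor list begins before the visible hunk, so the earlier `rename` at its start is not reviewed here.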
8 changes: 7 additions & 1 deletion filebeat/module/elasticsearch/deprecation/manifest.yml
Expand Up @@ -4,10 +4,13 @@ var:
- name: paths
default:
- /var/log/elasticsearch/*_deprecation.log
- /var/log/elasticsearch/*_deprecation.json
os.darwin:
- /usr/local/var/lib/elasticsearch/*_deprecation.log
- /usr/local/var/lib/elasticsearch/*_deprecation.json
os.windows:
- c:/ProgramData/Elastic/Elasticsearch/logs/*_deprecation.log
- c:/ProgramData/Elastic/Elasticsearch/logs/*_deprecation.json
- name: convert_timezone
default: false
# if ES < 6.1.0, this flag switches to false automatically when evaluating the
Expand All @@ -16,5 +19,8 @@ var:
version: 6.1.0
value: false

ingest_pipeline: ingest/pipeline.json
ingest_pipeline:
- ingest/pipeline.json
- ingest/pipeline-plaintext.json
- ingest/pipeline-json.json
input: config/log.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
{
"@timestamp": "2018-04-23T16:40:13.737Z",
"ecs.version": "1.0.0-beta2",
"elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"elasticsearch.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"event.dataset": "elasticsearch.deprecation",
"event.module": "elasticsearch",
"fileset.name": "deprecation",
Expand All @@ -15,7 +15,7 @@
{
"@timestamp": "2018-04-23T16:40:13.862Z",
"ecs.version": "1.0.0-beta2",
"elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"elasticsearch.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"event.dataset": "elasticsearch.deprecation",
"event.module": "elasticsearch",
"fileset.name": "deprecation",
Expand All @@ -28,7 +28,7 @@
{
"@timestamp": "2018-04-23T16:40:14.792Z",
"ecs.version": "1.0.0-beta2",
"elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"elasticsearch.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"event.dataset": "elasticsearch.deprecation",
"event.module": "elasticsearch",
"fileset.name": "deprecation",
Expand All @@ -41,7 +41,7 @@
{
"@timestamp": "2018-04-23T16:40:15.127Z",
"ecs.version": "1.0.0-beta2",
"elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"elasticsearch.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"event.dataset": "elasticsearch.deprecation",
"event.module": "elasticsearch",
"fileset.name": "deprecation",
