diff --git a/filebeat/module/apache2/access/test/test.log-expected.json b/filebeat/module/apache2/access/test/test.log-expected.json index c59f6078b03..e671b1de017 100644 --- a/filebeat/module/apache2/access/test/test.log-expected.json +++ b/filebeat/module/apache2/access/test/test.log-expected.json 
@@ -1,106 +1,106 @@ [ { - "@timestamp": "2016-12-26T14:16:29.000Z", - "apache2.access.body_sent.bytes": 209, - "apache2.access.remote_ip": "::1", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "apache2", - "http.request.method": "GET", - "http.response.status_code": 404, - "http.version": "1.1", - "input.type": "log", - "log.offset": 0, - "source.ip": "::1", - "url.original": "/favicon.ico", + "@timestamp": "2016-12-26T14:16:29.000Z", + "apache2.access.body_sent.bytes": 209, + "apache2.access.remote_ip": "::1", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "apache2", + "http.request.method": "GET", + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 0, + "source.ip": "::1", + "url.original": "/favicon.ico", "user.name": "-" - }, + }, { - "@timestamp": "2016-12-26T16:22:13.000Z", - "apache2.access.body_sent.bytes": 499, - "apache2.access.remote_ip": "192.168.33.1", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "apache2", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 404, - "http.version": "1.1", - "input.type": "log", - "log.offset": 73, - "source.ip": "192.168.33.1", - "url.original": "/hello", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "50", - "user_agent.minor": "0", - "user_agent.name": "Firefox", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", - "user_agent.os.full_name": "Mac OS X 10.12", - "user_agent.os.major": "10", - "user_agent.os.minor": "12", + "@timestamp": "2016-12-26T16:22:13.000Z", + "apache2.access.body_sent.bytes": 499, + "apache2.access.remote_ip": "192.168.33.1", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "apache2", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 404, + 
"http.version": "1.1", + "input.type": "log", + "log.offset": 73, + "source.ip": "192.168.33.1", + "url.original": "/hello", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "50", + "user_agent.minor": "0", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", + "user_agent.os.full_name": "Mac OS X 10.12", + "user_agent.os.major": "10", + "user_agent.os.minor": "12", "user_agent.os.name": "Mac OS X" - }, + }, { - "@timestamp": "2016-12-26T14:16:48.000Z", - "apache2.access.remote_ip": "::1", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "apache2", - "http.response.status_code": 408, - "input.type": "log", - "log.offset": 238, - "source.ip": "::1", + "@timestamp": "2016-12-26T14:16:48.000Z", + "apache2.access.remote_ip": "::1", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "apache2", + "http.response.status_code": 408, + "input.type": "log", + "log.offset": 238, + "source.ip": "::1", "user.name": "-" - }, + }, { - "@timestamp": "2017-05-29T19:02:48.000Z", - "apache2.access.body_sent.bytes": 612, - "apache2.access.remote_ip": "172.17.0.1", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "apache2", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 404, - "http.version": "1.1", - "input.type": "log", - "log.offset": 285, - "source.ip": "172.17.0.1", - "url.original": "/stringpatch", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "15", - "user_agent.minor": "0", - "user_agent.name": "Firefox Alpha", - "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", - "user_agent.os.full_name": "Windows 7", - "user_agent.os.name": "Windows 7", + "@timestamp": "2017-05-29T19:02:48.000Z", + "apache2.access.body_sent.bytes": 612, + "apache2.access.remote_ip": 
"172.17.0.1", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "apache2", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 285, + "source.ip": "172.17.0.1", + "url.original": "/stringpatch", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "15", + "user_agent.minor": "0", + "user_agent.name": "Firefox Alpha", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", + "user_agent.os.full_name": "Windows 7", + "user_agent.os.name": "Windows 7", "user_agent.patch": "a2" - }, + }, { - "@timestamp": "2017-05-29T19:02:48.000Z", - "apache2.access.body_sent.bytes": 612, - "apache2.access.remote_ip": "monitoring-server", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "apache2", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 200, - "http.version": "1.1", - "input.type": "log", - "log.offset": 443, - "source.domain": "monitoring-server", - "url.original": "/status", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "15", - "user_agent.minor": "0", - "user_agent.name": "Firefox Alpha", - "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", - "user_agent.os.full_name": "Windows 7", - "user_agent.os.name": "Windows 7", + "@timestamp": "2017-05-29T19:02:48.000Z", + "apache2.access.body_sent.bytes": 612, + "apache2.access.remote_ip": "monitoring-server", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "apache2", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 443, + "source.domain": "monitoring-server", + "url.original": "/status", + "user.name": "-", + "user_agent.device": "Other", + 
"user_agent.major": "15", + "user_agent.minor": "0", + "user_agent.name": "Firefox Alpha", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", + "user_agent.os.full_name": "Windows 7", + "user_agent.os.name": "Windows 7", "user_agent.patch": "a2" } ] \ No newline at end of file diff --git a/filebeat/module/apache2/error/test/test.log-expected.json b/filebeat/module/apache2/error/test/test.log-expected.json index c179c9bc69b..269c2a5ce4c 100644 --- a/filebeat/module/apache2/error/test/test.log-expected.json +++ b/filebeat/module/apache2/error/test/test.log-expected.json 
@@ -1,39 +1,39 @@ [ { - "@timestamp": "2016-12-26T16:22:08.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "apache2", - "input.type": "log", - "log.level": "error", - "log.offset": 0, - "message": "File does not exist: /var/www/favicon.ico", + "@timestamp": "2016-12-26T16:22:08.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "error", + "event.module": "apache2", + "input.type": "log", + "log.level": "error", + "log.offset": 0, + "message": "File does not exist: /var/www/favicon.ico", "source.address": "192.168.33.1" - }, + }, { - "@timestamp": "2016-12-26T16:15:55.103Z", - "apache2.error.module": "core", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "apache2", - "input.type": "log", - "log.level": "notice", - "log.offset": 99, - "message": "AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'", + "@timestamp": "2016-12-26T16:15:55.103Z", + "apache2.error.module": "core", + "ecs.version": "1.0.0-beta2", + "event.dataset": "error", + "event.module": "apache2", + "input.type": "log", + "log.level": "notice", + "log.offset": 99, + "message": "AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'", "process.pid": 11379 - }, + }, { - "@timestamp": "2011-09-09T10:42:29.902Z", - "apache2.error.module": "core", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "apache2", - "input.type": "log", - "log.level": "error", - "log.offset": 229, - "message": "File does not exist: /usr/local/apache2/htdocs/favicon.ico", - "process.pid": 35708, - "process.thread.id": 4328636416, + "@timestamp": "2011-09-09T10:42:29.902Z", + "apache2.error.module": "core", + "ecs.version": "1.0.0-beta2", + "event.dataset": "error", + "event.module": "apache2", + "input.type": "log", + "log.level": "error", + "log.offset": 229, + "message": "File does not exist: /usr/local/apache2/htdocs/favicon.ico", + "process.pid": 35708, + "process.thread.id": 4328636416, 
"source.address": "72.15.99.187" } ] \ No newline at end of file diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 93b535508c4..cc678223950 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json 
@@ -1,54 +1,54 @@ [ { - "@timestamp": "2017-01-31T20:17:14.891Z", - "auditd.log.auid": "4294967295", - "auditd.log.dst": "192.168.0.0", - "auditd.log.dst_prefixlen": "16", - "auditd.log.op": "SPD-delete", - "auditd.log.record_type": "MAC_IPSEC_EVENT", - "auditd.log.res": "1", - "auditd.log.sequence": 18877201, - "auditd.log.ses": "4294967295", - "auditd.log.src": "192.168.2.0", - "auditd.log.src_prefixlen": "24", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "auditd", - "input.type": "log", + "@timestamp": "2017-01-31T20:17:14.891Z", + "auditd.log.auid": "4294967295", + "auditd.log.dst": "192.168.0.0", + "auditd.log.dst_prefixlen": "16", + "auditd.log.op": "SPD-delete", + "auditd.log.record_type": "MAC_IPSEC_EVENT", + "auditd.log.res": "1", + "auditd.log.sequence": 18877201, + "auditd.log.ses": "4294967295", + "auditd.log.src": "192.168.2.0", + "auditd.log.src_prefixlen": "24", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "auditd", + "input.type": "log", "log.offset": 0 - }, + }, { - "@timestamp": "2017-01-31T20:17:14.891Z", - "auditd.log.a0": "9", - "auditd.log.a1": "7f564b2672a0", - "auditd.log.a2": "b8", - "auditd.log.a3": "0", - "auditd.log.arch": "x86_64", - "auditd.log.auid": "4294967295", - "auditd.log.comm": "charon", - "auditd.log.egid": "0", - "auditd.log.euid": "0", - "auditd.log.exe": "/usr/libexec/strongswan/charon (deleted)", - "auditd.log.exit": "184", - "auditd.log.fsgid": "0", - "auditd.log.fsuid": "0", - "auditd.log.gid": "0", - "auditd.log.items": "0", - "auditd.log.pid": "1281", - "auditd.log.ppid": "1240", - "auditd.log.record_type": "SYSCALL", - "auditd.log.sequence": 18877199, - "auditd.log.ses": "4294967295", - "auditd.log.sgid": "0", - "auditd.log.success": "yes", - "auditd.log.suid": "0", - "auditd.log.syscall": "44", - "auditd.log.tty": "(none)", - "auditd.log.uid": "0", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "auditd", - "input.type": "log", 
+ "@timestamp": "2017-01-31T20:17:14.891Z", + "auditd.log.a0": "9", + "auditd.log.a1": "7f564b2672a0", + "auditd.log.a2": "b8", + "auditd.log.a3": "0", + "auditd.log.arch": "x86_64", + "auditd.log.auid": "4294967295", + "auditd.log.comm": "charon", + "auditd.log.egid": "0", + "auditd.log.euid": "0", + "auditd.log.exe": "/usr/libexec/strongswan/charon (deleted)", + "auditd.log.exit": "184", + "auditd.log.fsgid": "0", + "auditd.log.fsuid": "0", + "auditd.log.gid": "0", + "auditd.log.items": "0", + "auditd.log.pid": "1281", + "auditd.log.ppid": "1240", + "auditd.log.record_type": "SYSCALL", + "auditd.log.sequence": 18877199, + "auditd.log.ses": "4294967295", + "auditd.log.sgid": "0", + "auditd.log.success": "yes", + "auditd.log.suid": "0", + "auditd.log.syscall": "44", + "auditd.log.tty": "(none)", + "auditd.log.uid": "0", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "auditd", + "input.type": "log", "log.offset": 174 } ] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/audit/test/test.log-expected.json b/filebeat/module/elasticsearch/audit/test/test.log-expected.json index f4b880a84cf..227baa96cbf 100644 --- a/filebeat/module/elasticsearch/audit/test/test.log-expected.json +++ b/filebeat/module/elasticsearch/audit/test/test.log-expected.json 
@@ -1,114 +1,114 @@ [ { - "@timestamp": "2018-06-19T05:16:15.549Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.audit.event_type": "authentication_failed", - "elasticsearch.audit.layer": "rest", - "elasticsearch.audit.origin_address": "147.107.128.77", - "elasticsearch.audit.principal": "i030648", - "elasticsearch.audit.uri": "/_xpack/security/_authenticate", - "event.dataset": "audit", - "event.module": "elasticsearch", - "input.type": "log", - "log.offset": 0, - "message": "[2018-06-19T05:16:15,549] [rest] [authentication_failed] origin_address=[147.107.128.77], principal=[i030648], uri=[/_xpack/security/_authenticate]", + "@timestamp": "2018-06-19T05:16:15.549Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.event_type": "authentication_failed", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin_address": "147.107.128.77", + "elasticsearch.audit.principal": "i030648", + "elasticsearch.audit.uri": "/_xpack/security/_authenticate", + "event.dataset": "audit", + "event.module": "elasticsearch", + "input.type": "log", + "log.offset": 0, + "message": "[2018-06-19T05:16:15,549] [rest] [authentication_failed] origin_address=[147.107.128.77], principal=[i030648], uri=[/_xpack/security/_authenticate]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-06-19T05:07:52.304Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.audit.event_type": "authentication_failed", - "elasticsearch.audit.layer": "rest", - "elasticsearch.audit.origin_address": "172.22.0.3", - "elasticsearch.audit.principal": "rado", - "elasticsearch.audit.uri": "/_xpack/security/_authenticate", - "elasticsearch.node.name": "v_VJhjV", - "event.dataset": "audit", - "event.module": "elasticsearch", - "input.type": "log", - "log.offset": 155, - "message": "[2018-06-19T05:07:52,304] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.22.0.3], principal=[rado], uri=[/_xpack/security/_authenticate]", + "@timestamp": "2018-06-19T05:07:52.304Z", + 
"ecs.version": "1.0.0-beta2", + "elasticsearch.audit.event_type": "authentication_failed", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin_address": "172.22.0.3", + "elasticsearch.audit.principal": "rado", + "elasticsearch.audit.uri": "/_xpack/security/_authenticate", + "elasticsearch.node.name": "v_VJhjV", + "event.dataset": "audit", + "event.module": "elasticsearch", + "input.type": "log", + "log.offset": 155, + "message": "[2018-06-19T05:07:52,304] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.22.0.3], principal=[rado], uri=[/_xpack/security/_authenticate]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-06-19T05:00:15.778Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.audit.action": "indices:data/read/scroll/clear", - "elasticsearch.audit.event_type": "access_granted", - "elasticsearch.audit.layer": "transport", - "elasticsearch.audit.origin_address": "192.168.1.165", - "elasticsearch.audit.origin_type": "local_node", - "elasticsearch.audit.principal": "_xpack_security", - "elasticsearch.audit.request": "ClearScrollRequest", - "event.dataset": "audit", - "event.module": "elasticsearch", - "input.type": "log", - "log.offset": 306, - "message": "[2018-06-19T05:00:15,778] [transport] [access_granted] origin_type=[local_node], origin_address=[192.168.1.165], principal=[_xpack_security], action=[indices:data/read/scroll/clear], request=[ClearScrollRequest]", + "@timestamp": "2018-06-19T05:00:15.778Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.action": "indices:data/read/scroll/clear", + "elasticsearch.audit.event_type": "access_granted", + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin_address": "192.168.1.165", + "elasticsearch.audit.origin_type": "local_node", + "elasticsearch.audit.principal": "_xpack_security", + "elasticsearch.audit.request": "ClearScrollRequest", + "event.dataset": "audit", + "event.module": "elasticsearch", + "input.type": "log", + "log.offset": 
306, + "message": "[2018-06-19T05:00:15,778] [transport] [access_granted] origin_type=[local_node], origin_address=[192.168.1.165], principal=[_xpack_security], action=[indices:data/read/scroll/clear], request=[ClearScrollRequest]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-06-19T05:07:45.544Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.audit.event_type": "anonymous_access_denied", - "elasticsearch.audit.layer": "rest", - "elasticsearch.audit.origin_address": "172.22.0.3", - "elasticsearch.audit.uri": "/_xpack/security/_authenticate", - "elasticsearch.node.name": "v_VJhjV", - "event.dataset": "audit", - "event.module": "elasticsearch", - "input.type": "log", - "log.offset": 519, - "message": "[2018-06-19T05:07:45,544] [v_VJhjV] [rest] [anonymous_access_denied]\torigin_address=[172.22.0.3], uri=[/_xpack/security/_authenticate]", + "@timestamp": "2018-06-19T05:07:45.544Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.event_type": "anonymous_access_denied", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin_address": "172.22.0.3", + "elasticsearch.audit.uri": "/_xpack/security/_authenticate", + "elasticsearch.node.name": "v_VJhjV", + "event.dataset": "audit", + "event.module": "elasticsearch", + "input.type": "log", + "log.offset": 519, + "message": "[2018-06-19T05:07:45,544] [v_VJhjV] [rest] [anonymous_access_denied]\torigin_address=[172.22.0.3], uri=[/_xpack/security/_authenticate]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-06-19T05:26:27.268Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.audit.event_type": "authentication_failed", - "elasticsearch.audit.layer": "rest", - "elasticsearch.audit.origin_address": "147.107.128.77", - "elasticsearch.audit.principal": "N078801", - "elasticsearch.audit.uri": "/_xpack/security/_authenticate", - "event.dataset": "audit", - "event.module": "elasticsearch", - "input.type": "log", - "log.offset": 654, - "message": "[2018-06-19T05:26:27,268] 
[rest] [authentication_failed]\torigin_address=[147.107.128.77], principal=[N078801], uri=[/_xpack/security/_authenticate]", + "@timestamp": "2018-06-19T05:26:27.268Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.event_type": "authentication_failed", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin_address": "147.107.128.77", + "elasticsearch.audit.principal": "N078801", + "elasticsearch.audit.uri": "/_xpack/security/_authenticate", + "event.dataset": "audit", + "event.module": "elasticsearch", + "input.type": "log", + "log.offset": 654, + "message": "[2018-06-19T05:26:27,268] [rest] [authentication_failed]\torigin_address=[147.107.128.77], principal=[N078801], uri=[/_xpack/security/_authenticate]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-06-19T05:55:26.898Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.audit.action": "cluster:monitor/main", - "elasticsearch.audit.event_type": "access_denied", - "elasticsearch.audit.layer": "transport", - "elasticsearch.audit.origin_address": "147.107.128.77", - "elasticsearch.audit.origin_type": "rest", - "elasticsearch.audit.principal": "_anonymous", - "elasticsearch.audit.request": "MainRequest", - "event.dataset": "audit", - "event.module": "elasticsearch", - "input.type": "log", - "log.offset": 802, - "message": "[2018-06-19T05:55:26,898] [transport] [access_denied]\torigin_type=[rest], origin_address=[147.107.128.77], principal=[_anonymous], action=[cluster:monitor/main], request=[MainRequest]", + "@timestamp": "2018-06-19T05:55:26.898Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.action": "cluster:monitor/main", + "elasticsearch.audit.event_type": "access_denied", + "elasticsearch.audit.layer": "transport", + "elasticsearch.audit.origin_address": "147.107.128.77", + "elasticsearch.audit.origin_type": "rest", + "elasticsearch.audit.principal": "_anonymous", + "elasticsearch.audit.request": "MainRequest", + "event.dataset": "audit", + "event.module": 
"elasticsearch", + "input.type": "log", + "log.offset": 802, + "message": "[2018-06-19T05:55:26,898] [transport] [access_denied]\torigin_type=[rest], origin_address=[147.107.128.77], principal=[_anonymous], action=[cluster:monitor/main], request=[MainRequest]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-06-19T05:24:15.190Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.audit.event_type": "authentication_failed", - "elasticsearch.audit.layer": "rest", - "elasticsearch.audit.origin_address": "172.18.0.3", - "elasticsearch.audit.principal": "elastic", - "elasticsearch.audit.request_body": "body", - "elasticsearch.audit.uri": "/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip", - "elasticsearch.node.name": "v_VJhjV", - "event.dataset": "audit", - "event.module": "elasticsearch", - "input.type": "log", - "log.offset": 986, - "message": "[2018-06-19T05:24:15,190] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.18.0.3], principal=[elastic], uri=[/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip], request_body=[body]", + "@timestamp": "2018-06-19T05:24:15.190Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.audit.event_type": "authentication_failed", + "elasticsearch.audit.layer": "rest", + "elasticsearch.audit.origin_address": "172.18.0.3", + "elasticsearch.audit.principal": "elastic", + "elasticsearch.audit.request_body": "body", + "elasticsearch.audit.uri": "/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip", + "elasticsearch.node.name": "v_VJhjV", + "event.dataset": "audit", + "event.module": "elasticsearch", + "input.type": "log", + "log.offset": 986, + "message": "[2018-06-19T05:24:15,190] [v_VJhjV] [rest] [authentication_failed]\torigin_address=[172.18.0.3], principal=[elastic], uri=[/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip], request_body=[body]", "service.name": "elasticsearch" } ] \ No newline 
at end of file diff --git a/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json b/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json index f209a7618e2..8b58026306b 100644 --- a/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json +++ b/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json 
@@ -1,50 +1,50 @@ [ { - "@timestamp": "2018-04-23T16:40:13.737Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "deprecation", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "WARN", - "log.offset": 0, - "message": "Deprecated field [template] used, replaced by [index_patterns]", + "@timestamp": "2018-04-23T16:40:13.737Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "deprecation", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "WARN", + "log.offset": 0, + "message": "Deprecated field [template] used, replaced by [index_patterns]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-04-23T16:40:13.862Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "deprecation", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "WARN", - "log.offset": 137, - "message": "Deprecated field [template] used, replaced by [index_patterns]", + "@timestamp": "2018-04-23T16:40:13.862Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "deprecation", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "WARN", + "log.offset": 137, + "message": "Deprecated field [template] used, replaced by [index_patterns]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-04-23T16:40:14.792Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "deprecation", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "WARN", - "log.offset": 274, - "message": "Deprecated field [template] used, replaced by [index_patterns]", + "@timestamp": "2018-04-23T16:40:14.792Z", 
+ "ecs.version": "1.0.0-beta2", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "deprecation", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "WARN", + "log.offset": 274, + "message": "Deprecated field [template] used, replaced by [index_patterns]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-04-23T16:40:15.127Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", - "event.dataset": "deprecation", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "WARN", - "log.offset": 411, - "message": "Deprecated field [template] used, replaced by [index_patterns]", + "@timestamp": "2018-04-23T16:40:15.127Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", + "event.dataset": "deprecation", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "WARN", + "log.offset": 411, + "message": "Deprecated field [template] used, replaced by [index_patterns]", "service.name": "elasticsearch" } ] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/deprecation/test/other_elasticsearch_deprecation.log-expected.json b/filebeat/module/elasticsearch/deprecation/test/other_elasticsearch_deprecation.log-expected.json index 15c97d31415..31e73c1983d 100644 --- a/filebeat/module/elasticsearch/deprecation/test/other_elasticsearch_deprecation.log-expected.json +++ b/filebeat/module/elasticsearch/deprecation/test/other_elasticsearch_deprecation.log-expected.json 
@@ -1,194 +1,194 @@
 [
 {
- "@timestamp": "2017-11-30T13:38:16.911Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.c.ParseField",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 0,
- "message": "Deprecated field [inline] used, expected [source] instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-11-30T13:38:16.941Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.c.ParseField",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 118,
- "message": "Deprecated field [inline] used, expected [source] instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-11-30T13:39:28.986Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 236,
- "message": "Fielddata access on the _uid field is deprecated, use _id instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-11-30T13:39:36.339Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 362,
- "message": "Fielddata access on the _uid field is deprecated, use _id instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-11-30T13:40:49.540Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 488,
- "message": "Fielddata access on the _uid field is deprecated, use _id instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-11-30T14:08:37.413Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 614,
- "message": "Fielddata access on the _uid field is deprecated, use _id instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-11-30T14:08:37.413Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 740,
- "message": "Fielddata access on the _uid field is deprecated, use _id instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-11-30T14:08:46.006Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 866,
- "message": "Fielddata access on the _uid field is deprecated, use _id instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-11-30T14:08:46.006Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 992,
- "message": "Fielddata access on the _uid field is deprecated, use _id instead",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-12-01T14:05:54.017Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 1118,
- "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-12-01T14:05:54.019Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 1329,
- "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-12-01T14:06:52.059Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 1540,
- "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-12-01T14:46:10.428Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.s.a.InternalOrder$Parser",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 1751,
- "message": "Deprecated aggregation order key [_term] used, replaced by [_key]",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-12-04T16:17:18.271Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 1882,
- "message": "Deprecated field [template] used, replaced by [index_patterns]",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-12-04T16:17:18.282Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.MapperService",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 2019,
- "message": "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type",
- "service.name": "elasticsearch"
- },
- {
- "@timestamp": "2017-12-04T16:20:43.248Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.server.component": "o.e.d.i.m.MapperService",
- "event.dataset": "deprecation",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.level": "WARN",
- "log.offset": 2192,
- "message": "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type",
+ "@timestamp": "2017-11-30T13:38:16.911Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.c.ParseField",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 0,
+ "message": "Deprecated field [inline] used, expected [source] instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-11-30T13:38:16.941Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.c.ParseField",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 118,
+ "message": "Deprecated field [inline] used, expected [source] instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-11-30T13:39:28.986Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 236,
+ "message": "Fielddata access on the _uid field is deprecated, use _id instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-11-30T13:39:36.339Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 362,
+ "message": "Fielddata access on the _uid field is deprecated, use _id instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-11-30T13:40:49.540Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 488,
+ "message": "Fielddata access on the _uid field is deprecated, use _id instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-11-30T14:08:37.413Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 614,
+ "message": "Fielddata access on the _uid field is deprecated, use _id instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-11-30T14:08:37.413Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 740,
+ "message": "Fielddata access on the _uid field is deprecated, use _id instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-11-30T14:08:46.006Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 866,
+ "message": "Fielddata access on the _uid field is deprecated, use _id instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-11-30T14:08:46.006Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.UidFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 992,
+ "message": "Fielddata access on the _uid field is deprecated, use _id instead",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-12-01T14:05:54.017Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 1118,
+ "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-12-01T14:05:54.019Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 1329,
+ "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-12-01T14:06:52.059Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.AllFieldMapper",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 1540,
+ "message": "[_all] is deprecated in 6.0+ and will be removed in 7.0. As a replacement, you can use [copy_to] on mapping fields to create your own catch all field.",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-12-01T14:46:10.428Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.s.a.InternalOrder$Parser",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 1751,
+ "message": "Deprecated aggregation order key [_term] used, replaced by [_key]",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-12-04T16:17:18.271Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 1882,
+ "message": "Deprecated field [template] used, replaced by [index_patterns]",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-12-04T16:17:18.282Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.MapperService",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 2019,
+ "message": "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type",
+ "service.name": "elasticsearch"
+ },
+ {
+ "@timestamp": "2017-12-04T16:20:43.248Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.server.component": "o.e.d.i.m.MapperService",
+ "event.dataset": "deprecation",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.level": "WARN",
+ "log.offset": 2192,
+ "message": "[_default_] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type",
 "service.name": "elasticsearch"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/elasticsearch/gc/test/test.log-expected.json b/filebeat/module/elasticsearch/gc/test/test.log-expected.json
index a1ae8067967..7174efe18a6 100644
--- a/filebeat/module/elasticsearch/gc/test/test.log-expected.json
+++ b/filebeat/module/elasticsearch/gc/test/test.log-expected.json
@@ -1,62 +1,62 @@
 [
 {
- "@timestamp": "2018-03-03T14:37:06.157Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.gc.heap.size_kb": "253440",
- "elasticsearch.gc.heap.used_kb": "142444",
- "elasticsearch.gc.jvm_runtime_sec": "14597.826",
- "elasticsearch.gc.old_gen.size_kb": "174784",
- "elasticsearch.gc.old_gen.used_kb": "131804",
- "elasticsearch.gc.phase.cpu_time.real_sec": "0.00",
- "elasticsearch.gc.phase.cpu_time.sys_sec": "0.00",
- "elasticsearch.gc.phase.cpu_time.user_sec": "0.01",
- "elasticsearch.gc.phase.duration_sec": "0.0021716",
- "elasticsearch.gc.phase.name": "CMS Initial Mark",
- "event.dataset": "gc",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.offset": 0,
- "message": "2018-03-03T19:37:06.157+0500: 14597.826: [GC (CMS Initial Mark) [1 CMS-initial-mark: 131804K(174784K)] 142444K(253440K), 0.0021716 secs] [Times: user=0.01 sys=0.00, real=0.00 secs]",
+ "@timestamp": "2018-03-03T14:37:06.157Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.gc.heap.size_kb": "253440",
+ "elasticsearch.gc.heap.used_kb": "142444",
+ "elasticsearch.gc.jvm_runtime_sec": "14597.826",
+ "elasticsearch.gc.old_gen.size_kb": "174784",
+ "elasticsearch.gc.old_gen.used_kb": "131804",
+ "elasticsearch.gc.phase.cpu_time.real_sec": "0.00",
+ "elasticsearch.gc.phase.cpu_time.sys_sec": "0.00",
+ "elasticsearch.gc.phase.cpu_time.user_sec": "0.01",
+ "elasticsearch.gc.phase.duration_sec": "0.0021716",
+ "elasticsearch.gc.phase.name": "CMS Initial Mark",
+ "event.dataset": "gc",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.offset": 0,
+ "message": "2018-03-03T19:37:06.157+0500: 14597.826: [GC (CMS Initial Mark) [1 CMS-initial-mark: 131804K(174784K)] 142444K(253440K), 0.0021716 secs] [Times: user=0.01 sys=0.00, real=0.00 secs]",
 "service.name": "elasticsearch"
- },
+ },
 {
- "@timestamp": "2018-06-11T01:53:11.382Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.gc.jvm_runtime_sec": "1396138.752",
- "elasticsearch.gc.stopping_threads_time_sec": "0.0000702",
- "elasticsearch.gc.threads_total_stop_time_sec": "0.0083760",
- "event.dataset": "gc",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.offset": 181,
- "message": "2018-06-11T01:53:11.382+0000: 1396138.752: Total time for which application threads were stopped: 0.0083760 seconds, Stopping threads took: 0.0000702 seconds",
+ "@timestamp": "2018-06-11T01:53:11.382Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.gc.jvm_runtime_sec": "1396138.752",
+ "elasticsearch.gc.stopping_threads_time_sec": "0.0000702",
+ "elasticsearch.gc.threads_total_stop_time_sec": "0.0083760",
+ "event.dataset": "gc",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.offset": 181,
+ "message": "2018-06-11T01:53:11.382+0000: 1396138.752: Total time for which application threads were stopped: 0.0083760 seconds, Stopping threads took: 0.0000702 seconds",
 "service.name": "elasticsearch"
- },
+ },
 {
- "@timestamp": "2018-06-30T11:35:26.632Z",
- "ecs.version": "1.0.0-beta2",
- "elasticsearch.gc.heap.size_kb": "506816",
- "elasticsearch.gc.heap.used_kb": "391020",
- "elasticsearch.gc.jvm_runtime_sec": "224.671",
- "elasticsearch.gc.old_gen.size_kb": "349568",
- "elasticsearch.gc.old_gen.used_kb": "277821",
- "elasticsearch.gc.phase.class_unload_time_sec": "0.0188407",
- "elasticsearch.gc.phase.cpu_time.real_sec": "0.04",
- "elasticsearch.gc.phase.cpu_time.sys_sec": "0.00",
- "elasticsearch.gc.phase.cpu_time.user_sec": "0.12",
- "elasticsearch.gc.phase.duration_sec": "0.0457689",
- "elasticsearch.gc.phase.name": "CMS Final Remark",
- "elasticsearch.gc.phase.parallel_rescan_time_sec": "0.0148273",
- "elasticsearch.gc.phase.scrub_string_table_time_sec": "0.0005253",
- "elasticsearch.gc.phase.scrub_symbol_table_time_sec": "0.0100207",
- "elasticsearch.gc.phase.weak_refs_processing_time_sec": "0.0003647",
- "elasticsearch.gc.young_gen.size_kb": "157248",
- "elasticsearch.gc.young_gen.used_kb": "113198",
- "event.dataset": "gc",
- "event.module": "elasticsearch",
- "input.type": "log",
- "log.offset": 339,
- "message": "2018-06-30T16:35:26.632+0500: 224.671: [GC (CMS Final Remark) [YG occupancy: 113198 K (157248 K)]224.671: [Rescan (parallel) , 0.0148273 secs]224.686: [weak refs processing, 0.0003647 secs]224.687: [class unloading, 0.0188407 secs]224.705: [scrub symbol table, 0.0100207 secs]224.715: [scrub string table, 0.0005253 secs][1 CMS-remark: 277821K(349568K)] 391020K(506816K), 0.0457689 secs] [Times: user=0.12 sys=0.00, real=0.04 secs]",
+ "@timestamp": "2018-06-30T11:35:26.632Z",
+ "ecs.version": "1.0.0-beta2",
+ "elasticsearch.gc.heap.size_kb": "506816",
+ "elasticsearch.gc.heap.used_kb": "391020",
+ "elasticsearch.gc.jvm_runtime_sec": "224.671",
+ "elasticsearch.gc.old_gen.size_kb": "349568",
+ "elasticsearch.gc.old_gen.used_kb": "277821",
+ "elasticsearch.gc.phase.class_unload_time_sec": "0.0188407",
+ "elasticsearch.gc.phase.cpu_time.real_sec": "0.04",
+ "elasticsearch.gc.phase.cpu_time.sys_sec": "0.00",
+ "elasticsearch.gc.phase.cpu_time.user_sec": "0.12",
+ "elasticsearch.gc.phase.duration_sec": "0.0457689",
+ "elasticsearch.gc.phase.name": "CMS Final Remark",
+ "elasticsearch.gc.phase.parallel_rescan_time_sec": "0.0148273",
+ "elasticsearch.gc.phase.scrub_string_table_time_sec": "0.0005253",
+ "elasticsearch.gc.phase.scrub_symbol_table_time_sec": "0.0100207",
+ "elasticsearch.gc.phase.weak_refs_processing_time_sec": "0.0003647",
+ "elasticsearch.gc.young_gen.size_kb": "157248",
+ "elasticsearch.gc.young_gen.used_kb": "113198",
+ "event.dataset": "gc",
+ "event.module": "elasticsearch",
+ "input.type": "log",
+ "log.offset": 339,
+ "message": "2018-06-30T16:35:26.632+0500: 224.671: [GC (CMS Final Remark) [YG occupancy: 113198 K (157248 K)]224.671: [Rescan (parallel) , 0.0148273 secs]224.686: [weak refs processing, 0.0003647 secs]224.687: [class unloading, 0.0188407 secs]224.705: [scrub symbol table, 0.0100207 secs]224.715: [scrub string table, 0.0005253 secs][1 CMS-remark: 277821K(349568K)] 391020K(506816K), 0.0457689 secs] [Times: user=0.12 sys=0.00, real=0.04 secs]",
 "service.name": "elasticsearch"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/elasticsearch/server/test/test.log-expected.json b/filebeat/module/elasticsearch/server/test/test.log-expected.json
index 3c603b8332f..5625b0d77a3 100644
--- a/filebeat/module/elasticsearch/server/test/test.log-expected.json
+++ b/filebeat/module/elasticsearch/server/test/test.log-expected.json
@@ -1,272 +1,272 @@ [ { - "@timestamp": "2018-05-17T08:29:12.177Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.name": "test-filebeat-modules", - "elasticsearch.node.name": "vWNJsZ3", - "elasticsearch.server.component": "o.e.c.m.MetaDataCreateIndexService", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 0, - "message": "creating index, cause [auto(bulk api)], templates [test-filebeat-modules], shards [5]/[1], mappings [doc]", + "@timestamp": "2018-05-17T08:29:12.177Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.name": "test-filebeat-modules", + "elasticsearch.node.name": "vWNJsZ3", + "elasticsearch.server.component": "o.e.c.m.MetaDataCreateIndexService", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 0, + "message": "creating index, cause [auto(bulk api)], templates [test-filebeat-modules], shards [5]/[1], mappings [doc]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:19:35.939Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "", - "elasticsearch.server.component": "o.e.n.Node", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 209, - "message": "initializing ...", + "@timestamp": "2018-05-17T08:19:35.939Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "", + "elasticsearch.server.component": "o.e.n.Node", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 209, + "message": "initializing ...", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:19:36.089Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "vWNJsZ3", - "elasticsearch.server.component": "o.e.e.NodeEnvironment", - "event.dataset": "server", - "event.module": "elasticsearch", - 
"input.type": "log", - "log.level": "INFO", - "log.offset": 289, - "message": "using [1] data paths, mounts [[/ (/dev/disk1s1)]], net usable_space [32.4gb], net total_space [233.5gb], types [apfs]", + "@timestamp": "2018-05-17T08:19:36.089Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "vWNJsZ3", + "elasticsearch.server.component": "o.e.e.NodeEnvironment", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 289, + "message": "using [1] data paths, mounts [[/ (/dev/disk1s1)]], net usable_space [32.4gb], net total_space [233.5gb], types [apfs]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:19:36.090Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "vWNJsZ3", - "elasticsearch.server.component": "o.e.e.NodeEnvironment", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 477, - "message": "heap size [990.7mb], compressed ordinary object pointers [true]", + "@timestamp": "2018-05-17T08:19:36.090Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "vWNJsZ3", + "elasticsearch.server.component": "o.e.e.NodeEnvironment", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 477, + "message": "heap size [990.7mb], compressed ordinary object pointers [true]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:19:36.116Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.server.component": "o.e.n.Node", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 611, - "message": "node name [vWNJsZ3] derived from node ID [vWNJsZ3nTIKh5a1ai-ftYQ]; set [node.name] to override", + "@timestamp": "2018-05-17T08:19:36.116Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.server.component": "o.e.n.Node", 
+ "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 611, + "message": "node name [vWNJsZ3] derived from node ID [vWNJsZ3nTIKh5a1ai-ftYQ]; set [node.name] to override", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:23:48.941Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "vWNJsZ3", - "elasticsearch.server.component": "o.e.c.r.a.DiskThresholdMonitor", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 766, - "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "@timestamp": "2018-05-17T08:23:48.941Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "vWNJsZ3", + "elasticsearch.server.component": "o.e.c.r.a.DiskThresholdMonitor", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 766, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:29:09.245Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.name": "filebeat-test-input", - "elasticsearch.node.name": "vWNJsZ3", - "elasticsearch.server.component": "o.e.c.m.MetaDataCreateIndexService", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 1034, - "message": "creating index, cause [auto(bulk api)], templates [filebeat-test-input], shards [5]/[1], mappings [doc]", + "@timestamp": "2018-05-17T08:29:09.245Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.name": 
"filebeat-test-input", + "elasticsearch.node.name": "vWNJsZ3", + "elasticsearch.server.component": "o.e.c.m.MetaDataCreateIndexService", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1034, + "message": "creating index, cause [auto(bulk api)], templates [filebeat-test-input], shards [5]/[1], mappings [doc]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:29:09.576Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.id": "aOGgDwbURfCV57AScqbCgw", - "elasticsearch.index.name": "filebeat-test-input", - "elasticsearch.node.name": "vWNJsZ3", - "elasticsearch.server.component": "o.e.c.m.MetaDataMappingService", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 1239, - "message": "update_mapping [doc]", + "@timestamp": "2018-05-17T08:29:09.576Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.id": "aOGgDwbURfCV57AScqbCgw", + "elasticsearch.index.name": "filebeat-test-input", + "elasticsearch.node.name": "vWNJsZ3", + "elasticsearch.server.component": "o.e.c.m.MetaDataMappingService", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1239, + "message": "update_mapping [doc]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-09T12:47:33.959Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.id": "3tWftqb4RLKdyCAga9syGA", - "elasticsearch.index.name": ".kibana", - "elasticsearch.node.name": "QGY1F5P", - "elasticsearch.server.component": "o.e.c.m.MetaDataMappingService", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 1380, - "message": "update_mapping [doc]", + "@timestamp": "2018-07-09T12:47:33.959Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.id": "3tWftqb4RLKdyCAga9syGA", + 
"elasticsearch.index.name": ".kibana", + "elasticsearch.node.name": "QGY1F5P", + "elasticsearch.server.component": "o.e.c.m.MetaDataMappingService", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1380, + "message": "update_mapping [doc]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:29:25.598Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "vWNJsZ3", - "elasticsearch.server.component": "o.e.n.Node", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 1509, - "message": "closing ...", + "@timestamp": "2018-05-17T08:29:25.598Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "vWNJsZ3", + "elasticsearch.server.component": "o.e.n.Node", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1509, + "message": "closing ...", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-05-17T08:29:25.612Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "vWNJsZ3", - "elasticsearch.server.component": "o.e.n.Node", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 1591, - "message": "closed", + "@timestamp": "2018-05-17T08:29:25.612Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "vWNJsZ3", + "elasticsearch.server.component": "o.e.n.Node", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1591, + "message": "closed", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-03T11:45:48.548Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "srvmulpvlsk252_md", - "elasticsearch.server.component": "o.e.d.z.ZenDiscovery", - "event.dataset": "server", - "event.module": "elasticsearch", - 
"input.type": "log", - "log.level": "INFO", - "log.offset": 1668, - "message": "master_left [{srvmulpvlsk250_md}{igrwSoPGSJ6u_5b8k26tgQ}{PuRqciBFRbiQvL2_lS7LrQ}{srvmulpvlsk250.loganalytics.santanderuk.corp}{180.39.9.91:9300}{ml.max_open_jobs=10, ml.enabled=true}], reason [failed to ping, tried [3] times, each with maximum [30s] timeout]", + "@timestamp": "2018-07-03T11:45:48.548Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "srvmulpvlsk252_md", + "elasticsearch.server.component": "o.e.d.z.ZenDiscovery", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1668, + "message": "master_left [{srvmulpvlsk250_md}{igrwSoPGSJ6u_5b8k26tgQ}{PuRqciBFRbiQvL2_lS7LrQ}{srvmulpvlsk250.loganalytics.santanderuk.corp}{180.39.9.91:9300}{ml.max_open_jobs=10, ml.enabled=true}], reason [failed to ping, tried [3] times, each with maximum [30s] timeout]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-03T11:45:48.548Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "srvmulpvlsk252_md", - "elasticsearch.server.component": "o.e.d.z.ZenDiscovery", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", + "@timestamp": "2018-07-03T11:45:48.548Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "srvmulpvlsk252_md", + "elasticsearch.server.component": "o.e.d.z.ZenDiscovery", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "WARN", - "log.offset": 2008, - "message": "master left (reason = failed to ping, tried [3] times, each with maximum [30s] timeout), current nodes: nodes:\n {srvmulpvlsk252_md}{uc5xdiQgRhaBIY-sszgjvQ}{X9pC0t1UQQix_NNOM0J6JQ}{srvmulpvlsk252.loganalytics.santanderuk.corp}{180.39.9.93:9300}{ml.max_open_jobs=10, ml.enabled=true}, local\n 
{srvmulpvlsk258_md}{HgW6EDn5QCmWVmICy4saHw}{o8zku7OJR4CTp0IjY8Ag4Q}{srvmulpvlsk258.loganalytics.santanderuk.corp}{180.39.9.99:9300}{ml.max_open_jobs=10, ml.enabled=true}\n {srvmulpvlsk250_md}{igrwSoPGSJ6u_5b8k26tgQ}{PuRqciBFRbiQvL2_lS7LrQ}{srvmulpvlsk250.loganalytics.santanderuk.corp}{180.39.9.91:9300}{ml.max_open_jobs=10, ml.enabled=true}, master\n {srvmulpvlsk254_id}{wZYeAh2URc2NwBIHZolLWQ}{3nduupo-TzSPaXjQaNu4Sg}{srvmulpvlsk254.loganalytics.santanderuk.corp}{180.39.9.95:9300}{ml.max_open_jobs=10, ml.enabled=true}", + ], + "log.level": "WARN", + "log.offset": 2008, + "message": "master left (reason = failed to ping, tried [3] times, each with maximum [30s] timeout), current nodes: nodes:\n {srvmulpvlsk252_md}{uc5xdiQgRhaBIY-sszgjvQ}{X9pC0t1UQQix_NNOM0J6JQ}{srvmulpvlsk252.loganalytics.santanderuk.corp}{180.39.9.93:9300}{ml.max_open_jobs=10, ml.enabled=true}, local\n {srvmulpvlsk258_md}{HgW6EDn5QCmWVmICy4saHw}{o8zku7OJR4CTp0IjY8Ag4Q}{srvmulpvlsk258.loganalytics.santanderuk.corp}{180.39.9.99:9300}{ml.max_open_jobs=10, ml.enabled=true}\n {srvmulpvlsk250_md}{igrwSoPGSJ6u_5b8k26tgQ}{PuRqciBFRbiQvL2_lS7LrQ}{srvmulpvlsk250.loganalytics.santanderuk.corp}{180.39.9.91:9300}{ml.max_open_jobs=10, ml.enabled=true}, master\n {srvmulpvlsk254_id}{wZYeAh2URc2NwBIHZolLWQ}{3nduupo-TzSPaXjQaNu4Sg}{srvmulpvlsk254.loganalytics.santanderuk.corp}{180.39.9.95:9300}{ml.max_open_jobs=10, ml.enabled=true}", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-03T11:45:52.666Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.server.component": "r.suppressed", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", + "@timestamp": "2018-07-03T11:45:52.666Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.server.component": "r.suppressed", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "WARN", - "log.offset": 2907, - "message": "path: 
/_xpack/monitoring/_bulk, params: {system_id=logstash, system_api_version=2, interval=1s}\norg.elasticsearch.cluster.block.ClusterBlockException: blocked by: [SERVICE_UNAVAILABLE/2/no master];\n at org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedException(ClusterBlocks.java:165) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedRaiseException(ClusterBlocks.java:151) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.monitoring.action.TransportMonitoringBulkAction.doExecute(TransportMonitoringBulkAction.java:57) ~[?:?]\n at org.elasticsearch.xpack.monitoring.action.TransportMonitoringBulkAction.doExecute(TransportMonitoringBulkAction.java:40) ~[?:?]\n at org.elasticsearch.action.support.TransportAction.doExecute(TransportAction.java:146) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$apply$1(SecurityActionFilter.java:133) ~[?:?]\n at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:59) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$authorizeRequest$4(SecurityActionFilter.java:208) ~[?:?]\n at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:127) ~[?:?]\n at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:121) ~[?:?]\n at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:109) ~[?:?]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:210) ~[?:?]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:186) 
~[?:?]\n at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:59) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:212) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$4(AuthenticationService.java:246) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:257) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:210) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:159) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:122) ~[?:?]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.applyInternal(SecurityActionFilter.java:185) ~[?:?]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:145) ~[?:?]\n at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:84) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:83) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:72) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:408) ~[elasticsearch-5.6.3.jar:5.6.3]\n at 
org.elasticsearch.action.ActionRequestBuilder.execute(ActionRequestBuilder.java:80) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.monitoring.rest.action.RestMonitoringBulkAction.lambda$doPrepareRequest$0(RestMonitoringBulkAction.java:77) ~[?:?]\n at org.elasticsearch.rest.BaseRestHandler.handleReques", + ], + "log.level": "WARN", + "log.offset": 2907, + "message": "path: /_xpack/monitoring/_bulk, params: {system_id=logstash, system_api_version=2, interval=1s}\norg.elasticsearch.cluster.block.ClusterBlockException: blocked by: [SERVICE_UNAVAILABLE/2/no master];\n at org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedException(ClusterBlocks.java:165) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.cluster.block.ClusterBlocks.globalBlockedRaiseException(ClusterBlocks.java:151) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.monitoring.action.TransportMonitoringBulkAction.doExecute(TransportMonitoringBulkAction.java:57) ~[?:?]\n at org.elasticsearch.xpack.monitoring.action.TransportMonitoringBulkAction.doExecute(TransportMonitoringBulkAction.java:40) ~[?:?]\n at org.elasticsearch.action.support.TransportAction.doExecute(TransportAction.java:146) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$apply$1(SecurityActionFilter.java:133) ~[?:?]\n at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:59) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$authorizeRequest$4(SecurityActionFilter.java:208) ~[?:?]\n at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:127) ~[?:?]\n at 
org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:121) ~[?:?]\n at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:109) ~[?:?]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:210) ~[?:?]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:186) ~[?:?]\n at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:59) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:212) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$4(AuthenticationService.java:246) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:257) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:210) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:159) ~[?:?]\n at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:122) ~[?:?]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.applyInternal(SecurityActionFilter.java:185) ~[?:?]\n at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:145) ~[?:?]\n at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:168) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:142) ~[elasticsearch-5.6.3.jar:5.6.3]\n at 
org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:84) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:83) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:72) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:408) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.ActionRequestBuilder.execute(ActionRequestBuilder.java:80) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.monitoring.rest.action.RestMonitoringBulkAction.lambda$doPrepareRequest$0(RestMonitoringBulkAction.java:77) ~[?:?]\n at org.elasticsearch.rest.BaseRestHandler.handleReques", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-03T11:48:02.552Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.server.component": "r.suppressed", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", + "@timestamp": "2018-07-03T11:48:02.552Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.server.component": "r.suppressed", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "WARN", - "log.offset": 7412, - "message": "path: /_xpack/license, params: {}\norg.elasticsearch.discovery.MasterNotDiscoveredException: NodeDisconnectedException[[srvmulpvlsk250_md][180.39.9.91:9300][cluster:monitor/xpack/license/get] disconnected]\n at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$4.onTimeout(TransportMasterNodeAction.java:209) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.cluster.ClusterStateObserver$ContextPreservingListener.onTimeout(ClusterStateObserver.java:311) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.cluster.ClusterStateObserver.waitForNextChange(ClusterStateObserver.java:139) 
~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.cluster.ClusterStateObserver.waitForNextChange(ClusterStateObserver.java:111) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction.retry(TransportMasterNodeAction.java:194) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction.access$500(TransportMasterNodeAction.java:107) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$3.handleException(TransportMasterNodeAction.java:183) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1067) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1067) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.transport.TransportService$Adapter.lambda$onConnectionClosed$6(TransportService.java:893) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:569) [elasticsearch-5.6.3.jar:5.6.3]\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]\n at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]\nCaused by: org.elasticsearch.transport.NodeDisconnectedException: [srvmulpvlsk250_md][180.39.9.91:9300][cluster:monitor/xpack/license/get] disconnected", + ], + "log.level": "WARN", + "log.offset": 7412, + "message": "path: /_xpack/license, params: {}\norg.elasticsearch.discovery.MasterNotDiscoveredException: NodeDisconnectedException[[srvmulpvlsk250_md][180.39.9.91:9300][cluster:monitor/xpack/license/get] disconnected]\n at 
org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$4.onTimeout(TransportMasterNodeAction.java:209) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.cluster.ClusterStateObserver$ContextPreservingListener.onTimeout(ClusterStateObserver.java:311) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.cluster.ClusterStateObserver.waitForNextChange(ClusterStateObserver.java:139) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.cluster.ClusterStateObserver.waitForNextChange(ClusterStateObserver.java:111) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction.retry(TransportMasterNodeAction.java:194) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction.access$500(TransportMasterNodeAction.java:107) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$3.handleException(TransportMasterNodeAction.java:183) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1067) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1067) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.transport.TransportService$Adapter.lambda$onConnectionClosed$6(TransportService.java:893) ~[elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:569) [elasticsearch-5.6.3.jar:5.6.3]\n at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]\n at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]\n at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]\nCaused by: 
org.elasticsearch.transport.NodeDisconnectedException: [srvmulpvlsk250_md][180.39.9.91:9300][cluster:monitor/xpack/license/get] disconnected", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-03T11:45:27.896Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "srvmulpvlsk252_md", - "elasticsearch.server.component": "o.e.m.j.JvmGcMonitorService", - "elasticsearch.server.gc.young.one": "3449979", - "elasticsearch.server.gc.young.two": "986594", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", + "@timestamp": "2018-07-03T11:45:27.896Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "srvmulpvlsk252_md", + "elasticsearch.server.component": "o.e.m.j.JvmGcMonitorService", + "elasticsearch.server.gc.young.one": "3449979", + "elasticsearch.server.gc.young.two": "986594", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "WARN", - "log.offset": 9873, - "message": "duration [3.8s], collections [1]/[4.3s], total [3.8s]/[8.8h], memory [16.5gb]->[15.7gb]/[30.8gb], all_po\nols {[young] [1.2gb]->[24mb]/[1.4gb]}{[survivor] [191.3mb]->[191.3mb]/[191.3mb]}{[old] [15.1gb]->[15.5gb]/[29.1gb]}", + ], + "log.level": "WARN", + "log.offset": 9873, + "message": "duration [3.8s], collections [1]/[4.3s], total [3.8s]/[8.8h], memory [16.5gb]->[15.7gb]/[30.8gb], all_po\nols {[young] [1.2gb]->[24mb]/[1.4gb]}{[survivor] [191.3mb]->[191.3mb]/[191.3mb]}{[old] [15.1gb]->[15.5gb]/[29.1gb]}", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-03T11:45:45.604Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "srvmulpvlsk252_md", - "elasticsearch.server.component": "o.e.m.j.JvmGcMonitorService", - "elasticsearch.server.gc.collection_duration.ms": 1600.0, - "elasticsearch.server.gc.observation_duration.ms": 1800.0, - "elasticsearch.server.gc.overhead_seq": "3449992", - "event.dataset": "server", - 
"event.module": "elasticsearch", - "input.type": "log", - "log.level": "WARN", - "log.offset": 10205, - "message": "[2018-07-03T11:45:45,604][WARN ][o.e.m.j.JvmGcMonitorService] [srvmulpvlsk252_md] [gc][3449992] overhead, spent [1.6s] collecting in the last [1.8s]", + "@timestamp": "2018-07-03T11:45:45.604Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "srvmulpvlsk252_md", + "elasticsearch.server.component": "o.e.m.j.JvmGcMonitorService", + "elasticsearch.server.gc.collection_duration.ms": 1600.0, + "elasticsearch.server.gc.observation_duration.ms": 1800.0, + "elasticsearch.server.gc.overhead_seq": "3449992", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "WARN", + "log.offset": 10205, + "message": "[2018-07-03T11:45:45,604][WARN ][o.e.m.j.JvmGcMonitorService] [srvmulpvlsk252_md] [gc][3449992] overhead, spent [1.6s] collecting in the last [1.8s]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-03T11:48:02.541Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "srvmulpvlsk252_md", - "elasticsearch.server.component": "o.e.a.b.TransportShardBulkAction", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "WARN", - "log.offset": 10354, - "message": "[[pro_neocrmbigdata_paas-2018-27][0]] failed to perform indices:data/write/bulk[s] on replica [pro_neocrmbigdata_paas-2018-27][0], node[igrwSoPGSJ6u_5b8k26tgQ], [R], s[STARTED], a[id=DKK34YLHRMmJMkWg8jQH6w]", + "@timestamp": "2018-07-03T11:48:02.541Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "srvmulpvlsk252_md", + "elasticsearch.server.component": "o.e.a.b.TransportShardBulkAction", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "WARN", + "log.offset": 10354, + "message": "[[pro_neocrmbigdata_paas-2018-27][0]] failed to perform indices:data/write/bulk[s] on replica 
[pro_neocrmbigdata_paas-2018-27][0], node[igrwSoPGSJ6u_5b8k26tgQ], [R], s[STARTED], a[id=DKK34YLHRMmJMkWg8jQH6w]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-03T20:10:07.376Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.node.name": "srvmulpvlsk252_md", - "elasticsearch.server.component": "o.e.x.m.MonitoringService", - "event.dataset": "server", - "event.module": "elasticsearch", - "input.type": "log", + "@timestamp": "2018-07-03T20:10:07.376Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.node.name": "srvmulpvlsk252_md", + "elasticsearch.server.component": "o.e.x.m.MonitoringService", + "event.dataset": "server", + "event.module": "elasticsearch", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "WARN", - "log.offset": 10648, - "message": "monitoring execution failed\norg.elasticsearch.xpack.monitoring.exporter.ExportException: Exception when closing export bulk\n at org.elasticsearch.xpack.monitoring.exporter.ExportBulk$1$1.(ExportBulk.java:106) ~[?:?]\n at org.elasticsearch.xpack.monitoring.exporter.ExportBulk$1.onFailure(ExportBulk.java:104) ~[?:?]\n at org.elasticsearch.xpack.monitoring.exporter.ExportBulk$Compound$1.onResponse(ExportBulk.java:217) ~[?:?]\n at org.elasticsearch.xpack.monitoring.exporter.ExportBulk$Compound$1.onResponse(ExportBulk.java:211) ~[?:?]\n at org.elasticsearch.xpack.common.IteratingActionListener.onResponse(IteratingActionListener.java:108) ~[?:?]\n at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:59) [elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.monitoring.exporter.http.HttpExportBulk$1.onSuccess(HttpExportBulk.java:115) [x-pack-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.RestClient$FailureTrackingResponseListener.onSuccess(RestClient.java:597) [elasticsearch-rest-client-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.RestClient$1.completed(RestClient.java:352) [elasticsearch-rest-client-5.6.3.jar:5.6.3]\n at 
org.elasticsearch.client.RestClient$1.completed(RestClient.java:343) [elasticsearch-rest-client-5.6.3.jar:5.6.3]\n at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119) [httpcore-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177) [httpasyncclient-4.1.2.jar:4.1.2]\n at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:436) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:326) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81) [httpasyncclient-4.1.2.jar:4.1.2]\n at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39) [httpasyncclient-4.1.2.jar:4.1.2]\n at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:114) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) [httpcore-nio-4.4.5.jar:4.4.5]\n at java.lang.Thread.run(Thread.java:748) 
[?:1.8.0_161]\n", + ], + "log.level": "WARN", + "log.offset": 10648, + "message": "monitoring execution failed\norg.elasticsearch.xpack.monitoring.exporter.ExportException: Exception when closing export bulk\n at org.elasticsearch.xpack.monitoring.exporter.ExportBulk$1$1.(ExportBulk.java:106) ~[?:?]\n at org.elasticsearch.xpack.monitoring.exporter.ExportBulk$1.onFailure(ExportBulk.java:104) ~[?:?]\n at org.elasticsearch.xpack.monitoring.exporter.ExportBulk$Compound$1.onResponse(ExportBulk.java:217) ~[?:?]\n at org.elasticsearch.xpack.monitoring.exporter.ExportBulk$Compound$1.onResponse(ExportBulk.java:211) ~[?:?]\n at org.elasticsearch.xpack.common.IteratingActionListener.onResponse(IteratingActionListener.java:108) ~[?:?]\n at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:59) [elasticsearch-5.6.3.jar:5.6.3]\n at org.elasticsearch.xpack.monitoring.exporter.http.HttpExportBulk$1.onSuccess(HttpExportBulk.java:115) [x-pack-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.RestClient$FailureTrackingResponseListener.onSuccess(RestClient.java:597) [elasticsearch-rest-client-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.RestClient$1.completed(RestClient.java:352) [elasticsearch-rest-client-5.6.3.jar:5.6.3]\n at org.elasticsearch.client.RestClient$1.completed(RestClient.java:343) [elasticsearch-rest-client-5.6.3.jar:5.6.3]\n at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119) [httpcore-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177) [httpasyncclient-4.1.2.jar:4.1.2]\n at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:436) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:326) [httpcore-nio-4.4.5.jar:4.4.5]\n at 
org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81) [httpasyncclient-4.1.2.jar:4.1.2]\n at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39) [httpasyncclient-4.1.2.jar:4.1.2]\n at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:114) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) [httpcore-nio-4.4.5.jar:4.4.5]\n at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) [httpcore-nio-4.4.5.jar:4.4.5]\n at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]\n", "service.name": "elasticsearch" } ] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/slowlog/test/test.log-expected.json b/filebeat/module/elasticsearch/slowlog/test/test.log-expected.json index efe533256be..21c18e90a8c 100644 --- a/filebeat/module/elasticsearch/slowlog/test/test.log-expected.json +++ b/filebeat/module/elasticsearch/slowlog/test/test.log-expected.json 
@@ -1,139 +1,139 @@ [ { - "@timestamp": "2018-06-29T10:06:14.933Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", - "elasticsearch.node.name": "v_VJhjV", - "elasticsearch.shard.id": "0", - "elasticsearch.slowlog.logger": "index.search.slowlog.query", - "elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH", - "elasticsearch.slowlog.source_query": "{\"query\":{\"match_all\":{\"boost\":1.0}}}", - "elasticsearch.slowlog.stats": "", - "elasticsearch.slowlog.took": "4.5ms", - "elasticsearch.slowlog.took_millis": 4, - "elasticsearch.slowlog.total_hits": 19435, - "elasticsearch.slowlog.total_shards": 1, - "elasticsearch.slowlog.types": "", - "event.dataset": "slowlog", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 0, - "message": "[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}],", + "@timestamp": "2018-06-29T10:06:14.933Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", + "elasticsearch.node.name": "v_VJhjV", + "elasticsearch.shard.id": "0", + "elasticsearch.slowlog.logger": "index.search.slowlog.query", + "elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH", + "elasticsearch.slowlog.source_query": "{\"query\":{\"match_all\":{\"boost\":1.0}}}", + "elasticsearch.slowlog.stats": "", + "elasticsearch.slowlog.took": "4.5ms", + "elasticsearch.slowlog.took_millis": 4, + "elasticsearch.slowlog.total_hits": 19435, + "elasticsearch.slowlog.total_shards": 1, + "elasticsearch.slowlog.types": "", + "event.dataset": "slowlog", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 0, + "message": "[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] 
[metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}],", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-06-29T10:06:14.943Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", - "elasticsearch.node.name": "v_VJhjV", - "elasticsearch.shard.id": "0", - "elasticsearch.slowlog.logger": "index.search.slowlog.fetch", - "elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH", - "elasticsearch.slowlog.source_query": "{\"query\":{\"match_all\":{\"boost\":1.0}}}", - "elasticsearch.slowlog.stats": "", - "elasticsearch.slowlog.took": "10.8ms", - "elasticsearch.slowlog.took_millis": 10, - "elasticsearch.slowlog.total_hits": 19435, - "elasticsearch.slowlog.total_shards": 1, - "elasticsearch.slowlog.types": "", - "event.dataset": "slowlog", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 265, - "message": "[2018-06-29T10:06:14,943][INFO ][index.search.slowlog.fetch] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[10.8ms], took_millis[10], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}],", + "@timestamp": "2018-06-29T10:06:14.943Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", + "elasticsearch.node.name": "v_VJhjV", + "elasticsearch.shard.id": "0", + "elasticsearch.slowlog.logger": "index.search.slowlog.fetch", + "elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH", + "elasticsearch.slowlog.source_query": "{\"query\":{\"match_all\":{\"boost\":1.0}}}", + "elasticsearch.slowlog.stats": "", + "elasticsearch.slowlog.took": "10.8ms", + "elasticsearch.slowlog.took_millis": 10, + "elasticsearch.slowlog.total_hits": 19435, + "elasticsearch.slowlog.total_shards": 1, + "elasticsearch.slowlog.types": 
"", + "event.dataset": "slowlog", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 265, + "message": "[2018-06-29T10:06:14,943][INFO ][index.search.slowlog.fetch] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[10.8ms], took_millis[10], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}],", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-06-29T09:01:01.821Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", - "elasticsearch.node.name": "v_VJhjV", - "elasticsearch.shard.id": "0", - "elasticsearch.slowlog.logger": "index.search.slowlog.query", - "elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH", - "elasticsearch.slowlog.source_query": "{\"size\":500,\"query\":{\"match_none\":{\"boost\":1.0}},\"version\":true,\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[\"@timestamp\",\"ceph.monitor_health.last_updated\",\"docker.container.created\",\"docker.healthcheck.event.end_date\",\"docker.healthcheck.event.start_date\",\"docker.image.created\",\"kubernetes.container.start_time\",\"kubernetes.event.metadata.timestamp.created\",\"kubernetes.node.start_time\",\"kubernetes.pod.start_time\",\"kubernetes.system.start_time\",\"mongodb.status.background_flushing.last_finished\",\"mongodb.status.local_time\",\"php_fpm.pool.start_time\",\"postgresql.activity.backend_start\",\"postgresql.activity.query_start\",\"postgresql.activity.state_change\",\"postgresql.activity.transaction_start\",\"postgresql.bgwriter.stats_reset\",\"postgresql.database.stats_reset\",\"system.process.cpu.start_time\"],\"script_fields\":{},\"sort\":[{\"@timestamp\":{\"order\":\"desc\",\"unmapped_type\":\"boolean\"}}],\"aggregations\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"time_zone\":\"Europe/Berlin\",\"interval\":\"30s\",\"offset\":0,\"order\":{\"_key\":\"a
sc\"},\"keyed\":false,\"min_doc_count\":1}}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fragment_size\":2147483647,\"fields\":{\"*\":{}}}}", - "elasticsearch.slowlog.stats": "", - "elasticsearch.slowlog.took": "124.3ms", - "elasticsearch.slowlog.took_millis": 124, - "elasticsearch.slowlog.total_hits": 0, - "elasticsearch.slowlog.total_shards": 1, - "elasticsearch.slowlog.types": "", - "event.dataset": "slowlog", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 532, - "message": "[2018-06-29T09:01:01,821][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[124.3ms], took_millis[124], total_hits[0], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"size\":500,\"query\":{\"match_none\":{\"boost\":1.0}},\"version\":true,\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[\"@timestamp\",\"ceph.monitor_health.last_updated\",\"docker.container.created\",\"docker.healthcheck.event.end_date\",\"docker.healthcheck.event.start_date\",\"docker.image.created\",\"kubernetes.container.start_time\",\"kubernetes.event.metadata.timestamp.created\",\"kubernetes.node.start_time\",\"kubernetes.pod.start_time\",\"kubernetes.system.start_time\",\"mongodb.status.background_flushing.last_finished\",\"mongodb.status.local_time\",\"php_fpm.pool.start_time\",\"postgresql.activity.backend_start\",\"postgresql.activity.query_start\",\"postgresql.activity.state_change\",\"postgresql.activity.transaction_start\",\"postgresql.bgwriter.stats_reset\",\"postgresql.database.stats_reset\",\"system.process.cpu.start_time\"],\"script_fields\":{},\"sort\":[{\"@timestamp\":{\"order\":\"desc\",\"unmapped_type\":\"boolean\"}}],\"aggregations\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"time_zone\":\"Europe/Berlin\",\"interval\":\"30s\",\"offset\":0,\"order\":{\"_key\":\"asc\"},\"keyed\":fa
lse,\"min_doc_count\":1}}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fragment_size\":2147483647,\"fields\":{\"*\":{}}}}],", + "@timestamp": "2018-06-29T09:01:01.821Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", + "elasticsearch.node.name": "v_VJhjV", + "elasticsearch.shard.id": "0", + "elasticsearch.slowlog.logger": "index.search.slowlog.query", + "elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH", + "elasticsearch.slowlog.source_query": "{\"size\":500,\"query\":{\"match_none\":{\"boost\":1.0}},\"version\":true,\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[\"@timestamp\",\"ceph.monitor_health.last_updated\",\"docker.container.created\",\"docker.healthcheck.event.end_date\",\"docker.healthcheck.event.start_date\",\"docker.image.created\",\"kubernetes.container.start_time\",\"kubernetes.event.metadata.timestamp.created\",\"kubernetes.node.start_time\",\"kubernetes.pod.start_time\",\"kubernetes.system.start_time\",\"mongodb.status.background_flushing.last_finished\",\"mongodb.status.local_time\",\"php_fpm.pool.start_time\",\"postgresql.activity.backend_start\",\"postgresql.activity.query_start\",\"postgresql.activity.state_change\",\"postgresql.activity.transaction_start\",\"postgresql.bgwriter.stats_reset\",\"postgresql.database.stats_reset\",\"system.process.cpu.start_time\"],\"script_fields\":{},\"sort\":[{\"@timestamp\":{\"order\":\"desc\",\"unmapped_type\":\"boolean\"}}],\"aggregations\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"time_zone\":\"Europe/Berlin\",\"interval\":\"30s\",\"offset\":0,\"order\":{\"_key\":\"asc\"},\"keyed\":false,\"min_doc_count\":1}}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fragment_size\":2147483647,\"fields\":{\"*\":{}}}}", + "elasticsearch.slowlog.stats": "", + 
"elasticsearch.slowlog.took": "124.3ms", + "elasticsearch.slowlog.took_millis": 124, + "elasticsearch.slowlog.total_hits": 0, + "elasticsearch.slowlog.total_shards": 1, + "elasticsearch.slowlog.types": "", + "event.dataset": "slowlog", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 532, + "message": "[2018-06-29T09:01:01,821][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[124.3ms], took_millis[124], total_hits[0], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"size\":500,\"query\":{\"match_none\":{\"boost\":1.0}},\"version\":true,\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[\"@timestamp\",\"ceph.monitor_health.last_updated\",\"docker.container.created\",\"docker.healthcheck.event.end_date\",\"docker.healthcheck.event.start_date\",\"docker.image.created\",\"kubernetes.container.start_time\",\"kubernetes.event.metadata.timestamp.created\",\"kubernetes.node.start_time\",\"kubernetes.pod.start_time\",\"kubernetes.system.start_time\",\"mongodb.status.background_flushing.last_finished\",\"mongodb.status.local_time\",\"php_fpm.pool.start_time\",\"postgresql.activity.backend_start\",\"postgresql.activity.query_start\",\"postgresql.activity.state_change\",\"postgresql.activity.transaction_start\",\"postgresql.bgwriter.stats_reset\",\"postgresql.database.stats_reset\",\"system.process.cpu.start_time\"],\"script_fields\":{},\"sort\":[{\"@timestamp\":{\"order\":\"desc\",\"unmapped_type\":\"boolean\"}}],\"aggregations\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"time_zone\":\"Europe/Berlin\",\"interval\":\"30s\",\"offset\":0,\"order\":{\"_key\":\"asc\"},\"keyed\":false,\"min_doc_count\":1}}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fragment_size\":2147483647,\"fields\":{\"*\":{}}}}],", "service.name": "elasticsearch" - }, + }, { - 
"@timestamp": "2018-06-29T09:01:01.827Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", - "elasticsearch.node.name": "v_VJhjV", - "elasticsearch.shard.id": "0", - "elasticsearch.slowlog.logger": "index.search.slowlog.fetch", - "elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH", - "elasticsearch.slowlog.source_query": "{\"size\":500,\"query\":{\"match_none\":{\"boost\":1.0}},\"version\":true,\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[\"@timestamp\",\"ceph.monitor_health.last_updated\",\"docker.container.created\",\"docker.healthcheck.event.end_date\",\"docker.healthcheck.event.start_date\",\"docker.image.created\",\"kubernetes.container.start_time\",\"kubernetes.event.metadata.timestamp.created\",\"kubernetes.node.start_time\",\"kubernetes.pod.start_time\",\"kubernetes.system.start_time\",\"mongodb.status.background_flushing.last_finished\",\"mongodb.status.local_time\",\"php_fpm.pool.start_time\",\"postgresql.activity.backend_start\",\"postgresql.activity.query_start\",\"postgresql.activity.state_change\",\"postgresql.activity.transaction_start\",\"postgresql.bgwriter.stats_reset\",\"postgresql.database.stats_reset\",\"system.process.cpu.start_time\"],\"script_fields\":{},\"sort\":[{\"@timestamp\":{\"order\":\"desc\",\"unmapped_type\":\"boolean\"}}],\"aggregations\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"time_zone\":\"Europe/Berlin\",\"interval\":\"30s\",\"offset\":0,\"order\":{\"_key\":\"asc\"},\"keyed\":false,\"min_doc_count\":1}}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fragment_size\":2147483647,\"fields\":{\"*\":{}}}}", - "elasticsearch.slowlog.stats": "", - "elasticsearch.slowlog.took": "7.2ms", - "elasticsearch.slowlog.took_millis": 7, - "elasticsearch.slowlog.total_hits": 0, - "elasticsearch.slowlog.total_shards": 1, - "elasticsearch.slowlog.types": "", - "event.dataset": 
"slowlog", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 1999, - "message": "[2018-06-29T09:01:01,827][INFO ][index.search.slowlog.fetch] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[7.2ms], took_millis[7], total_hits[0], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"size\":500,\"query\":{\"match_none\":{\"boost\":1.0}},\"version\":true,\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[\"@timestamp\",\"ceph.monitor_health.last_updated\",\"docker.container.created\",\"docker.healthcheck.event.end_date\",\"docker.healthcheck.event.start_date\",\"docker.image.created\",\"kubernetes.container.start_time\",\"kubernetes.event.metadata.timestamp.created\",\"kubernetes.node.start_time\",\"kubernetes.pod.start_time\",\"kubernetes.system.start_time\",\"mongodb.status.background_flushing.last_finished\",\"mongodb.status.local_time\",\"php_fpm.pool.start_time\",\"postgresql.activity.backend_start\",\"postgresql.activity.query_start\",\"postgresql.activity.state_change\",\"postgresql.activity.transaction_start\",\"postgresql.bgwriter.stats_reset\",\"postgresql.database.stats_reset\",\"system.process.cpu.start_time\"],\"script_fields\":{},\"sort\":[{\"@timestamp\":{\"order\":\"desc\",\"unmapped_type\":\"boolean\"}}],\"aggregations\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"time_zone\":\"Europe/Berlin\",\"interval\":\"30s\",\"offset\":0,\"order\":{\"_key\":\"asc\"},\"keyed\":false,\"min_doc_count\":1}}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fragment_size\":2147483647,\"fields\":{\"*\":{}}}}],", + "@timestamp": "2018-06-29T09:01:01.827Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.name": "metricbeat-6.3.0-2018.06.26", + "elasticsearch.node.name": "v_VJhjV", + "elasticsearch.shard.id": "0", + "elasticsearch.slowlog.logger": "index.search.slowlog.fetch", + 
"elasticsearch.slowlog.search_type": "QUERY_THEN_FETCH", + "elasticsearch.slowlog.source_query": "{\"size\":500,\"query\":{\"match_none\":{\"boost\":1.0}},\"version\":true,\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[\"@timestamp\",\"ceph.monitor_health.last_updated\",\"docker.container.created\",\"docker.healthcheck.event.end_date\",\"docker.healthcheck.event.start_date\",\"docker.image.created\",\"kubernetes.container.start_time\",\"kubernetes.event.metadata.timestamp.created\",\"kubernetes.node.start_time\",\"kubernetes.pod.start_time\",\"kubernetes.system.start_time\",\"mongodb.status.background_flushing.last_finished\",\"mongodb.status.local_time\",\"php_fpm.pool.start_time\",\"postgresql.activity.backend_start\",\"postgresql.activity.query_start\",\"postgresql.activity.state_change\",\"postgresql.activity.transaction_start\",\"postgresql.bgwriter.stats_reset\",\"postgresql.database.stats_reset\",\"system.process.cpu.start_time\"],\"script_fields\":{},\"sort\":[{\"@timestamp\":{\"order\":\"desc\",\"unmapped_type\":\"boolean\"}}],\"aggregations\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"time_zone\":\"Europe/Berlin\",\"interval\":\"30s\",\"offset\":0,\"order\":{\"_key\":\"asc\"},\"keyed\":false,\"min_doc_count\":1}}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fragment_size\":2147483647,\"fields\":{\"*\":{}}}}", + "elasticsearch.slowlog.stats": "", + "elasticsearch.slowlog.took": "7.2ms", + "elasticsearch.slowlog.took_millis": 7, + "elasticsearch.slowlog.total_hits": 0, + "elasticsearch.slowlog.total_shards": 1, + "elasticsearch.slowlog.types": "", + "event.dataset": "slowlog", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1999, + "message": "[2018-06-29T09:01:01,827][INFO ][index.search.slowlog.fetch] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[7.2ms], took_millis[7], total_hits[0], 
types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"size\":500,\"query\":{\"match_none\":{\"boost\":1.0}},\"version\":true,\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[\"@timestamp\",\"ceph.monitor_health.last_updated\",\"docker.container.created\",\"docker.healthcheck.event.end_date\",\"docker.healthcheck.event.start_date\",\"docker.image.created\",\"kubernetes.container.start_time\",\"kubernetes.event.metadata.timestamp.created\",\"kubernetes.node.start_time\",\"kubernetes.pod.start_time\",\"kubernetes.system.start_time\",\"mongodb.status.background_flushing.last_finished\",\"mongodb.status.local_time\",\"php_fpm.pool.start_time\",\"postgresql.activity.backend_start\",\"postgresql.activity.query_start\",\"postgresql.activity.state_change\",\"postgresql.activity.transaction_start\",\"postgresql.bgwriter.stats_reset\",\"postgresql.database.stats_reset\",\"system.process.cpu.start_time\"],\"script_fields\":{},\"sort\":[{\"@timestamp\":{\"order\":\"desc\",\"unmapped_type\":\"boolean\"}}],\"aggregations\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"time_zone\":\"Europe/Berlin\",\"interval\":\"30s\",\"offset\":0,\"order\":{\"_key\":\"asc\"},\"keyed\":false,\"min_doc_count\":1}}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fragment_size\":2147483647,\"fields\":{\"*\":{}}}}],", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-04T13:48:07.452Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.id": "VLKxBLvUSYuIMKzpacGjRg", - "elasticsearch.index.name": "metricbeat-6.3.0-2018.07.04", - "elasticsearch.node.name": "v_VJhjV", - "elasticsearch.slowlog.id": "KUyMZWQBk9jw4gtg2y5-", - "elasticsearch.slowlog.logger": "index.indexing.slowlog.index", - "elasticsearch.slowlog.routing": "", - "elasticsearch.slowlog.source_query": 
"{\"@timestamp\":\"2018-07-04T13:47:50.747Z\",\"system\":{\"process\":{\"ppid\":34526,\"state\":\"running\",\"cpu\":{\"total\":{\"value\":734879,\"pct\":0.0173,\"norm\":{\"pct\":0.0043}},\"start_time\":\"2018-07-04T06:56:34.863Z\"},\"pgid\":34526,\"cmdline\":\"/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container -childID 1 -isForBrowser -prefsLen 22119 -schedulerPrefs 0001,2 -greomni /Applications/Firefox.app/Contents/Resources/omni.ja -appomni /Applications/Firefox.app/Contents/Resources/browser/omni.ja -appdir /Applications/Firefox.app/Contents/Resources/browser -profile /Users/rado/Library/Application Support/Firefox/Profiles/pt6eoq1j.default-1484133908360 34526 gecko-crash-server-pipe.34526 org.mozilla.machname.231926932 tab\",\"name\":\"plugin-containe\",\"memory\":{\"size\":7489249280,\"rss\":{\"bytes\":567619584,\"pct\":0.033},\"share\":0},\"pid\":34528,\"username\":\"rado\"}},\"metricset\":{\"name\":\"process\",\"module\":\"system\",\"rtt\":43856},\"beat\":{\"hostname\":\"Rados-MacBook-Pro.local\",\"version\":\"6.3.0\",\"name\":\"Rados-MacBook-Pro.local\"},\"host\":{\"name\":\"Rados-MacBook-Pro.local\"}}", - "elasticsearch.slowlog.took": "1.4ms", - "elasticsearch.slowlog.took_millis": 1, - "elasticsearch.slowlog.type": "doc", - "event.dataset": "slowlog", - "event.module": "elasticsearch", - "input.type": "log", - "log.level": "INFO", - "log.offset": 3462, - "message": "[2018-07-04T13:48:07,452][INFO ][index.indexing.slowlog.index] [v_VJhjV] [metricbeat-6.3.0-2018.07.04/VLKxBLvUSYuIMKzpacGjRg] took[1.4ms], took_millis[1], type[doc], id[KUyMZWQBk9jw4gtg2y5-], routing[], 
source[{\"@timestamp\":\"2018-07-04T13:47:50.747Z\",\"system\":{\"process\":{\"ppid\":34526,\"state\":\"running\",\"cpu\":{\"total\":{\"value\":734879,\"pct\":0.0173,\"norm\":{\"pct\":0.0043}},\"start_time\":\"2018-07-04T06:56:34.863Z\"},\"pgid\":34526,\"cmdline\":\"/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container -childID 1 -isForBrowser -prefsLen 22119 -schedulerPrefs 0001,2 -greomni /Applications/Firefox.app/Contents/Resources/omni.ja -appomni /Applications/Firefox.app/Contents/Resources/browser/omni.ja -appdir /Applications/Firefox.app/Contents/Resources/browser -profile /Users/rado/Library/Application Support/Firefox/Profiles/pt6eoq1j.default-1484133908360 34526 gecko-crash-server-pipe.34526 org.mozilla.machname.231926932 tab\",\"name\":\"plugin-containe\",\"memory\":{\"size\":7489249280,\"rss\":{\"bytes\":567619584,\"pct\":0.033},\"share\":0},\"pid\":34528,\"username\":\"rado\"}},\"metricset\":{\"name\":\"process\",\"module\":\"system\",\"rtt\":43856},\"beat\":{\"hostname\":\"Rados-MacBook-Pro.local\",\"version\":\"6.3.0\",\"name\":\"Rados-MacBook-Pro.local\"},\"host\":{\"name\":\"Rados-MacBook-Pro.local\"}}]", + "@timestamp": "2018-07-04T13:48:07.452Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.id": "VLKxBLvUSYuIMKzpacGjRg", + "elasticsearch.index.name": "metricbeat-6.3.0-2018.07.04", + "elasticsearch.node.name": "v_VJhjV", + "elasticsearch.slowlog.id": "KUyMZWQBk9jw4gtg2y5-", + "elasticsearch.slowlog.logger": "index.indexing.slowlog.index", + "elasticsearch.slowlog.routing": "", + "elasticsearch.slowlog.source_query": "{\"@timestamp\":\"2018-07-04T13:47:50.747Z\",\"system\":{\"process\":{\"ppid\":34526,\"state\":\"running\",\"cpu\":{\"total\":{\"value\":734879,\"pct\":0.0173,\"norm\":{\"pct\":0.0043}},\"start_time\":\"2018-07-04T06:56:34.863Z\"},\"pgid\":34526,\"cmdline\":\"/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container -childID 1 -isForBrowser -prefsLen 
22119 -schedulerPrefs 0001,2 -greomni /Applications/Firefox.app/Contents/Resources/omni.ja -appomni /Applications/Firefox.app/Contents/Resources/browser/omni.ja -appdir /Applications/Firefox.app/Contents/Resources/browser -profile /Users/rado/Library/Application Support/Firefox/Profiles/pt6eoq1j.default-1484133908360 34526 gecko-crash-server-pipe.34526 org.mozilla.machname.231926932 tab\",\"name\":\"plugin-containe\",\"memory\":{\"size\":7489249280,\"rss\":{\"bytes\":567619584,\"pct\":0.033},\"share\":0},\"pid\":34528,\"username\":\"rado\"}},\"metricset\":{\"name\":\"process\",\"module\":\"system\",\"rtt\":43856},\"beat\":{\"hostname\":\"Rados-MacBook-Pro.local\",\"version\":\"6.3.0\",\"name\":\"Rados-MacBook-Pro.local\"},\"host\":{\"name\":\"Rados-MacBook-Pro.local\"}}", + "elasticsearch.slowlog.took": "1.4ms", + "elasticsearch.slowlog.took_millis": 1, + "elasticsearch.slowlog.type": "doc", + "event.dataset": "slowlog", + "event.module": "elasticsearch", + "input.type": "log", + "log.level": "INFO", + "log.offset": 3462, + "message": "[2018-07-04T13:48:07,452][INFO ][index.indexing.slowlog.index] [v_VJhjV] [metricbeat-6.3.0-2018.07.04/VLKxBLvUSYuIMKzpacGjRg] took[1.4ms], took_millis[1], type[doc], id[KUyMZWQBk9jw4gtg2y5-], routing[], source[{\"@timestamp\":\"2018-07-04T13:47:50.747Z\",\"system\":{\"process\":{\"ppid\":34526,\"state\":\"running\",\"cpu\":{\"total\":{\"value\":734879,\"pct\":0.0173,\"norm\":{\"pct\":0.0043}},\"start_time\":\"2018-07-04T06:56:34.863Z\"},\"pgid\":34526,\"cmdline\":\"/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container -childID 1 -isForBrowser -prefsLen 22119 -schedulerPrefs 0001,2 -greomni /Applications/Firefox.app/Contents/Resources/omni.ja -appomni /Applications/Firefox.app/Contents/Resources/browser/omni.ja -appdir /Applications/Firefox.app/Contents/Resources/browser -profile /Users/rado/Library/Application Support/Firefox/Profiles/pt6eoq1j.default-1484133908360 34526 
gecko-crash-server-pipe.34526 org.mozilla.machname.231926932 tab\",\"name\":\"plugin-containe\",\"memory\":{\"size\":7489249280,\"rss\":{\"bytes\":567619584,\"pct\":0.033},\"share\":0},\"pid\":34528,\"username\":\"rado\"}},\"metricset\":{\"name\":\"process\",\"module\":\"system\",\"rtt\":43856},\"beat\":{\"hostname\":\"Rados-MacBook-Pro.local\",\"version\":\"6.3.0\",\"name\":\"Rados-MacBook-Pro.local\"},\"host\":{\"name\":\"Rados-MacBook-Pro.local\"}}]", "service.name": "elasticsearch" - }, + }, { - "@timestamp": "2018-07-04T21:51:30.411Z", - "ecs.version": "1.0.0-beta2", - "elasticsearch.index.id": "VLKxBLvUSYuIMKzpacGjRg", - "elasticsearch.index.name": "metricbeat-6.3.0-2018.07.04", - "elasticsearch.node.name": "v_VJhjV", - "elasticsearch.slowlog.id": "s01HZ2QBk9jw4gtgaFtn", - "elasticsearch.slowlog.logger": "index.indexing.slowlog.index", - "elasticsearch.slowlog.routing": "", - "elasticsearch.slowlog.source_query": "\n{\n \"@timestamp\":\"2018-07-04T21:27:30.730Z\",\n \"metricset\":{\n \"name\":\"network\",\n \"module\":\"system\",\n \"rtt\":7264},\n \"system\":{\n \"network\":{\n \"name\":\"lo0\",\n \"in\":{\n \"errors\":0,\n \"dropped\":0,\n \"bytes\":77666873,\n \"packets\":244595},\n \"out\":{\n \"packets\":244595,\n \"bytes\":77666873,\n \"errors\":0,\n \"dropped\":0\n }\n }\n },\n \"beat\":{\n \"name\":\"Rados-MacBook-Pro.local\",\n \"hostname\":\"Rados-MacBook-Pro.local\",\n \"version\":\"6.3.0\"\n },\n \"host\":{\n \"name\":\"Rados-MacBook-Pro.local\"\n }\n }", - "elasticsearch.slowlog.took": "1.7ms", - "elasticsearch.slowlog.took_millis": 1, - "elasticsearch.slowlog.type": "doc", - "event.dataset": "slowlog", - "event.module": "elasticsearch", - "input.type": "log", + "@timestamp": "2018-07-04T21:51:30.411Z", + "ecs.version": "1.0.0-beta2", + "elasticsearch.index.id": "VLKxBLvUSYuIMKzpacGjRg", + "elasticsearch.index.name": "metricbeat-6.3.0-2018.07.04", + "elasticsearch.node.name": "v_VJhjV", + "elasticsearch.slowlog.id": "s01HZ2QBk9jw4gtgaFtn", + 
"elasticsearch.slowlog.logger": "index.indexing.slowlog.index", + "elasticsearch.slowlog.routing": "", + "elasticsearch.slowlog.source_query": "\n{\n \"@timestamp\":\"2018-07-04T21:27:30.730Z\",\n \"metricset\":{\n \"name\":\"network\",\n \"module\":\"system\",\n \"rtt\":7264},\n \"system\":{\n \"network\":{\n \"name\":\"lo0\",\n \"in\":{\n \"errors\":0,\n \"dropped\":0,\n \"bytes\":77666873,\n \"packets\":244595},\n \"out\":{\n \"packets\":244595,\n \"bytes\":77666873,\n \"errors\":0,\n \"dropped\":0\n }\n }\n },\n \"beat\":{\n \"name\":\"Rados-MacBook-Pro.local\",\n \"hostname\":\"Rados-MacBook-Pro.local\",\n \"version\":\"6.3.0\"\n },\n \"host\":{\n \"name\":\"Rados-MacBook-Pro.local\"\n }\n }", + "elasticsearch.slowlog.took": "1.7ms", + "elasticsearch.slowlog.took_millis": 1, + "elasticsearch.slowlog.type": "doc", + "event.dataset": "slowlog", + "event.module": "elasticsearch", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "INFO", - "log.offset": 4753, - "message": "[2018-07-04T21:51:30,411][INFO ][index.indexing.slowlog.index] [v_VJhjV] [metricbeat-6.3.0-2018.07.04/VLKxBLvUSYuIMKzpacGjRg] took[1.7ms], took_millis[1], type[doc], id[s01HZ2QBk9jw4gtgaFtn], routing[], source[\n{\n \"@timestamp\":\"2018-07-04T21:27:30.730Z\",\n \"metricset\":{\n \"name\":\"network\",\n \"module\":\"system\",\n \"rtt\":7264},\n \"system\":{\n \"network\":{\n \"name\":\"lo0\",\n \"in\":{\n \"errors\":0,\n \"dropped\":0,\n \"bytes\":77666873,\n \"packets\":244595},\n \"out\":{\n \"packets\":244595,\n \"bytes\":77666873,\n \"errors\":0,\n \"dropped\":0\n }\n }\n },\n \"beat\":{\n \"name\":\"Rados-MacBook-Pro.local\",\n \"hostname\":\"Rados-MacBook-Pro.local\",\n \"version\":\"6.3.0\"\n },\n \"host\":{\n \"name\":\"Rados-MacBook-Pro.local\"\n }\n }]", + ], + "log.level": "INFO", + "log.offset": 4753, + "message": "[2018-07-04T21:51:30,411][INFO ][index.indexing.slowlog.index] [v_VJhjV] [metricbeat-6.3.0-2018.07.04/VLKxBLvUSYuIMKzpacGjRg] took[1.7ms], 
took_millis[1], type[doc], id[s01HZ2QBk9jw4gtgaFtn], routing[], source[\n{\n \"@timestamp\":\"2018-07-04T21:27:30.730Z\",\n \"metricset\":{\n \"name\":\"network\",\n \"module\":\"system\",\n \"rtt\":7264},\n \"system\":{\n \"network\":{\n \"name\":\"lo0\",\n \"in\":{\n \"errors\":0,\n \"dropped\":0,\n \"bytes\":77666873,\n \"packets\":244595},\n \"out\":{\n \"packets\":244595,\n \"bytes\":77666873,\n \"errors\":0,\n \"dropped\":0\n }\n }\n },\n \"beat\":{\n \"name\":\"Rados-MacBook-Pro.local\",\n \"hostname\":\"Rados-MacBook-Pro.local\",\n \"version\":\"6.3.0\"\n },\n \"host\":{\n \"name\":\"Rados-MacBook-Pro.local\"\n }\n }]", "service.name": "elasticsearch" } ] \ No newline at end of file diff --git a/filebeat/module/haproxy/log/test/default.log-expected.json b/filebeat/module/haproxy/log/test/default.log-expected.json index 851fc122fe8..203b6b16c71 100644 --- a/filebeat/module/haproxy/log/test/default.log-expected.json +++ b/filebeat/module/haproxy/log/test/default.log-expected.json 
@@ -1,24 +1,24 @@ [ { - "@timestamp": "2018-09-20T15:42:59.000Z", - "destination.ip": "1.2.3.4", - "destination.port": 5000, - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "haproxy", - "haproxy.client.ip": "1.2.3.4", - "haproxy.frontend_name": "main", - "haproxy.mode": "HTTP", - "haproxy.source": "1.2.3.4", - "input.type": "log", - "log.offset": 0, - "process.name": "haproxy", - "process.pid": 24551, - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.location.lat": 37.751, - "source.geo.location.lon": -97.822, - "source.ip": "1.2.3.4", + "@timestamp": "2018-09-20T15:42:59.000Z", + "destination.ip": "1.2.3.4", + "destination.port": 5000, + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "haproxy", + "haproxy.client.ip": "1.2.3.4", + "haproxy.frontend_name": "main", + "haproxy.mode": "HTTP", + "haproxy.source": "1.2.3.4", + "input.type": "log", + "log.offset": 0, + "process.name": "haproxy", + "process.pid": 24551, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "1.2.3.4", "source.port": 40780 } ] \ No newline at end of file diff --git a/filebeat/module/haproxy/log/test/haproxy.log-expected.json b/filebeat/module/haproxy/log/test/haproxy.log-expected.json index 86ce2ef5030..1b5b3524ab5 100644 --- a/filebeat/module/haproxy/log/test/haproxy.log-expected.json +++ b/filebeat/module/haproxy/log/test/haproxy.log-expected.json 
@@ -1,44 +1,44 @@ [ { - "@timestamp": "2018-07-30T09:03:52.726Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "haproxy", - "haproxy.backend_name": "docs_microservice", - "haproxy.backend_queue": 0, - "haproxy.bytes_read": 168, - "haproxy.client.ip": "1.2.3.4", - "haproxy.connection_wait_time_ms": 1, - "haproxy.connections.active": 6, - "haproxy.connections.backend": 0, - "haproxy.connections.frontend": 6, - "haproxy.connections.retries": 0, - "haproxy.connections.server": 0, - "haproxy.frontend_name": "incoming~", - "haproxy.http.request.captured_cookie": "-", + "@timestamp": "2018-07-30T09:03:52.726Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "haproxy", + "haproxy.backend_name": "docs_microservice", + "haproxy.backend_queue": 0, + "haproxy.bytes_read": 168, + "haproxy.client.ip": "1.2.3.4", + "haproxy.connection_wait_time_ms": 1, + "haproxy.connections.active": 6, + "haproxy.connections.backend": 0, + "haproxy.connections.frontend": 6, + "haproxy.connections.retries": 0, + "haproxy.connections.server": 0, + "haproxy.frontend_name": "incoming~", + "haproxy.http.request.captured_cookie": "-", "haproxy.http.request.captured_headers": [ "docs.example.internal" - ], - "haproxy.http.request.raw_request_line": "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1", - "haproxy.http.request.time_active_ms": 2, - "haproxy.http.request.time_wait_ms": 0, - "haproxy.http.request.time_wait_without_data_ms": 0, - "haproxy.http.response.captured_cookie": "-", - "haproxy.http.response.captured_headers": [], - "haproxy.http.response.status_code": 304, - "haproxy.server_name": "docs", - "haproxy.server_queue": 0, - "haproxy.termination_state": "----", - "haproxy.total_waiting_time_ms": 0, - "input.type": "log", - "log.offset": 0, - "process.name": "haproxy", - "process.pid": 32450, - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.location.lat": 
37.751, - "source.geo.location.lon": -97.822, - "source.ip": "1.2.3.4", + ], + "haproxy.http.request.raw_request_line": "GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1", + "haproxy.http.request.time_active_ms": 2, + "haproxy.http.request.time_wait_ms": 0, + "haproxy.http.request.time_wait_without_data_ms": 0, + "haproxy.http.response.captured_cookie": "-", + "haproxy.http.response.captured_headers": [], + "haproxy.http.response.status_code": 304, + "haproxy.server_name": "docs", + "haproxy.server_queue": 0, + "haproxy.termination_state": "----", + "haproxy.total_waiting_time_ms": 0, + "input.type": "log", + "log.offset": 0, + "process.name": "haproxy", + "process.pid": 32450, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "1.2.3.4", "source.port": 38862 } ] \ No newline at end of file diff --git a/filebeat/module/haproxy/log/test/tcplog.log-expected.json b/filebeat/module/haproxy/log/test/tcplog.log-expected.json index 8a93566fecd..baff3e338e5 100644 --- a/filebeat/module/haproxy/log/test/tcplog.log-expected.json +++ b/filebeat/module/haproxy/log/test/tcplog.log-expected.json 
@@ -1,31 +1,31 @@ [ { - "@timestamp": "2018-09-20T15:44:23.285Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "haproxy", - "haproxy.backend_name": "app", - "haproxy.backend_queue": 0, - "haproxy.bytes_read": 212, - "haproxy.client.ip": "127.0.0.1", - "haproxy.connection_wait_time_ms": -1, - "haproxy.connections.active": 1, - "haproxy.connections.backend": 0, - "haproxy.connections.frontend": 1, - "haproxy.connections.retries": 0, - "haproxy.connections.server": 0, - "haproxy.frontend_name": "main", - "haproxy.server_name": "", - "haproxy.server_queue": 0, - "haproxy.source": "127.0.0.1", - "haproxy.tcp.processing_time_ms": 0, - "haproxy.termination_state": "SC", - "haproxy.total_waiting_time_ms": -1, - "input.type": "log", - "log.offset": 0, - "process.name": "haproxy", - "process.pid": 25457, - "source.ip": "127.0.0.1", + "@timestamp": "2018-09-20T15:44:23.285Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "haproxy", + "haproxy.backend_name": "app", + "haproxy.backend_queue": 0, + "haproxy.bytes_read": 212, + "haproxy.client.ip": "127.0.0.1", + "haproxy.connection_wait_time_ms": -1, + "haproxy.connections.active": 1, + "haproxy.connections.backend": 0, + "haproxy.connections.frontend": 1, + "haproxy.connections.retries": 0, + "haproxy.connections.server": 0, + "haproxy.frontend_name": "main", + "haproxy.server_name": "", + "haproxy.server_queue": 0, + "haproxy.source": "127.0.0.1", + "haproxy.tcp.processing_time_ms": 0, + "haproxy.termination_state": "SC", + "haproxy.total_waiting_time_ms": -1, + "input.type": "log", + "log.offset": 0, + "process.name": "haproxy", + "process.pid": 25457, + "source.ip": "127.0.0.1", "source.port": 40962 } ] \ No newline at end of file diff --git a/filebeat/module/icinga/debug/test/test.log-expected.json b/filebeat/module/icinga/debug/test/test.log-expected.json index c63ebfb394d..b60f9810f9f 100644 --- a/filebeat/module/icinga/debug/test/test.log-expected.json 
+++ b/filebeat/module/icinga/debug/test/test.log-expected.json 
@@ -1,35 +1,35 @@ [ { - "@timestamp": "2017-04-04T11:43:09.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "debug", - "event.module": "icinga", - "icinga.debug.facility": "GraphiteWriter", - "input.type": "log", - "log.level": "debug", - "log.offset": 0, + "@timestamp": "2017-04-04T11:43:09.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "debug", + "event.module": "icinga", + "icinga.debug.facility": "GraphiteWriter", + "input.type": "log", + "log.level": "debug", + "log.offset": 0, "message": "Add to metric list:'icinga2.demo.services.procs.procs.perfdata.procs.warn 250 1491306189'." - }, + }, { - "@timestamp": "2017-04-04T11:43:09.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "debug", - "event.module": "icinga", - "icinga.debug.facility": "IdoMysqlConnection", - "input.type": "log", - "log.level": "debug", - "log.offset": 141, + "@timestamp": "2017-04-04T11:43:09.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "debug", + "event.module": "icinga", + "icinga.debug.facility": "IdoMysqlConnection", + "input.type": "log", + "log.level": "debug", + "log.offset": 141, "message": "Query: UPDATE icinga_servicestatus SET acknowledgement_type = '0', active_checks_enabled = '1', check_command = 'mysql_health', check_source = 'demo', check_type = '0', current_check_attempt = '1', current_notification_number = '180', current_state = '2', endpoint_object_id = 242, event_handler = '', event_handler_enabled = '1', execution_time = '0.355594', flap_detection_enabled = '0', has_been_checked = '1', instance_id = 1, is_flapping = '0', is_reachable = '1', last_check = FROM_UNIXTIME(1491306189), last_hard_state = '2', last_hard_state_change = FROM_UNIXTIME(1491290599), last_notification = FROM_UNIXTIME(1491304989), last_state_change = FROM_UNIXTIME(1491290599), last_time_critical = FROM_UNIXTIME(1491306189), last_time_unknown = FROM_UNIXTIME(1491290589), latency = '0.001466', long_output = '', max_check_attempts = '5', next_check = 
FROM_UNIXTIME(1491306198), next_notification = FROM_UNIXTIME(1491306789), normal_check_interval = '0.166667', notifications_enabled = '1', original_attributes = 'null', output = 'CRITICAL - cannot connect to information_schema. Access denied for user \\'test1\\'@\\'blerims-mbp.int.netways.de\\' (using password: YES)', passive_checks_enabled = '1', percent_state_change = '0', perfdata = '', problem_has_been_acknowledged = '0', process_performance_data = '1', retry_check_interval = '0.166667', scheduled_downtime_depth = '0', service_object_id = 333, should_be_scheduled = '1', state_type = '1', status_update_time = FROM_UNIXTIME(1491306189) WHERE service_object_id = 333" - }, + }, { - "@timestamp": "2017-04-04T11:43:11.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "debug", - "event.module": "icinga", - "icinga.debug.facility": "Process", - "input.type": "log", - "log.level": "notice", - "log.offset": 1763, + "@timestamp": "2017-04-04T11:43:11.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "debug", + "event.module": "icinga", + "icinga.debug.facility": "Process", + "input.type": "log", + "log.level": "notice", + "log.offset": 1763, "message": "Running command '/usr/lib/nagios/plugins/check_ping' '-H' 'mysql.icinga.com' '-c' '5000,100%' '-w' '3000,80%': PID 8288" } ] \ No newline at end of file diff --git a/filebeat/module/icinga/main/test/test.log-expected.json b/filebeat/module/icinga/main/test/test.log-expected.json index d1ffcdb0a27..18c0b3de1cd 100644 --- a/filebeat/module/icinga/main/test/test.log-expected.json +++ b/filebeat/module/icinga/main/test/test.log-expected.json 
@@ -1,38 +1,38 @@ [ { - "@timestamp": "2017-04-04T09:16:34.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "main", - "event.module": "icinga", - "icinga.main.facility": "Notification", - "input.type": "log", - "log.level": "information", - "log.offset": 0, + "@timestamp": "2017-04-04T09:16:34.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "main", + "event.module": "icinga", + "icinga.main.facility": "Notification", + "input.type": "log", + "log.level": "information", + "log.offset": 0, "message": "Sending 'Recovery' notification 'demo!load!mail-icingaadmin for user 'on-call'" - }, + }, { - "@timestamp": "2017-04-04T09:16:34.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "main", - "event.module": "icinga", - "icinga.main.facility": "PluginNotificationTask", - "input.type": "log", + "@timestamp": "2017-04-04T09:16:34.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "main", + "event.module": "icinga", + "icinga.main.facility": "PluginNotificationTask", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "warning", - "log.offset": 133, + ], + "log.level": "warning", + "log.offset": 133, "message": "Notification command for object 'demo!load' (PID: 19401, arguments: '/etc/icinga2/scripts/mail-service-notification.sh') terminated with exit code 127, output: /etc/icinga2/scripts/mail-service-notification.sh: 20: /etc/icinga2/scripts/mail-service-notification.sh: mail: not found\n/usr/bin/printf: write error: Broken pipe\n" - }, + }, { - "@timestamp": "2017-04-04T09:16:48.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "main", - "event.module": "icinga", - "icinga.main.facility": "IdoMysqlConnection", - "input.type": "log", - "log.level": "information", - "log.offset": 518, + "@timestamp": "2017-04-04T09:16:48.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "main", + "event.module": "icinga", + "icinga.main.facility": "IdoMysqlConnection", + "input.type": "log", + "log.level": "information", + 
"log.offset": 518, "message": "Query queue items: 0, query rate: 5.38333/s (323/min 1610/5min 4778/15min);" } ] \ No newline at end of file diff --git a/filebeat/module/icinga/startup/test/test.log-expected.json b/filebeat/module/icinga/startup/test/test.log-expected.json index 9c7fca5d376..59d67ed14ec 100644 --- a/filebeat/module/icinga/startup/test/test.log-expected.json +++ b/filebeat/module/icinga/startup/test/test.log-expected.json @@ -1,22 +1,22 @@ [ { - "ecs.version": "1.0.0-beta2", - "event.dataset": "startup", - "event.module": "icinga", - "icinga.startup.facility": "cli", - "input.type": "log", - "log.level": "information", - "log.offset": 0, + "ecs.version": "1.0.0-beta2", + "event.dataset": "startup", + "event.module": "icinga", + "icinga.startup.facility": "cli", + "input.type": "log", + "log.level": "information", + "log.offset": 0, "message": "Icinga application loader (version: r2.6.3-1)" - }, + }, { - "ecs.version": "1.0.0-beta2", - "event.dataset": "startup", - "event.module": "icinga", - "icinga.startup.facility": "cli", - "input.type": "log", - "log.level": "information", - "log.offset": 63, + "ecs.version": "1.0.0-beta2", + "event.dataset": "startup", + "event.module": "icinga", + "icinga.startup.facility": "cli", + "input.type": "log", + "log.level": "information", + "log.offset": 63, "message": "Loading configuration file(s)." } ] \ No newline at end of file diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index 47118807d4e..340d17e0d29 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json 
@@ -1,111 +1,111 @@ [ { - "@timestamp": "2018-01-01T08:09:10.000Z", - "destination.ip": "127.0.0.1", - "destination.port": 80, - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "iis", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 200, - "iis.access.request_time_ms": 123, - "iis.access.sub_status": 0, - "iis.access.win32_status": 0, - "input.type": "log", - "log.offset": 257, - "source.geo.city_name": "Berlin", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.location.lat": 52.4908, - "source.geo.location.lon": 13.3275, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", - "url.path": "/", - "url.query": "q=100", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "57", - "user_agent.minor": "0", - "user_agent.name": "Firefox", - "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0", - "user_agent.os.full_name": "Windows 7", + "@timestamp": "2018-01-01T08:09:10.000Z", + "destination.ip": "127.0.0.1", + "destination.port": 80, + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "iis", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "iis.access.request_time_ms": 123, + "iis.access.sub_status": 0, + "iis.access.win32_status": 0, + "input.type": "log", + "log.offset": 257, + "source.geo.city_name": "Berlin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 52.4908, + "source.geo.location.lon": 13.3275, + "source.geo.region_iso_code": "DE-BE", + "source.geo.region_name": "Land Berlin", + "source.ip": "85.181.35.98", + "url.path": "/", + "url.query": "q=100", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "57", + "user_agent.minor": "0", + 
"user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0", + "user_agent.os.full_name": "Windows 7", "user_agent.os.name": "Windows 7" - }, + }, { - "@timestamp": "2018-01-01T09:10:11.000Z", - "destination.domain": "example.com", - "destination.port": 80, - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "iis", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 200, - "iis.access.body_received.bytes": 456, - "iis.access.body_sent.bytes": 123, - "iis.access.cookie": "-", - "iis.access.request_time_ms": 789, - "iis.access.site_name": "W3SVC1", - "iis.access.sub_status": 0, - "iis.access.win32_status": 0, - "input.type": "log", - "log.offset": 709, - "source.ip": "127.0.0.1", - "url.path": "/", - "url.query": "-", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "57", - "user_agent.minor": "0", - "user_agent.name": "Firefox", - "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0", - "user_agent.os.full_name": "Windows 7", + "@timestamp": "2018-01-01T09:10:11.000Z", + "destination.domain": "example.com", + "destination.port": 80, + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "iis", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "iis.access.body_received.bytes": 456, + "iis.access.body_sent.bytes": 123, + "iis.access.cookie": "-", + "iis.access.request_time_ms": 789, + "iis.access.site_name": "W3SVC1", + "iis.access.sub_status": 0, + "iis.access.win32_status": 0, + "input.type": "log", + "log.offset": 709, + "source.ip": "127.0.0.1", + "url.path": "/", + "url.query": "-", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "57", + "user_agent.minor": "0", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; 
Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0", + "user_agent.os.full_name": "Windows 7", "user_agent.os.name": "Windows 7" - }, + }, { - "@timestamp": "2018-01-01T10:11:12.000Z", - "destination.domain": "example.com", - "destination.ip": "127.0.0.1", - "destination.port": 80, - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "iis", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 200, - "http.version": "1.1", - "iis.access.body_received.bytes": 456, - "iis.access.body_sent.bytes": 123, - "iis.access.cookie": "-", - "iis.access.request_time_ms": 789, - "iis.access.server_name": "MACHINE-NAME", - "iis.access.site_name": "W3SVC1", - "iis.access.sub_status": 0, - "iis.access.win32_status": 0, - "input.type": "log", - "log.offset": 1204, - "source.geo.city_name": "Berlin", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.location.lat": 52.4908, - "source.geo.location.lon": 13.3275, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", - "url.path": "/", - "url.query": "-", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "70", - "user_agent.minor": "0", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", - "user_agent.os.full_name": "Mac OS X 10.14.0", - "user_agent.os.major": "10", - "user_agent.os.minor": "14", - "user_agent.os.name": "Mac OS X", + "@timestamp": "2018-01-01T10:11:12.000Z", + "destination.domain": "example.com", + "destination.ip": "127.0.0.1", + "destination.port": 80, + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "iis", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "http.version": "1.1", + "iis.access.body_received.bytes": 456, + 
"iis.access.body_sent.bytes": 123, + "iis.access.cookie": "-", + "iis.access.request_time_ms": 789, + "iis.access.server_name": "MACHINE-NAME", + "iis.access.site_name": "W3SVC1", + "iis.access.sub_status": 0, + "iis.access.win32_status": 0, + "input.type": "log", + "log.offset": 1204, + "source.geo.city_name": "Berlin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 52.4908, + "source.geo.location.lon": 13.3275, + "source.geo.region_iso_code": "DE-BE", + "source.geo.region_name": "Land Berlin", + "source.ip": "85.181.35.98", + "url.path": "/", + "url.query": "-", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "70", + "user_agent.minor": "0", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", + "user_agent.os.full_name": "Mac OS X 10.14.0", + "user_agent.os.major": "10", + "user_agent.os.minor": "14", + "user_agent.os.name": "Mac OS X", "user_agent.patch": "3538" } ] \ No newline at end of file diff --git a/filebeat/module/iis/error/test/test.log-expected.json b/filebeat/module/iis/error/test/test.log-expected.json index a241bef8b42..5c3354bdb8f 100644 --- a/filebeat/module/iis/error/test/test.log-expected.json +++ b/filebeat/module/iis/error/test/test.log-expected.json 
@@ -1,91 +1,91 @@ [ { - "@timestamp": "2018-01-01T08:09:10.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "iis", - "iis.error.http_version": "1.1", - "iis.error.method": "GET", - "iis.error.queue_name": "-", - "iis.error.reason_phrase": "ConnLimit", - "iis.error.remote_ip": "172.31.77.6", - "iis.error.remote_port": "2094", - "iis.error.response_code": "503", - "iis.error.server_ip": "172.31.77.6", - "iis.error.server_port": "80", - "iis.error.url": "/qos/1kbfile.txt", - "input.type": "log", + "@timestamp": "2018-01-01T08:09:10.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "error", + "event.module": "iis", + "iis.error.http_version": "1.1", + "iis.error.method": "GET", + "iis.error.queue_name": "-", + "iis.error.reason_phrase": "ConnLimit", + "iis.error.remote_ip": "172.31.77.6", + "iis.error.remote_port": "2094", + "iis.error.response_code": "503", + "iis.error.server_ip": "172.31.77.6", + "iis.error.server_port": "80", + "iis.error.url": "/qos/1kbfile.txt", + "input.type": "log", "log.offset": 186 - }, + }, { - "@timestamp": "2018-01-01T09:10:11.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "iis", - "iis.error.geoip.city_name": "Berlin", - "iis.error.geoip.continent_name": "Europe", - "iis.error.geoip.country_iso_code": "DE", - "iis.error.geoip.location.lat": 52.4908, - "iis.error.geoip.location.lon": 13.3275, - "iis.error.geoip.region_iso_code": "DE-BE", - "iis.error.geoip.region_name": "Land Berlin", - "iis.error.http_version": "1.1", - "iis.error.method": "GET", - "iis.error.queue_name": "-", - "iis.error.reason_phrase": "Hostname", - "iis.error.remote_ip": "85.181.35.98", - "iis.error.remote_port": "2780", - "iis.error.response_code": "400", - "iis.error.server_ip": "127.0.0.1", - "iis.error.server_port": "80", - "iis.error.url": "/ThisIsMyUrl.htm", - "input.type": "log", + "@timestamp": "2018-01-01T09:10:11.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": 
"error", + "event.module": "iis", + "iis.error.geoip.city_name": "Berlin", + "iis.error.geoip.continent_name": "Europe", + "iis.error.geoip.country_iso_code": "DE", + "iis.error.geoip.location.lat": 52.4908, + "iis.error.geoip.location.lon": 13.3275, + "iis.error.geoip.region_iso_code": "DE-BE", + "iis.error.geoip.region_name": "Land Berlin", + "iis.error.http_version": "1.1", + "iis.error.method": "GET", + "iis.error.queue_name": "-", + "iis.error.reason_phrase": "Hostname", + "iis.error.remote_ip": "85.181.35.98", + "iis.error.remote_port": "2780", + "iis.error.response_code": "400", + "iis.error.server_ip": "127.0.0.1", + "iis.error.server_port": "80", + "iis.error.url": "/ThisIsMyUrl.htm", + "input.type": "log", "log.offset": 286 - }, + }, { - "@timestamp": "2018-01-01T10:11:12.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "iis", - "iis.error.geoip.city_name": "Berlin", - "iis.error.geoip.continent_name": "Europe", - "iis.error.geoip.country_iso_code": "DE", - "iis.error.geoip.location.lat": 52.4908, - "iis.error.geoip.location.lon": 13.3275, - "iis.error.geoip.region_iso_code": "DE-BE", - "iis.error.geoip.region_name": "Land Berlin", - "iis.error.http_version": "2.0", - "iis.error.method": "GET", - "iis.error.queue_name": "-", - "iis.error.reason_phrase": "Version_N/S", - "iis.error.remote_ip": "85.181.35.98", - "iis.error.remote_port": "2894", - "iis.error.response_code": "505", - "iis.error.server_ip": "127.0.0.1", - "iis.error.server_port": "80", - "iis.error.url": "/", - "input.type": "log", + "@timestamp": "2018-01-01T10:11:12.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "error", + "event.module": "iis", + "iis.error.geoip.city_name": "Berlin", + "iis.error.geoip.continent_name": "Europe", + "iis.error.geoip.country_iso_code": "DE", + "iis.error.geoip.location.lat": 52.4908, + "iis.error.geoip.location.lon": 13.3275, + "iis.error.geoip.region_iso_code": "DE-BE", + "iis.error.geoip.region_name": "Land 
Berlin", + "iis.error.http_version": "2.0", + "iis.error.method": "GET", + "iis.error.queue_name": "-", + "iis.error.reason_phrase": "Version_N/S", + "iis.error.remote_ip": "85.181.35.98", + "iis.error.remote_port": "2894", + "iis.error.response_code": "505", + "iis.error.server_ip": "127.0.0.1", + "iis.error.server_port": "80", + "iis.error.url": "/", + "input.type": "log", "log.offset": 384 - }, + }, { - "@timestamp": "2018-01-01T11:12:13.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "iis", - "iis.error.geoip.city_name": "Berlin", - "iis.error.geoip.continent_name": "Europe", - "iis.error.geoip.country_iso_code": "DE", - "iis.error.geoip.location.lat": 52.4908, - "iis.error.geoip.location.lon": 13.3275, - "iis.error.geoip.region_iso_code": "DE-BE", - "iis.error.geoip.region_name": "Land Berlin", - "iis.error.queue_name": "-", - "iis.error.reason_phrase": "Timer_MinBytesPerSecond", - "iis.error.remote_ip": "85.181.35.98", - "iis.error.remote_port": "64388", - "iis.error.server_ip": "127.0.0.1", - "iis.error.server_port": "80", - "input.type": "log", + "@timestamp": "2018-01-01T11:12:13.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "error", + "event.module": "iis", + "iis.error.geoip.city_name": "Berlin", + "iis.error.geoip.continent_name": "Europe", + "iis.error.geoip.country_iso_code": "DE", + "iis.error.geoip.location.lat": 52.4908, + "iis.error.geoip.location.lon": 13.3275, + "iis.error.geoip.region_iso_code": "DE-BE", + "iis.error.geoip.region_name": "Land Berlin", + "iis.error.queue_name": "-", + "iis.error.reason_phrase": "Timer_MinBytesPerSecond", + "iis.error.remote_ip": "85.181.35.98", + "iis.error.remote_port": "64388", + "iis.error.server_ip": "127.0.0.1", + "iis.error.server_port": "80", + "input.type": "log", "log.offset": 470 } ] \ No newline at end of file 
diff --git a/filebeat/module/kafka/log/test/controller.log-expected.json b/filebeat/module/kafka/log/test/controller.log-expected.json
index 2c44ad28b94..56e106db1ec 100644
--- a/filebeat/module/kafka/log/test/controller.log-expected.json
+++ b/filebeat/module/kafka/log/test/controller.log-expected.json
@@ -1,242 +1,242 @@ [ { - "@timestamp": "2017-08-04T10:48:21.048Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.ControllerEventManager$ControllerEventThread", - "kafka.log.component": "controller-event-thread", - "log.level": "INFO", - "log.offset": 0, + "@timestamp": "2017-08-04T10:48:21.048Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.ControllerEventManager$ControllerEventThread", + "kafka.log.component": "controller-event-thread", + "log.level": "INFO", + "log.offset": 0, "message": "Starting" - }, - { - "@timestamp": "2017-08-04T10:48:21.063Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.KafkaController", - "kafka.log.component": "Controller 0", - "log.level": "INFO", - "log.offset": 131, + }, + { + "@timestamp": "2017-08-04T10:48:21.063Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller 0", + "log.level": "INFO", + "log.offset": 131, "message": "0 successfully elected as the controller" - }, - { - "@timestamp": "2017-08-04T10:48:21.064Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.KafkaController", - "kafka.log.component": "Controller 0", - "log.level": "INFO", - "log.offset": 254, + }, + { + "@timestamp": "2017-08-04T10:48:21.064Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller 0", + "log.level": "INFO", + "log.offset": 254, "message": "Broker 0 
starting become controller state transition" - }, - { - "@timestamp": "2017-08-04T10:48:21.082Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.KafkaController", - "kafka.log.component": "Controller 0", - "log.level": "INFO", - "log.offset": 389, + }, + { + "@timestamp": "2017-08-04T10:48:21.082Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller 0", + "log.level": "INFO", + "log.offset": 389, "message": "Controller 0 incremented epoch to 1" - }, - { - "@timestamp": "2017-08-04T10:48:21.085Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.KafkaController", - "kafka.log.component": "Controller 0", - "log.level": "DEBUG", - "log.offset": 507, + }, + { + "@timestamp": "2017-08-04T10:48:21.085Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller 0", + "log.level": "DEBUG", + "log.offset": 507, "message": "Registering IsrChangeNotificationListener" - }, - { - "@timestamp": "2017-08-04T10:48:21.154Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.ReplicaStateMachine", - "kafka.log.component": "Replica state machine on controller 0", - "log.level": "INFO", - "log.offset": 632, + }, + { + "@timestamp": "2017-08-04T10:48:21.154Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.ReplicaStateMachine", + "kafka.log.component": "Replica state machine on controller 0", + "log.level": 
"INFO", + "log.offset": 632, "message": "Started replica state machine with initial state -> Map()" - }, - { - "@timestamp": "2017-08-04T10:48:21.156Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.PartitionStateMachine", - "kafka.log.component": "Partition state machine on Controller 0", - "log.level": "INFO", - "log.offset": 801, + }, + { + "@timestamp": "2017-08-04T10:48:21.156Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.PartitionStateMachine", + "kafka.log.component": "Partition state machine on Controller 0", + "log.level": "INFO", + "log.offset": 801, "message": "Started partition state machine with initial state -> Map()" - }, - { - "@timestamp": "2017-08-04T10:48:21.157Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.KafkaController", - "kafka.log.component": "Controller 0", - "log.level": "INFO", - "log.offset": 976, + }, + { + "@timestamp": "2017-08-04T10:48:21.157Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller 0", + "log.level": "INFO", + "log.offset": 976, "message": "Broker 0 is ready to serve as the new controller with epoch 1" - }, - { - "@timestamp": "2017-08-04T10:48:21.165Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.PartitionStateMachine", - "kafka.log.component": "Partition state machine on Controller 0", - "log.level": "INFO", - "log.offset": 1120, + }, + { + "@timestamp": "2017-08-04T10:48:21.165Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": 
"kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.PartitionStateMachine", + "kafka.log.component": "Partition state machine on Controller 0", + "log.level": "INFO", + "log.offset": 1120, "message": "Invoking state change to OnlinePartition for partitions " - }, - { - "@timestamp": "2017-08-04T11:44:22.588Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.KafkaController", - "kafka.log.component": "Controller 0", - "log.level": "DEBUG", - "log.offset": 1292, + }, + { + "@timestamp": "2017-08-04T11:44:22.588Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller 0", + "log.level": "DEBUG", + "log.offset": 1292, "message": "Live brokers: " - }, - { - "@timestamp": "2017-08-04T11:44:25.094Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.ControllerEventManager$ControllerEventThread", - "kafka.log.component": "controller-event-thread", - "log.level": "INFO", - "log.offset": 1390, + }, + { + "@timestamp": "2017-08-04T11:44:25.094Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.ControllerEventManager$ControllerEventThread", + "kafka.log.component": "controller-event-thread", + "log.level": "INFO", + "log.offset": 1390, "message": "Shutting down" - }, - { - "@timestamp": "2017-08-04T11:44:25.095Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.ControllerEventManager$ControllerEventThread", - "kafka.log.component": "controller-event-thread", - "log.level": "INFO", - "log.offset": 1526, + }, + { + "@timestamp": 
"2017-08-04T11:44:25.095Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.ControllerEventManager$ControllerEventThread", + "kafka.log.component": "controller-event-thread", + "log.level": "INFO", + "log.offset": 1526, "message": "Stopped" - }, - { - "@timestamp": "2017-08-04T11:44:25.097Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.ControllerEventManager$ControllerEventThread", - "kafka.log.component": "controller-event-thread", - "log.level": "INFO", - "log.offset": 1656, + }, + { + "@timestamp": "2017-08-04T11:44:25.097Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.ControllerEventManager$ControllerEventThread", + "kafka.log.component": "controller-event-thread", + "log.level": "INFO", + "log.offset": 1656, "message": "Shutdown completed" - }, - { - "@timestamp": "2017-08-04T11:44:25.099Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.KafkaController", - "kafka.log.component": "Controller 0", - "log.level": "DEBUG", - "log.offset": 1797, + }, + { + "@timestamp": "2017-08-04T11:44:25.099Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller 0", + "log.level": "DEBUG", + "log.offset": 1797, "message": "Controller resigning, broker id 0" - }, - { - "@timestamp": "2017-08-04T11:44:25.100Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.KafkaController", - "kafka.log.component": "Controller 0", - "log.level": "DEBUG", 
- "log.offset": 1914, + }, + { + "@timestamp": "2017-08-04T11:44:25.100Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller 0", + "log.level": "DEBUG", + "log.offset": 1914, "message": "De-registering IsrChangeNotificationListener" - }, - { - "@timestamp": "2017-08-04T11:44:25.105Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.PartitionStateMachine", - "kafka.log.component": "Partition state machine on Controller 0", - "log.level": "INFO", - "log.offset": 2042, + }, + { + "@timestamp": "2017-08-04T11:44:25.105Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.PartitionStateMachine", + "kafka.log.component": "Partition state machine on Controller 0", + "log.level": "INFO", + "log.offset": 2042, "message": "Stopped partition state machine" - }, - { - "@timestamp": "2017-08-04T11:44:25.111Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.ReplicaStateMachine", - "kafka.log.component": "Replica state machine on controller 0", - "log.level": "INFO", - "log.offset": 2189, + }, + { + "@timestamp": "2017-08-04T11:44:25.111Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.ReplicaStateMachine", + "kafka.log.component": "Replica state machine on controller 0", + "log.level": "INFO", + "log.offset": 2189, "message": "Stopped replica state machine" - }, - { - "@timestamp": "2017-08-04T11:44:25.112Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": 
"kafka.controller.RequestSendThread", - "kafka.log.component": "Controller-0-to-broker-0-send-thread", - "log.level": "INFO", - "log.offset": 2330, + }, + { + "@timestamp": "2017-08-04T11:44:25.112Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.RequestSendThread", + "kafka.log.component": "Controller-0-to-broker-0-send-thread", + "log.level": "INFO", + "log.offset": 2330, "message": "Shutting down" - }, - { - "@timestamp": "2017-08-04T11:44:25.112Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.RequestSendThread", - "kafka.log.component": "Controller-0-to-broker-0-send-thread", - "log.level": "INFO", - "log.offset": 2452, + }, + { + "@timestamp": "2017-08-04T11:44:25.112Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.RequestSendThread", + "kafka.log.component": "Controller-0-to-broker-0-send-thread", + "log.level": "INFO", + "log.offset": 2452, "message": "Stopped" - }, - { - "@timestamp": "2017-08-04T11:44:25.113Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.controller.RequestSendThread", - "kafka.log.component": "Controller-0-to-broker-0-send-thread", - "log.level": "INFO", - "log.offset": 2568, + }, + { + "@timestamp": "2017-08-04T11:44:25.113Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.controller.RequestSendThread", + "kafka.log.component": "Controller-0-to-broker-0-send-thread", + "log.level": "INFO", + "log.offset": 2568, "message": "Shutdown completed" } ] \ No newline at end of file 
diff --git a/filebeat/module/kafka/log/test/server.log-expected.json b/filebeat/module/kafka/log/test/server.log-expected.json index 554904189ec..add3334b64a 100644 --- a/filebeat/module/kafka/log/test/server.log-expected.json +++ b/filebeat/module/kafka/log/test/server.log-expected.json 
@@ -1,242 +1,242 @@ [ { - "@timestamp": "2017-08-04T10:48:20.377Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.server.KafkaServer", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 0, + "@timestamp": "2017-08-04T10:48:20.377Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.server.KafkaServer", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 0, "message": "starting" - }, - { - "@timestamp": "2017-08-04T10:48:20.379Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.server.KafkaServer", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 67, + }, + { + "@timestamp": "2017-08-04T10:48:20.379Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.server.KafkaServer", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 67, "message": "Connecting to zookeeper on localhost:2181" - }, - { - "@timestamp": "2017-08-04T10:48:20.400Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "org.apache.zookeeper.ZooKeeper", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 167, + }, + { + "@timestamp": "2017-08-04T10:48:20.400Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "org.apache.zookeeper.ZooKeeper", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 167, "message": "Client environment:java.io.tmpdir=/tmp" - }, - { - "@timestamp": "2017-08-04T10:48:20.400Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - 
"event.module": "kafka", - "input.type": "log", - "kafka.log.class": "org.apache.zookeeper.ZooKeeper", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 270, + }, + { + "@timestamp": "2017-08-04T10:48:20.400Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "org.apache.zookeeper.ZooKeeper", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 270, "message": "Client environment:java.compiler=" - }, - { - "@timestamp": "2017-08-04T10:48:20.401Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "org.apache.zookeeper.ZooKeeper", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 372, + }, + { + "@timestamp": "2017-08-04T10:48:20.401Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "org.apache.zookeeper.ZooKeeper", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 372, "message": "Initiating client connection, connectString=localhost:2181 sessionTimeout=6000 watcher=org.I0Itec.zkclient.ZkClient@5ffead27" - }, - { - "@timestamp": "2017-08-04T10:48:20.413Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "org.I0Itec.zkclient.ZkClient", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 561, + }, + { + "@timestamp": "2017-08-04T10:48:20.413Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "org.I0Itec.zkclient.ZkClient", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 561, "message": "Waiting for keeper state SyncConnected" - }, - { - "@timestamp": "2017-08-04T10:48:20.415Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": 
"log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "org.apache.zookeeper.ClientCnxn", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 662, + }, + { + "@timestamp": "2017-08-04T10:48:20.415Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "org.apache.zookeeper.ClientCnxn", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 662, "message": "Opening socket connection to server localhost/0:0:0:0:0:0:0:1:2181. Will not attempt to authenticate using SASL (unknown error)" - }, - { - "@timestamp": "2017-08-04T10:48:20.420Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "org.apache.zookeeper.ClientCnxn", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 855, + }, + { + "@timestamp": "2017-08-04T10:48:20.420Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "org.apache.zookeeper.ClientCnxn", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 855, "message": "Socket connection established to localhost/0:0:0:0:0:0:0:1:2181, initiating session" - }, - { - "@timestamp": "2017-08-04T10:48:20.457Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "org.apache.zookeeper.ClientCnxn", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 1004, + }, + { + "@timestamp": "2017-08-04T10:48:20.457Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "org.apache.zookeeper.ClientCnxn", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 1004, "message": "Session establishment complete on server 
localhost/0:0:0:0:0:0:0:1:2181, sessionid = 0x15dabf8d4140000, negotiated timeout = 6000" - }, - { - "@timestamp": "2017-08-04T10:48:20.458Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "org.I0Itec.zkclient.ZkClient", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 1199, + }, + { + "@timestamp": "2017-08-04T10:48:20.458Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "org.I0Itec.zkclient.ZkClient", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 1199, "message": "zookeeper state changed (SyncConnected)" - }, - { - "@timestamp": "2017-08-04T10:48:20.748Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.server.BrokerMetadataCheckpoint", - "kafka.log.component": "unknown", - "log.level": "WARN", - "log.offset": 1301, + }, + { + "@timestamp": "2017-08-04T10:48:20.748Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.server.BrokerMetadataCheckpoint", + "kafka.log.component": "unknown", + "log.level": "WARN", + "log.offset": 1301, "message": "No meta.properties file under dir /tmp/kafka-logs/meta.properties" - }, - { - "@timestamp": "2017-08-04T10:48:20.800Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.server.ClientQuotaManager$ThrottledRequestReaper", - "kafka.log.component": "ThrottledRequestReaper-Fetch", - "log.level": "INFO", - "log.offset": 1438, + }, + { + "@timestamp": "2017-08-04T10:48:20.800Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": 
"kafka.server.ClientQuotaManager$ThrottledRequestReaper", + "kafka.log.component": "ThrottledRequestReaper-Fetch", + "log.level": "INFO", + "log.offset": 1438, "message": "Starting" - }, - { - "@timestamp": "2017-08-04T10:48:20.866Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.log.LogManager", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 1567, + }, + { + "@timestamp": "2017-08-04T10:48:20.866Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.log.LogManager", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 1567, "message": "Log directory '/tmp/kafka-logs' not found, creating it." - }, - { - "@timestamp": "2017-08-04T10:48:20.873Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.log.LogManager", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 1677, + }, + { + "@timestamp": "2017-08-04T10:48:20.873Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.log.LogManager", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 1677, "message": "Loading logs." 
- }, - { - "@timestamp": "2017-08-04T10:48:21.062Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.server.DelayedOperationPurgatory$ExpiredOperationReaper", - "kafka.log.component": "ExpirationReaper-0-Heartbeat", - "log.level": "INFO", - "log.offset": 1745, + }, + { + "@timestamp": "2017-08-04T10:48:21.062Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.server.DelayedOperationPurgatory$ExpiredOperationReaper", + "kafka.log.component": "ExpirationReaper-0-Heartbeat", + "log.level": "INFO", + "log.offset": 1745, "message": "Starting" - }, - { - "@timestamp": "2017-08-04T10:48:21.063Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.utils.ZKCheckedEphemeral", - "kafka.log.component": "unknown", - "log.level": "INFO", - "log.offset": 1881, + }, + { + "@timestamp": "2017-08-04T10:48:21.063Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.utils.ZKCheckedEphemeral", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 1881, "message": "Result of znode creation is: OK" - }, - { - "@timestamp": "2017-08-04T10:48:21.095Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.coordinator.group.GroupMetadataManager", - "kafka.log.component": "Group Metadata Manager on Broker 0", - "log.level": "INFO", - "log.offset": 1977, + }, + { + "@timestamp": "2017-08-04T10:48:21.095Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.group.GroupMetadataManager", + "kafka.log.component": "Group Metadata Manager on Broker 0", + 
"log.level": "INFO", + "log.offset": 1977, "message": "Removed 0 expired offsets in 1 milliseconds." - }, - { - "@timestamp": "2017-08-04T10:48:21.127Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.coordinator.transaction.ProducerIdManager", - "kafka.log.component": "ProducerId Manager 0", - "log.level": "INFO", - "log.offset": 2138, + }, + { + "@timestamp": "2017-08-04T10:48:21.127Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.transaction.ProducerIdManager", + "kafka.log.component": "ProducerId Manager 0", + "log.level": "INFO", + "log.offset": 2138, "message": "Acquired new producerId block (brokerId:0,blockStartProducerId:0,blockEndProducerId:999) by writing to Zk with path version 1" - }, - { - "@timestamp": "2017-08-04T10:48:21.162Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.coordinator.transaction.TransactionCoordinator", - "kafka.log.component": "Transaction Coordinator 0", - "log.level": "INFO", - "log.offset": 2369, + }, + { + "@timestamp": "2017-08-04T10:48:21.162Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.transaction.TransactionCoordinator", + "kafka.log.component": "Transaction Coordinator 0", + "log.level": "INFO", + "log.offset": 2369, "message": "Starting up." 
- }, - { - "@timestamp": "2017-08-04T10:48:21.167Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "kafka.coordinator.transaction.TransactionMarkerChannelManager", - "kafka.log.component": "Transaction Marker Channel Manager 0", - "log.level": "INFO", - "log.offset": 2497, + }, + { + "@timestamp": "2017-08-04T10:48:21.167Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.transaction.TransactionMarkerChannelManager", + "kafka.log.component": "Transaction Marker Channel Manager 0", + "log.level": "INFO", + "log.offset": 2497, "message": "Starting" } ] \ No newline at end of file diff --git a/filebeat/module/kafka/log/test/state-change-1.1.0.log-expected.json b/filebeat/module/kafka/log/test/state-change-1.1.0.log-expected.json index b2573f1b81d..1b54e7b0e27 100644 --- a/filebeat/module/kafka/log/test/state-change-1.1.0.log-expected.json +++ b/filebeat/module/kafka/log/test/state-change-1.1.0.log-expected.json 
@@ -1,14 +1,14 @@ [ { - "@timestamp": "2018-07-16T10:17:06.489Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "state.change.logger", - "kafka.log.component": "Broker id=30", - "log.level": "TRACE", - "log.offset": 0, + "@timestamp": "2018-07-16T10:17:06.489Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "state.change.logger", + "kafka.log.component": "Broker id=30", + "log.level": "TRACE", + "log.offset": 0, "message": "Cached leader info PartitionState(controllerEpoch=25, leader=-1, leaderEpoch=15, isr=[10], zkVersion=15, replicas=[10], offlineReplicas=[10]) for partition __consumer_offsets-16 in response to UpdateMetadata request sent by controller 20 epoch 25 with correlation id 8" } ] \ No newline at end of file diff --git a/filebeat/module/kafka/log/test/state-change-2.0.0.log-expected.json b/filebeat/module/kafka/log/test/state-change-2.0.0.log-expected.json index 492b52c8659..95b6ff6f974 100644 --- a/filebeat/module/kafka/log/test/state-change-2.0.0.log-expected.json +++ b/filebeat/module/kafka/log/test/state-change-2.0.0.log-expected.json 
@@ -1,17 +1,17 @@ [ { - "@timestamp": "2018-10-31T15:09:30.451Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "state.change.logger", - "kafka.log.component": "Broker id=20", + "@timestamp": "2018-10-31T15:09:30.451Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "state.change.logger", + "kafka.log.component": "Broker id=20", "log.flags": [ "multiline" - ], - "log.level": "TRACE", - "log.offset": 0, + ], + "log.level": "TRACE", + "log.offset": 0, "message": "Cached leader info PartitionState(controllerEpoch=5, leader=20, leaderEpoch=0, isr=[20], zkVersion=0, replicas=[20], offlineReplicas=[]) for partition foo-0 in response to UpdateMetadata request sent by controller 10 epoch 5 with correlation id 146" } ] \ No newline at end of file diff --git a/filebeat/module/kafka/log/test/state-change.log-expected.json b/filebeat/module/kafka/log/test/state-change.log-expected.json index 8edba78af43..be58b89cbb0 100644 --- a/filebeat/module/kafka/log/test/state-change.log-expected.json +++ b/filebeat/module/kafka/log/test/state-change.log-expected.json @@ -1,14 +1,14 @@ [ { - "@timestamp": "2017-08-04T10:48:21.428Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kafka", - "input.type": "log", - "kafka.log.class": "state.change.logger", - "kafka.log.component": "unknown", - "log.level": "TRACE", - "log.offset": 0, + "@timestamp": "2017-08-04T10:48:21.428Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kafka", + "input.type": "log", + "kafka.log.class": "state.change.logger", + "kafka.log.component": "unknown", + "log.level": "TRACE", + "log.offset": 0, "message": "Controller 0 epoch 1 received response {error_code=0} for a request sent to broker baldur:9092 (id: 0 rack: null)" } ] \ No newline at end of file 
diff --git a/filebeat/module/kibana/log/test/test.log-expected.json b/filebeat/module/kibana/log/test/test.log-expected.json index 600d27ade4e..133aaa5dfd0 100644 --- a/filebeat/module/kibana/log/test/test.log-expected.json +++ b/filebeat/module/kibana/log/test/test.log-expected.json 
@@ -1,73 +1,73 @@ [ { - "@timestamp": "2018-05-09T10:57:55.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kibana", - "http.request.method": "get", - "http.response.content_length": 9, - "http.response.elapsed_time": 26, - "http.response.status_code": 304, - "input.type": "log", - "kibana.log.meta.method": "get", - "kibana.log.meta.req.headers.accept": "*/*", - "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", - "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", - "kibana.log.meta.req.headers.connection": "keep-alive", - "kibana.log.meta.req.headers.host": "localhost:5601", - "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", - "kibana.log.meta.req.headers.if-none-match": "\"24234c1c81b3948758c1a0be8e5a65386ca94c52\"", - "kibana.log.meta.req.headers.origin": "http://localhost:5601", - "kibana.log.meta.req.headers.referer": "http://localhost:5601/app/kibana", - "kibana.log.meta.req.headers.user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36", - "kibana.log.meta.req.referer": "http://localhost:5601/app/kibana", - "kibana.log.meta.req.remoteAddress": "127.0.0.1", - "kibana.log.meta.req.url": "/ui/fonts/open_sans/open_sans_v15_latin_600.woff2", - "kibana.log.meta.req.userAgent": "127.0.0.1", - "kibana.log.meta.statusCode": 304, - "kibana.log.meta.type": "response", - "kibana.log.tags": [], - "log.offset": 0, - "message": "GET /ui/fonts/open_sans/open_sans_v15_latin_600.woff2 304 26ms - 9.0B", - "process.pid": 69410, + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kibana", + "http.request.method": "get", + "http.response.content_length": 9, + "http.response.elapsed_time": 26, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.method": "get", + "kibana.log.meta.req.headers.accept": 
"*/*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"24234c1c81b3948758c1a0be8e5a65386ca94c52\"", + "kibana.log.meta.req.headers.origin": "http://localhost:5601", + "kibana.log.meta.req.headers.referer": "http://localhost:5601/app/kibana", + "kibana.log.meta.req.headers.user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36", + "kibana.log.meta.req.referer": "http://localhost:5601/app/kibana", + "kibana.log.meta.req.remoteAddress": "127.0.0.1", + "kibana.log.meta.req.url": "/ui/fonts/open_sans/open_sans_v15_latin_600.woff2", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.statusCode": 304, + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 0, + "message": "GET /ui/fonts/open_sans/open_sans_v15_latin_600.woff2 304 26ms - 9.0B", + "process.pid": 69410, "service.name": [ "kibana" ] - }, + }, { - "@timestamp": "2018-05-09T10:59:12.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kibana", - "input.type": "log", - "kibana.log.meta.type": "log", + "@timestamp": "2018-05-09T10:59:12.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kibana", + "input.type": "log", + "kibana.log.meta.type": "log", "kibana.log.tags": [ - "debug", - "monitoring-ui", + "debug", + "monitoring-ui", "kibana-monitoring" - ], - "log.offset": 920, - "message": "Fetching data from kibana_stats collector", - "process.pid": 69776, + ], + "log.offset": 920, + "message": "Fetching data from kibana_stats collector", + "process.pid": 69776, "service.name": [ "kibana" ] - 
}, + }, { - "@timestamp": "2018-05-09T10:59:12.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "kibana", - "input.type": "log", - "kibana.log.meta.type": "log", + "@timestamp": "2018-05-09T10:59:12.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "kibana", + "input.type": "log", + "kibana.log.meta.type": "log", "kibana.log.tags": [ - "reporting", - "debug", + "reporting", + "debug", "exportTypes" - ], - "log.offset": 1090, - "message": "Found exportType at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack/plugins/reporting/export_types/csv/server/index.js", - "process.pid": 69776, + ], + "log.offset": 1090, + "message": "Found exportType at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack/plugins/reporting/export_types/csv/server/index.js", + "process.pid": 69776, "service.name": [ "kibana" ] diff --git a/filebeat/module/logstash/log/test/logstash-plain.log-expected.json b/filebeat/module/logstash/log/test/logstash-plain.log-expected.json index 7be9e11d365..f50ce1f62c1 100644 --- a/filebeat/module/logstash/log/test/logstash-plain.log-expected.json +++ b/filebeat/module/logstash/log/test/logstash-plain.log-expected.json @@ -24,4 +24,4 @@ "logstash.log.message": "(0.058950s) Select Name as [person.name]\n, Address as [person.address]\nfrom people\n", "logstash.log.module": "logstash.inputs.jdbc " } -] +] \ No newline at end of file diff --git a/filebeat/module/logstash/slowlog/test/slowlog-plain.log-expected.json b/filebeat/module/logstash/slowlog/test/slowlog-plain.log-expected.json index bf15a2c23ad..34a7c675e65 100644 --- a/filebeat/module/logstash/slowlog/test/slowlog-plain.log-expected.json +++ b/filebeat/module/logstash/slowlog/test/slowlog-plain.log-expected.json @@ -16,4 +16,4 @@ "logstash.slowlog.took_in_millis": 3027, "logstash.slowlog.took_in_nanos": 3027675106 } -] +] \ No newline at end of file 
diff --git a/filebeat/module/mongodb/log/test/mongodb-debian-3.2.11.log-expected.json b/filebeat/module/mongodb/log/test/mongodb-debian-3.2.11.log-expected.json index 478a978f239..8327946a4f9 100644 --- a/filebeat/module/mongodb/log/test/mongodb-debian-3.2.11.log-expected.json +++ b/filebeat/module/mongodb/log/test/mongodb-debian-3.2.11.log-expected.json 
@@ -1,410 +1,410 @@ [ { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 0, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "git version: 009580ad490190ba33d1c6253ebd8d91808923e4", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 110, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "modules: none", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 180, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "OpenSSL version: OpenSSL 1.0.2l 25 May 2017", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.677Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 281, - "mongodb.log.component": "STORAGE", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "wiredtiger_open config: create,cache_size=8G,session_max=20000,eviction=(threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.724Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 621, - "mongodb.log.component": "FTDC", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "Initializing 
full-time diagnostic data capture with directory '/var/lib/mongodb/diagnostic.data'", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.724Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 774, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "HostnameCanonicalizationWorker", - "mongodb.log.message": "Starting hostname canonicalization worker", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.744Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 889, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "waiting for connections on port 27017", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:50:55.170Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 983, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "conn1", - "mongodb.log.message": "end connection 127.0.0.1:55404 (0 connections now open)", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:50:55.487Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1087, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "connection accepted from 127.0.0.1:55406 #2 (1 connection now open)", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.606Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1211, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "now exiting", - "mongodb.log.severity": "I" - }, - { - "@timestamp": 
"2018-02-05T13:49:45.606Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1288, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "closing listening socket: 7", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.606Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1381, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "removing socket file: /run/mongodb/mongodb-27017.sock", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.606Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1500, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "shutdown: going to flush diaglog...", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.606Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1601, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "shutdown: going to close sockets...", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.688Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1702, - "mongodb.log.component": "STORAGE", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "shutdown: removing fs lock...", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 
1797, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "db version v3.2.11", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1872, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "build environment:", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 1947, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": " distarch: x86_64", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 2024, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "options: { config: \"/etc/mongodb.conf\", net: { bindIp: \"127.0.0.1\", unixDomainSocket: { pathPrefix: \"/run/mongodb\" } }, storage: { dbPath: \"/var/lib/mongodb\", journal: { enabled: true } }, systemLog: { destination: \"file\", logAppend: true, path: \"/var/log/mongodb/mongodb.log\" } }", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:50:55.170Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 2361, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "connection accepted from 127.0.0.1:55404 #1 (1 connection now open)", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:50:56.180Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - 
"input.type": "log", - "log.offset": 2485, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "conn3", - "mongodb.log.message": "end connection 127.0.0.1:55414 (0 connections now open)", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:15:42.095Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 2589, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "conn4", - "mongodb.log.message": "end connection 127.0.0.1:58336 (0 connections now open)", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.606Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 2693, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "shutdown: going to close listening sockets...", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.606Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 2804, - "mongodb.log.component": "STORAGE", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "WiredTigerKVEngine shutting down", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.688Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 2902, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "dbexit: rc: 0", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 2982, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "MongoDB starting : 
pid=29803 port=27017 dbpath=/var/lib/mongodb 64-bit host=sleipnir", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 3123, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "allocator: tcmalloc", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:44:56.657Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 3199, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": " target_arch: x86_64", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:50:55.487Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 3279, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "conn2", - "mongodb.log.message": "end connection 127.0.0.1:55406 (0 connections now open)", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T12:50:56.180Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 3383, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "connection accepted from 127.0.0.1:55414 #3 (1 connection now open)", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:11:41.401Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 3507, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "initandlisten", - "mongodb.log.message": "connection accepted from 127.0.0.1:58336 #4 (1 connection now open)", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.605Z", - 
"ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 3631, - "mongodb.log.component": "CONTROL", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "got signal 15 (Terminated), will terminate after current cmd ends", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.605Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 3762, - "mongodb.log.component": "FTDC", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "Shutting down full-time diagnostic data capture", - "mongodb.log.severity": "I" - }, - { - "@timestamp": "2018-02-05T13:49:45.606Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "mongodb", - "input.type": "log", - "log.offset": 3875, - "mongodb.log.component": "NETWORK", - "mongodb.log.context": "signalProcessingThread", - "mongodb.log.message": "closing listening socket: 6", + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 0, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "git version: 009580ad490190ba33d1c6253ebd8d91808923e4", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 110, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "modules: none", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 180, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": 
"initandlisten", + "mongodb.log.message": "OpenSSL version: OpenSSL 1.0.2l 25 May 2017", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.677Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 281, + "mongodb.log.component": "STORAGE", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "wiredtiger_open config: create,cache_size=8G,session_max=20000,eviction=(threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.724Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 621, + "mongodb.log.component": "FTDC", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "Initializing full-time diagnostic data capture with directory '/var/lib/mongodb/diagnostic.data'", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.724Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 774, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "HostnameCanonicalizationWorker", + "mongodb.log.message": "Starting hostname canonicalization worker", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.744Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 889, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "waiting for connections on port 27017", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:50:55.170Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + 
"event.module": "mongodb", + "input.type": "log", + "log.offset": 983, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "conn1", + "mongodb.log.message": "end connection 127.0.0.1:55404 (0 connections now open)", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:50:55.487Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1087, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "connection accepted from 127.0.0.1:55406 #2 (1 connection now open)", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.606Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1211, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "now exiting", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.606Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1288, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "closing listening socket: 7", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.606Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1381, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "removing socket file: /run/mongodb/mongodb-27017.sock", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.606Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1500, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": 
"signalProcessingThread", + "mongodb.log.message": "shutdown: going to flush diaglog...", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.606Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1601, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "shutdown: going to close sockets...", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.688Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1702, + "mongodb.log.component": "STORAGE", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "shutdown: removing fs lock...", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1797, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "db version v3.2.11", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1872, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "build environment:", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 1947, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": " distarch: x86_64", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + 
"event.module": "mongodb", + "input.type": "log", + "log.offset": 2024, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "options: { config: \"/etc/mongodb.conf\", net: { bindIp: \"127.0.0.1\", unixDomainSocket: { pathPrefix: \"/run/mongodb\" } }, storage: { dbPath: \"/var/lib/mongodb\", journal: { enabled: true } }, systemLog: { destination: \"file\", logAppend: true, path: \"/var/log/mongodb/mongodb.log\" } }", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:50:55.170Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 2361, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "connection accepted from 127.0.0.1:55404 #1 (1 connection now open)", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:50:56.180Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 2485, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "conn3", + "mongodb.log.message": "end connection 127.0.0.1:55414 (0 connections now open)", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:15:42.095Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 2589, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "conn4", + "mongodb.log.message": "end connection 127.0.0.1:58336 (0 connections now open)", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.606Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 2693, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "shutdown: going to close listening sockets...", + 
"mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.606Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 2804, + "mongodb.log.component": "STORAGE", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "WiredTigerKVEngine shutting down", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.688Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 2902, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "dbexit: rc: 0", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 2982, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "MongoDB starting : pid=29803 port=27017 dbpath=/var/lib/mongodb 64-bit host=sleipnir", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 3123, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "allocator: tcmalloc", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:44:56.657Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 3199, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": " target_arch: x86_64", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:50:55.487Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + 
"log.offset": 3279, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "conn2", + "mongodb.log.message": "end connection 127.0.0.1:55406 (0 connections now open)", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T12:50:56.180Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 3383, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "connection accepted from 127.0.0.1:55414 #3 (1 connection now open)", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:11:41.401Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 3507, + "mongodb.log.component": "NETWORK", + "mongodb.log.context": "initandlisten", + "mongodb.log.message": "connection accepted from 127.0.0.1:58336 #4 (1 connection now open)", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.605Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 3631, + "mongodb.log.component": "CONTROL", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "got signal 15 (Terminated), will terminate after current cmd ends", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.605Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 3762, + "mongodb.log.component": "FTDC", + "mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "Shutting down full-time diagnostic data capture", + "mongodb.log.severity": "I" + }, + { + "@timestamp": "2018-02-05T13:49:45.606Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "mongodb", + "input.type": "log", + "log.offset": 3875, + "mongodb.log.component": "NETWORK", + 
"mongodb.log.context": "signalProcessingThread", + "mongodb.log.message": "closing listening socket: 6", "mongodb.log.severity": "I" } ] \ No newline at end of file diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 20131604e85..90cfddcea7b 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json 
@@ -1,219 +1,219 @@ [ { - "@timestamp": "2016-12-07T10:05:07.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "nginx", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 200, - "http.version": "1.1", - "input.type": "log", - "log.offset": 0, + "@timestamp": "2016-12-07T10:05:07.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "nginx", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 0, "network.forwarded_ip": [ - "10.0.0.2", - "10.0.0.1", + "10.0.0.2", + "10.0.0.1", "127.0.0.1" - ], - "nginx.access.body_sent.bytes": 571, - "source.ip": "10.0.0.2", - "url.original": "/ocelot", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "49", - "user_agent.minor": "0", - "user_agent.name": "Firefox", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", - "user_agent.os.full_name": "Mac OS X 10.12", - "user_agent.os.major": "10", - "user_agent.os.minor": "12", + ], + "nginx.access.body_sent.bytes": 571, + "source.ip": "10.0.0.2", + "url.original": "/ocelot", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "49", + "user_agent.minor": "0", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", + "user_agent.os.full_name": "Mac OS X 10.12", + "user_agent.os.major": "10", + "user_agent.os.minor": "12", "user_agent.os.name": "Mac OS X" - }, + }, { - "@timestamp": "2017-05-29T19:02:48.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "nginx", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 404, - "http.version": "1.1", - "input.type": "log", - "log.offset": 183, + "@timestamp": 
"2017-05-29T19:02:48.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "nginx", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 183, "network.forwarded_ip": [ "172.17.0.1" - ], - "nginx.access.body_sent.bytes": 612, - "source.ip": "172.17.0.1", - "url.original": "/stringpatch", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "15", - "user_agent.minor": "0", - "user_agent.name": "Firefox Alpha", - "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", - "user_agent.os.full_name": "Windows 7", - "user_agent.os.name": "Windows 7", + ], + "nginx.access.body_sent.bytes": 612, + "source.ip": "172.17.0.1", + "url.original": "/stringpatch", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "15", + "user_agent.minor": "0", + "user_agent.name": "Firefox Alpha", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2", + "user_agent.os.full_name": "Windows 7", + "user_agent.os.name": "Windows 7", "user_agent.patch": "a2" - }, + }, { - "@timestamp": "2016-12-07T10:05:07.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "nginx", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 200, - "http.version": "1.1", - "input.type": "log", - "log.offset": 341, + "@timestamp": "2016-12-07T10:05:07.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "nginx", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 341, "network.forwarded_ip": [ - "10.0.0.2", - "10.0.0.1", + "10.0.0.2", + "10.0.0.1", "85.181.35.98" - ], - "nginx.access.body_sent.bytes": 571, - "source.geo.city_name": "Berlin", - 
"source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.location.lat": 52.4908, - "source.geo.location.lon": 13.3275, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", - "url.original": "/ocelot", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "49", - "user_agent.minor": "0", - "user_agent.name": "Firefox", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", - "user_agent.os.full_name": "Mac OS X 10.12", - "user_agent.os.major": "10", - "user_agent.os.minor": "12", + ], + "nginx.access.body_sent.bytes": 571, + "source.geo.city_name": "Berlin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 52.4908, + "source.geo.location.lon": 13.3275, + "source.geo.region_iso_code": "DE-BE", + "source.geo.region_name": "Land Berlin", + "source.ip": "85.181.35.98", + "url.original": "/ocelot", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "49", + "user_agent.minor": "0", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", + "user_agent.os.full_name": "Mac OS X 10.12", + "user_agent.os.major": "10", + "user_agent.os.minor": "12", "user_agent.os.name": "Mac OS X" - }, + }, { - "@timestamp": "2016-12-07T10:05:07.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "nginx", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 200, - "http.version": "1.1", - "input.type": "log", - "log.offset": 527, + "@timestamp": "2016-12-07T10:05:07.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "nginx", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "http.version": "1.1", 
+ "input.type": "log", + "log.offset": 527, "network.forwarded_ip": [ "85.181.35.98" - ], - "nginx.access.body_sent.bytes": 571, - "source.geo.city_name": "Berlin", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.location.lat": 52.4908, - "source.geo.location.lon": 13.3275, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", - "url.original": "/ocelot", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.major": "70", - "user_agent.minor": "0", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", - "user_agent.os.full_name": "Mac OS X 10.14.0", - "user_agent.os.major": "10", - "user_agent.os.minor": "14", - "user_agent.os.name": "Mac OS X", + ], + "nginx.access.body_sent.bytes": 571, + "source.geo.city_name": "Berlin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 52.4908, + "source.geo.location.lon": 13.3275, + "source.geo.region_iso_code": "DE-BE", + "source.geo.region_name": "Land Berlin", + "source.ip": "85.181.35.98", + "url.original": "/ocelot", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.major": "70", + "user_agent.minor": "0", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", + "user_agent.os.full_name": "Mac OS X 10.14.0", + "user_agent.os.major": "10", + "user_agent.os.minor": "14", + "user_agent.os.name": "Mac OS X", "user_agent.patch": "3538" - }, + }, { - "@timestamp": "2016-01-22T13:18:29.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "nginx", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 200, - 
"http.version": "1.1", - "input.type": "log", - "log.offset": 732, + "@timestamp": "2016-01-22T13:18:29.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "nginx", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 732, "network.forwarded_ip": [ - "10.5.102.222", - "199.96.1.1", - "204.246.1.1", + "10.5.102.222", + "199.96.1.1", + "204.246.1.1", "10.2.1.185" - ], - "nginx.access.body_sent.bytes": 25507, - "source.geo.city_name": "Springfield", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "US", - "source.geo.location.lat": 39.772, - "source.geo.location.lon": -89.6859, - "source.geo.region_iso_code": "US-IL", - "source.geo.region_name": "Illinois", - "source.ip": "199.96.1.1", - "url.original": "/assets/xxxx?q=100", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.name": "Other", - "user_agent.original": "Amazon CloudFront", - "user_agent.os.full_name": "Other", + ], + "nginx.access.body_sent.bytes": 25507, + "source.geo.city_name": "Springfield", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 39.772, + "source.geo.location.lon": -89.6859, + "source.geo.region_iso_code": "US-IL", + "source.geo.region_name": "Illinois", + "source.ip": "199.96.1.1", + "url.original": "/assets/xxxx?q=100", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.name": "Other", + "user_agent.original": "Amazon CloudFront", + "user_agent.os.full_name": "Other", "user_agent.os.name": "Other" - }, + }, { - "@timestamp": "2016-12-30T06:47:09.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "nginx", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 404, - "http.version": "1.1", - "input.type": "log", - "log.offset": 884, + "@timestamp": 
"2016-12-30T06:47:09.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "nginx", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 884, "network.forwarded_ip": [ - "2a03:0000:10ff:f00f:0000:0000:0:8000", - "10.225.192.17", + "2a03:0000:10ff:f00f:0000:0000:0:8000", + "10.225.192.17", "10.2.2.121" - ], - "nginx.access.body_sent.bytes": 8571, - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PT", - "source.geo.location.lat": 39.5, - "source.geo.location.lon": -8.0, - "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", - "url.original": "/test.html", - "user.name": "-", - "user_agent.device": "Spider", - "user_agent.major": "1", - "user_agent.minor": "0", - "user_agent.name": "Facebot", - "user_agent.original": "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)", - "user_agent.os.full_name": "Other", + ], + "nginx.access.body_sent.bytes": 8571, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PT", + "source.geo.location.lat": 39.5, + "source.geo.location.lon": -8.0, + "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", + "url.original": "/test.html", + "user.name": "-", + "user_agent.device": "Spider", + "user_agent.major": "1", + "user_agent.minor": "0", + "user_agent.name": "Facebot", + "user_agent.original": "Mozilla/5.0 (compatible; Facebot 1.0; https://developers.facebook.com/docs/sharing/webmasters/crawler)", + "user_agent.os.full_name": "Other", "user_agent.os.name": "Other" - }, + }, { - "@timestamp": "2018-04-12T07:48:40.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "nginx", - "http.request.referrer": "-", - "http.response.status_code": 400, - "input.type": "log", - "log.offset": 1124, + "@timestamp": "2018-04-12T07:48:40.000Z", + "ecs.version": "1.0.0-beta2", + 
"event.dataset": "access", + "event.module": "nginx", + "http.request.referrer": "-", + "http.response.status_code": 400, + "input.type": "log", + "log.offset": 1124, "network.forwarded_ip": [ "127.0.0.1" - ], - "nginx.access.body_sent.bytes": 0, - "source.ip": "127.0.0.1", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.name": "Other", - "user_agent.original": "-", - "user_agent.os.full_name": "Other", + ], + "nginx.access.body_sent.bytes": 0, + "source.ip": "127.0.0.1", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.name": "Other", + "user_agent.original": "-", + "user_agent.os.full_name": "Other", "user_agent.os.name": "Other" } ] \ No newline at end of file diff --git a/filebeat/module/nginx/error/test/error.log-expected.json b/filebeat/module/nginx/error/test/error.log-expected.json index adda62341f8..bcc4c2a1e2d 100644 --- a/filebeat/module/nginx/error/test/error.log-expected.json +++ b/filebeat/module/nginx/error/test/error.log-expected.json 
@@ -1,28 +1,28 @@ [ { - "@timestamp": "2016-10-25T14:49:34.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "nginx", - "input.type": "log", - "log.offset": 0, - "nginx.error.connection_id": "1", - "nginx.error.level": "error", - "nginx.error.message": "open() \"/usr/local/Cellar/nginx/1.10.2_1/html/favicon.ico\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /favicon.ico HTTP/1.1\", host: \"localhost:8080\", referrer: \"http://localhost:8080/\"", - "nginx.error.pid": "54053", + "@timestamp": "2016-10-25T14:49:34.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "error", + "event.module": "nginx", + "input.type": "log", + "log.offset": 0, + "nginx.error.connection_id": "1", + "nginx.error.level": "error", + "nginx.error.message": "open() \"/usr/local/Cellar/nginx/1.10.2_1/html/favicon.ico\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /favicon.ico HTTP/1.1\", host: \"localhost:8080\", referrer: \"http://localhost:8080/\"", + "nginx.error.pid": "54053", "nginx.error.tid": "0" - }, + }, { - "@timestamp": "2016-10-25T14:50:44.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "error", - "event.module": "nginx", - "input.type": "log", - "log.offset": 273, - "nginx.error.connection_id": "3", - "nginx.error.level": "error", - "nginx.error.message": "open() \"/usr/local/Cellar/nginx/1.10.2_1/html/adsasd\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"GET /adsasd HTTP/1.1\", host: \"localhost:8080\"", - "nginx.error.pid": "54053", + "@timestamp": "2016-10-25T14:50:44.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "error", + "event.module": "nginx", + "input.type": "log", + "log.offset": 273, + "nginx.error.connection_id": "3", + "nginx.error.level": "error", + "nginx.error.message": "open() \"/usr/local/Cellar/nginx/1.10.2_1/html/adsasd\" failed (2: No such file or directory), 
client: 127.0.0.1, server: localhost, request: \"GET /adsasd HTTP/1.1\", host: \"localhost:8080\"", + "nginx.error.pid": "54053", "nginx.error.tid": "0" } ] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json index 01d8af310d5..855187f72e4 100644 --- a/filebeat/module/osquery/result/test/test.log-expected.json +++ b/filebeat/module/osquery/result/test/test.log-expected.json 
@@ -1,30 +1,30 @@ [ { - "@timestamp": "2017-12-28T14:40:08.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "result", - "event.module": "osquery", - "input.type": "log", - "log.offset": 0, - "osquery.result.action": "removed", - "osquery.result.calendar_time": "Thu Dec 28 14:40:08 2017 UTC", - "osquery.result.columns.blocks": "122061322", - "osquery.result.columns.blocks_available": "75966945", - "osquery.result.columns.blocks_free": "121274885", - "osquery.result.columns.blocks_size": "4096", - "osquery.result.columns.device": "/dev/disk1s4", - "osquery.result.columns.device_alias": "/dev/disk1s4", - "osquery.result.columns.flags": "345018372", - "osquery.result.columns.inodes": "9223372036854775807", - "osquery.result.columns.inodes_free": "9223372036854775804", - "osquery.result.columns.path": "/private/var/vm", - "osquery.result.columns.type": "apfs", - "osquery.result.counter": "1", - "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", - "osquery.result.decorations.username": "tsg", - "osquery.result.epoch": "0", - "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", - "osquery.result.name": "pack_it-compliance_mounts", + "@timestamp": "2017-12-28T14:40:08.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "result", + "event.module": "osquery", + "input.type": "log", + "log.offset": 0, + "osquery.result.action": "removed", + "osquery.result.calendar_time": "Thu Dec 28 14:40:08 2017 UTC", + "osquery.result.columns.blocks": "122061322", + "osquery.result.columns.blocks_available": "75966945", + "osquery.result.columns.blocks_free": "121274885", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "/dev/disk1s4", + "osquery.result.columns.device_alias": "/dev/disk1s4", + "osquery.result.columns.flags": "345018372", + "osquery.result.columns.inodes": "9223372036854775807", + "osquery.result.columns.inodes_free": "9223372036854775804", + "osquery.result.columns.path": "/private/var/vm", 
+ "osquery.result.columns.type": "apfs", + "osquery.result.counter": "1", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1514472008" } ] \ No newline at end of file diff --git a/filebeat/module/postgresql/log/test/postgresql-9.6-debian-with-slowlog.log-expected.json b/filebeat/module/postgresql/log/test/postgresql-9.6-debian-with-slowlog.log-expected.json index f45fcf4f9d4..9e98d75b2c4 100644 --- a/filebeat/module/postgresql/log/test/postgresql-9.6-debian-with-slowlog.log-expected.json +++ b/filebeat/module/postgresql/log/test/postgresql-9.6-debian-with-slowlog.log-expected.json 
@@ -1,312 +1,312 @@ [ { - "@timestamp": "2017-07-31T13:36:42.585Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 0, - "message": "database system was shut down at 2017-06-17 16:58:04 CEST", - "postgresql.log.timestamp": "2017-07-31 13:36:42.585", + "@timestamp": "2017-07-31T13:36:42.585Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 0, + "message": "database system was shut down at 2017-06-17 16:58:04 CEST", + "postgresql.log.timestamp": "2017-07-31 13:36:42.585", "process.pid": 4974 - }, + }, { - "@timestamp": "2017-07-31T13:36:42.605Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 100, - "message": "MultiXact member wraparound protections are now enabled", - "postgresql.log.timestamp": "2017-07-31 13:36:42.605", + "@timestamp": "2017-07-31T13:36:42.605Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 100, + "message": "MultiXact member wraparound protections are now enabled", + "postgresql.log.timestamp": "2017-07-31 13:36:42.605", "process.pid": 4974 - }, + }, { - "@timestamp": "2017-07-31T13:36:42.615Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 198, - "message": "autovacuum launcher started", - "postgresql.log.timestamp": "2017-07-31 13:36:42.615", + "@timestamp": "2017-07-31T13:36:42.615Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": 
"CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 198, + "message": "autovacuum launcher started", + "postgresql.log.timestamp": "2017-07-31 13:36:42.615", "process.pid": 4978 - }, + }, { - "@timestamp": "2017-07-31T13:36:42.616Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 268, - "message": "database system is ready to accept connections", - "postgresql.log.timestamp": "2017-07-31 13:36:42.616", + "@timestamp": "2017-07-31T13:36:42.616Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 268, + "message": "database system is ready to accept connections", + "postgresql.log.timestamp": "2017-07-31 13:36:42.616", "process.pid": 4973 - }, + }, { - "@timestamp": "2017-07-31T13:36:42.956Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 357, - "message": "incomplete startup packet", - "postgresql.log.database": "unknown", - "postgresql.log.timestamp": "2017-07-31 13:36:42.956", - "process.pid": 4980, + "@timestamp": "2017-07-31T13:36:42.956Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 357, + "message": "incomplete startup packet", + "postgresql.log.database": "unknown", + "postgresql.log.timestamp": "2017-07-31 13:36:42.956", + "process.pid": 4980, "user.name": "unknown" - }, + }, { - "@timestamp": "2017-07-31T13:36:43.557Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 37118000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", + "@timestamp": 
"2017-07-31T13:36:43.557Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 37118000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "LOG", - "log.offset": 445, - "message": "2017-07-31 13:36:43.557 CEST [4983] postgres@postgres LOG: duration: 37.118 ms statement: SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", - "postgresql.log.database": "postgres", - "postgresql.log.duration": 37.118, - "postgresql.log.query": "SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", - "postgresql.log.timestamp": "2017-07-31 13:36:43.557", - "process.pid": 4983, + ], + "log.level": "LOG", + "log.offset": 445, + "message": "2017-07-31 13:36:43.557 CEST [4983] postgres@postgres LOG: duration: 37.118 ms statement: SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", + "postgresql.log.database": "postgres", + "postgresql.log.duration": 37.118, + "postgresql.log.query": "SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as 
\"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", + "postgresql.log.timestamp": "2017-07-31 13:36:43.557", + "process.pid": 4983, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:36:44.104Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 2895000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", + "@timestamp": "2017-07-31T13:36:44.104Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 2895000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "LOG", - "log.offset": 873, - "message": "2017-07-31 13:36:44.104 CEST [4986] postgres@postgres LOG: duration: 2.895 ms statement: SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", - "postgresql.log.database": "postgres", - "postgresql.log.duration": 2.895, - "postgresql.log.query": "SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", - "postgresql.log.timestamp": "2017-07-31 13:36:44.104", - "process.pid": 4986, + ], + "log.level": "LOG", + "log.offset": 873, + "message": "2017-07-31 13:36:44.104 CEST [4986] postgres@postgres LOG: duration: 2.895 ms statement: SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t 
pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", + "postgresql.log.database": "postgres", + "postgresql.log.duration": 2.895, + "postgresql.log.query": "SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", + "postgresql.log.timestamp": "2017-07-31 13:36:44.104", + "process.pid": 4986, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:36:44.642Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 2809000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", + "@timestamp": "2017-07-31T13:36:44.642Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 2809000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "LOG", - "log.offset": 1300, - "message": "2017-07-31 13:36:44.642 CEST [4989] postgres@postgres LOG: duration: 2.809 ms statement: SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", - "postgresql.log.database": "postgres", - "postgresql.log.duration": 2.809, - "postgresql.log.query": "SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t 
d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", - "postgresql.log.timestamp": "2017-07-31 13:36:44.642", - "process.pid": 4989, + ], + "log.level": "LOG", + "log.offset": 1300, + "message": "2017-07-31 13:36:44.642 CEST [4989] postgres@postgres LOG: duration: 2.809 ms statement: SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", + "postgresql.log.database": "postgres", + "postgresql.log.duration": 2.809, + "postgresql.log.query": "SELECT d.datname as \"Name\",\n\t pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n\t pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n\t d.datcollate as \"Collate\",\n\t d.datctype as \"Ctype\",\n\t pg_catalog.array_to_string(d.datacl, E'\\n') AS \"Access privileges\"\n\tFROM pg_catalog.pg_database d\n\tORDER BY 1;", + "postgresql.log.timestamp": "2017-07-31 13:36:44.642", + "process.pid": 4989, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:39:16.249Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "FATAL", - "log.offset": 1727, - "message": "database \"users\" does not exist", - "postgresql.log.database": "users", - "postgresql.log.timestamp": "2017-07-31 13:39:16.249", - "process.pid": 5407, + "@timestamp": "2017-07-31T13:39:16.249Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "FATAL", + "log.offset": 1727, + "message": "database \"users\" does not exist", + 
"postgresql.log.database": "users", + "postgresql.log.timestamp": "2017-07-31 13:39:16.249", + "process.pid": 5407, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:39:17.945Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "FATAL", - "log.offset": 1818, - "message": "database \"user\" does not exist", - "postgresql.log.database": "user", - "postgresql.log.timestamp": "2017-07-31 13:39:17.945", - "process.pid": 5500, + "@timestamp": "2017-07-31T13:39:17.945Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "FATAL", + "log.offset": 1818, + "message": "database \"user\" does not exist", + "postgresql.log.database": "user", + "postgresql.log.timestamp": "2017-07-31 13:39:17.945", + "process.pid": 5500, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:39:21.025Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 37598000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", + "@timestamp": "2017-07-31T13:39:21.025Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 37598000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "LOG", - "log.offset": 1907, - "message": "2017-07-31 13:39:21.025 CEST [5404] postgres@postgres LOG: duration: 37.598 ms statement: SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid 
= c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", - "postgresql.log.database": "postgres", - "postgresql.log.duration": 37.598, - "postgresql.log.query": "SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", - "postgresql.log.timestamp": "2017-07-31 13:39:21.025", - "process.pid": 5404, + ], + "log.level": "LOG", + "log.offset": 1907, + "message": "2017-07-31 13:39:21.025 CEST [5404] postgres@postgres LOG: duration: 37.598 ms statement: SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", + "postgresql.log.database": "postgres", + "postgresql.log.duration": 37.598, + "postgresql.log.query": "SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE 
c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", + "postgresql.log.timestamp": "2017-07-31 13:39:21.025", + "process.pid": 5404, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:39:31.619Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 9482000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 2620, - "message": "2017-07-31 13:39:31.619 CEST [5502] postgres@clients LOG: duration: 9.482 ms statement: select * from clients;", - "postgresql.log.database": "clients", - "postgresql.log.duration": 9.482, - "postgresql.log.query": "select * from clients;", - "postgresql.log.timestamp": "2017-07-31 13:39:31.619", - "process.pid": 5502, + "@timestamp": "2017-07-31T13:39:31.619Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 9482000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 2620, + "message": "2017-07-31 13:39:31.619 CEST [5502] postgres@clients LOG: duration: 9.482 ms statement: select * from clients;", + "postgresql.log.database": "clients", + "postgresql.log.duration": 9.482, + "postgresql.log.query": "select * from clients;", + "postgresql.log.timestamp": "2017-07-31 13:39:31.619", + "process.pid": 5502, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:39:40.147Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": 
"log", - "event.duration": 765000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 2733, - "message": "2017-07-31 13:39:40.147 CEST [5502] postgres@clients LOG: duration: 0.765 ms statement: select id from clients;", - "postgresql.log.database": "clients", - "postgresql.log.duration": 0.765, - "postgresql.log.query": "select id from clients;", - "postgresql.log.timestamp": "2017-07-31 13:39:40.147", - "process.pid": 5502, + "@timestamp": "2017-07-31T13:39:40.147Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 765000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 2733, + "message": "2017-07-31 13:39:40.147 CEST [5502] postgres@clients LOG: duration: 0.765 ms statement: select id from clients;", + "postgresql.log.database": "clients", + "postgresql.log.duration": 0.765, + "postgresql.log.query": "select id from clients;", + "postgresql.log.timestamp": "2017-07-31 13:39:40.147", + "process.pid": 5502, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:40:54.310Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 26082001, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", + "@timestamp": "2017-07-31T13:40:54.310Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 26082001, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "LOG", - "log.offset": 2847, - "message": "2017-07-31 13:40:54.310 CEST [5502] postgres@clients LOG: duration: 26.082 ms statement: SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END 
as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", - "postgresql.log.database": "clients", - "postgresql.log.duration": 26.082, - "postgresql.log.query": "SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", - "postgresql.log.timestamp": "2017-07-31 13:40:54.310", - "process.pid": 5502, + ], + "log.level": "LOG", + "log.offset": 2847, + "message": "2017-07-31 13:40:54.310 CEST [5502] postgres@clients LOG: duration: 26.082 ms statement: SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", + "postgresql.log.database": 
"clients", + "postgresql.log.duration": 26.082, + "postgresql.log.query": "SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", + "postgresql.log.timestamp": "2017-07-31 13:40:54.310", + "process.pid": 5502, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:43:22.645Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 36161999, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 3559, - "message": "2017-07-31 13:43:22.645 CEST [5502] postgres@clients LOG: duration: 36.162 ms statement: create table cats(name varchar(50) primary key, toy varchar (50) not null, born timestamp not null);", - "postgresql.log.database": "clients", - "postgresql.log.duration": 36.162, - "postgresql.log.query": "create table cats(name varchar(50) primary key, toy varchar (50) not null, born timestamp not null);", - "postgresql.log.timestamp": "2017-07-31 13:43:22.645", - "process.pid": 5502, + "@timestamp": "2017-07-31T13:43:22.645Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 36161999, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3559, + "message": "2017-07-31 13:43:22.645 CEST [5502] postgres@clients LOG: duration: 36.162 ms statement: create table cats(name varchar(50) primary key, toy varchar (50) 
not null, born timestamp not null);", + "postgresql.log.database": "clients", + "postgresql.log.duration": 36.162, + "postgresql.log.query": "create table cats(name varchar(50) primary key, toy varchar (50) not null, born timestamp not null);", + "postgresql.log.timestamp": "2017-07-31 13:43:22.645", + "process.pid": 5502, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:46:02.670Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 10540000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 3751, - "message": "2017-07-31 13:46:02.670 CEST [5502] postgres@c$lients LOG: duration: 10.540 ms statement: insert into cats(name, toy, born) values('kate', 'ball', now());", - "postgresql.log.database": "c$lients", - "postgresql.log.duration": 10.54, - "postgresql.log.query": "insert into cats(name, toy, born) values('kate', 'ball', now());", - "postgresql.log.timestamp": "2017-07-31 13:46:02.670", - "process.pid": 5502, + "@timestamp": "2017-07-31T13:46:02.670Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 10540000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3751, + "message": "2017-07-31 13:46:02.670 CEST [5502] postgres@c$lients LOG: duration: 10.540 ms statement: insert into cats(name, toy, born) values('kate', 'ball', now());", + "postgresql.log.database": "c$lients", + "postgresql.log.duration": 10.54, + "postgresql.log.query": "insert into cats(name, toy, born) values('kate', 'ball', now());", + "postgresql.log.timestamp": "2017-07-31 13:46:02.670", + "process.pid": 5502, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:46:23.016Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 5156000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - 
"log.offset": 3908, - "message": "2017-07-31 13:46:23.016 CEST [5502] postgres@_clients$db LOG: duration: 5.156 ms statement: insert into cats(name, toy, born) values('frida', 'horse', now());", - "postgresql.log.database": "_clients$db", - "postgresql.log.duration": 5.156, - "postgresql.log.query": "insert into cats(name, toy, born) values('frida', 'horse', now());", - "postgresql.log.timestamp": "2017-07-31 13:46:23.016", - "process.pid": 5502, + "@timestamp": "2017-07-31T13:46:23.016Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 5156000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3908, + "message": "2017-07-31 13:46:23.016 CEST [5502] postgres@_clients$db LOG: duration: 5.156 ms statement: insert into cats(name, toy, born) values('frida', 'horse', now());", + "postgresql.log.database": "_clients$db", + "postgresql.log.duration": 5.156, + "postgresql.log.query": "insert into cats(name, toy, born) values('frida', 'horse', now());", + "postgresql.log.timestamp": "2017-07-31 13:46:23.016", + "process.pid": 5502, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:46:55.637Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 25871000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 4069, - "message": "2017-07-31 13:46:55.637 CEST [5502] postgres@clients_db LOG: duration: 25.871 ms statement: create table dogs(name varchar(50) primary key, owner varchar (50) not null, born timestamp not null);", - "postgresql.log.database": "clients_db", - "postgresql.log.duration": 25.871, - "postgresql.log.query": "create table dogs(name varchar(50) primary key, owner varchar (50) not null, born timestamp not null);", - "postgresql.log.timestamp": "2017-07-31 13:46:55.637", - "process.pid": 5502, + "@timestamp": "2017-07-31T13:46:55.637Z", + "ecs.version": 
"1.0.0-beta2", + "event.dataset": "log", + "event.duration": 25871000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4069, + "message": "2017-07-31 13:46:55.637 CEST [5502] postgres@clients_db LOG: duration: 25.871 ms statement: create table dogs(name varchar(50) primary key, owner varchar (50) not null, born timestamp not null);", + "postgresql.log.database": "clients_db", + "postgresql.log.duration": 25.871, + "postgresql.log.query": "create table dogs(name varchar(50) primary key, owner varchar (50) not null, born timestamp not null);", + "postgresql.log.timestamp": "2017-07-31 13:46:55.637", + "process.pid": 5502, "user.name": "postgres" } ] \ No newline at end of file diff --git a/filebeat/module/postgresql/log/test/postgresql-9.6-multi-core.log-expected.json b/filebeat/module/postgresql/log/test/postgresql-9.6-multi-core.log-expected.json index 956ac3523f8..e479f8b24ed 100644 --- a/filebeat/module/postgresql/log/test/postgresql-9.6-multi-core.log-expected.json +++ b/filebeat/module/postgresql/log/test/postgresql-9.6-multi-core.log-expected.json 
@@ -1,130 +1,130 @@ [ { - "@timestamp": "2017-04-03T22:32:14.322Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 0, - "message": "incomplete startup packet", - "postgresql.log.core_id": 1, - "postgresql.log.database": "unknown", - "postgresql.log.timestamp": "2017-04-03 22:32:14.322", - "process.pid": 12975, + "@timestamp": "2017-04-03T22:32:14.322Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 0, + "message": "incomplete startup packet", + "postgresql.log.core_id": 1, + "postgresql.log.database": "unknown", + "postgresql.log.timestamp": "2017-04-03 22:32:14.322", + "process.pid": 12975, "user.name": "unknown" - }, + }, { - "@timestamp": "2017-04-03T22:32:14.322Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": "log", - "log.level": "FATAL", - "log.offset": 91, - "message": "database \"user\" does not exist", - "postgresql.log.core_id": 1, - "postgresql.log.database": "user", - "postgresql.log.timestamp": "2017-04-03 22:32:14.322", - "process.pid": 5404, + "@timestamp": "2017-04-03T22:32:14.322Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", + "log.level": "FATAL", + "log.offset": 91, + "message": "database \"user\" does not exist", + "postgresql.log.core_id": 1, + "postgresql.log.database": "user", + "postgresql.log.timestamp": "2017-04-03 22:32:14.322", + "process.pid": 5404, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-04-03T22:35:22.389Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.duration": 37598000, - "event.module": "postgresql", - "event.timezone": "CEST", - "input.type": 
"log", + "@timestamp": "2017-04-03T22:35:22.389Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.duration": 37598000, + "event.module": "postgresql", + "event.timezone": "CEST", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.level": "LOG", - "log.offset": 182, - "message": "2017-04-03 22:35:22.389 CEST [5404-2] postgres@postgres LOG: duration: 37.598 ms statement: SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", - "postgresql.log.core_id": 2, - "postgresql.log.database": "postgres", - "postgresql.log.duration": 37.598, - "postgresql.log.query": "SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", - "postgresql.log.timestamp": "2017-04-03 22:35:22.389", - "process.pid": 5404, + ], + "log.level": "LOG", + "log.offset": 182, + "message": "2017-04-03 22:35:22.389 CEST [5404-2] postgres@postgres 
LOG: duration: 37.598 ms statement: SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", + "postgresql.log.core_id": 2, + "postgresql.log.database": "postgres", + "postgresql.log.duration": 37.598, + "postgresql.log.query": "SELECT n.nspname as \"Schema\",\n\t c.relname as \"Name\",\n\t CASE c.relkind WHEN 'r' THEN 'table' WHEN 'v' THEN 'view' WHEN 'm' THEN 'materialized view' WHEN 'i' THEN 'index' WHEN 'S' THEN 'sequence' WHEN 's' THEN 'special' WHEN 'f' THEN 'foreign table' END as \"Type\",\n\t pg_catalog.pg_get_userbyid(c.relowner) as \"Owner\"\n\tFROM pg_catalog.pg_class c\n\t LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n\tWHERE c.relkind IN ('r','')\n\t AND n.nspname <> 'pg_catalog'\n\t AND n.nspname <> 'information_schema'\n\t AND n.nspname !~ '^pg_toast'\n\t AND pg_catalog.pg_table_is_visible(c.oid)\n\tORDER BY 1,2;", + "postgresql.log.timestamp": "2017-04-03 22:35:22.389", + "process.pid": 5404, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:36:43.557Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 897, - "message": "autovacuum launcher started", - "postgresql.log.core_id": 1, - "postgresql.log.timestamp": "2017-07-31 13:36:43.557", + "@timestamp": "2017-07-31T13:36:43.557Z", + "ecs.version": "1.0.0-beta2", + 
"event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 897, + "message": "autovacuum launcher started", + "postgresql.log.core_id": 1, + "postgresql.log.timestamp": "2017-07-31 13:36:43.557", "process.pid": 835 - }, + }, { - "@timestamp": "2017-07-31T13:36:44.227Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 967, - "message": "checkpoints are occurring too frequently (25 seconds apart)", - "postgresql.log.core_id": 1, - "postgresql.log.timestamp": "2017-07-31 13:36:44.227", + "@timestamp": "2017-07-31T13:36:44.227Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 967, + "message": "checkpoints are occurring too frequently (25 seconds apart)", + "postgresql.log.core_id": 1, + "postgresql.log.timestamp": "2017-07-31 13:36:44.227", "process.pid": 832 - }, + }, { - "@timestamp": "2017-07-31T13:46:02.670Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "HINT", - "log.offset": 1069, - "message": "Consider increasing the configuration parameter \"max_wal_size\".", - "postgresql.log.core_id": 2, - "postgresql.log.timestamp": "2017-07-31 13:46:02.670", + "@timestamp": "2017-07-31T13:46:02.670Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "HINT", + "log.offset": 1069, + "message": "Consider increasing the configuration parameter \"max_wal_size\".", + "postgresql.log.core_id": 2, + "postgresql.log.timestamp": "2017-07-31 13:46:02.670", "process.pid": 832 - }, + }, { - "@timestamp": "2017-07-31T13:46:23.016Z", - 
"ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "FATAL", - "log.offset": 1176, - "message": "the database system is starting up", - "postgresql.log.core_id": 1, - "postgresql.log.database": "postgres", - "postgresql.log.timestamp": "2017-07-31 13:46:23.016", - "process.pid": 768, + "@timestamp": "2017-07-31T13:46:23.016Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "FATAL", + "log.offset": 1176, + "message": "the database system is starting up", + "postgresql.log.core_id": 1, + "postgresql.log.database": "postgres", + "postgresql.log.timestamp": "2017-07-31 13:46:23.016", + "process.pid": 768, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:46:55.637Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "FATAL", - "log.offset": 1273, - "message": "the database system is starting up", - "postgresql.log.core_id": 1, - "postgresql.log.database": "postgres", - "postgresql.log.timestamp": "2017-07-31 13:46:55.637", - "process.pid": 771, + "@timestamp": "2017-07-31T13:46:55.637Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "FATAL", + "log.offset": 1273, + "message": "the database system is starting up", + "postgresql.log.core_id": 1, + "postgresql.log.database": "postgres", + "postgresql.log.timestamp": "2017-07-31 13:46:55.637", + "process.pid": 771, "user.name": "postgres" } ] \ No newline at end of file diff --git a/filebeat/module/postgresql/log/test/postgresql-9.6-new-timestamp.log-expected.json b/filebeat/module/postgresql/log/test/postgresql-9.6-new-timestamp.log-expected.json index e498c6196c3..f7cbcd112e8 100644 
--- a/filebeat/module/postgresql/log/test/postgresql-9.6-new-timestamp.log-expected.json +++ b/filebeat/module/postgresql/log/test/postgresql-9.6-new-timestamp.log-expected.json 
@@ -1,76 +1,76 @@ [ { - "@timestamp": "2017-07-31T13:36:43.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 0, - "message": "autovacuum launcher started", - "postgresql.log.core_id": 1, - "postgresql.log.timestamp": "2017-07-31 13:36:43", + "@timestamp": "2017-07-31T13:36:43.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 0, + "message": "autovacuum launcher started", + "postgresql.log.core_id": 1, + "postgresql.log.timestamp": "2017-07-31 13:36:43", "process.pid": 835 - }, + }, { - "@timestamp": "2017-07-31T13:36:44.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "LOG", - "log.offset": 66, - "message": "checkpoints are occurring too frequently (25 seconds apart)", - "postgresql.log.core_id": 1, - "postgresql.log.timestamp": "2017-07-31 13:36:44", + "@timestamp": "2017-07-31T13:36:44.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "LOG", + "log.offset": 66, + "message": "checkpoints are occurring too frequently (25 seconds apart)", + "postgresql.log.core_id": 1, + "postgresql.log.timestamp": "2017-07-31 13:36:44", "process.pid": 832 - }, + }, { - "@timestamp": "2017-07-31T13:46:02.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "HINT", - "log.offset": 164, - "message": "Consider increasing the configuration parameter \"max_wal_size\".", - "postgresql.log.core_id": 2, - "postgresql.log.timestamp": "2017-07-31 13:46:02", + "@timestamp": "2017-07-31T13:46:02.000Z", 
+ "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "HINT", + "log.offset": 164, + "message": "Consider increasing the configuration parameter \"max_wal_size\".", + "postgresql.log.core_id": 2, + "postgresql.log.timestamp": "2017-07-31 13:46:02", "process.pid": 832 - }, + }, { - "@timestamp": "2017-07-31T13:46:23.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "FATAL", - "log.offset": 267, - "message": "the database system is starting up", - "postgresql.log.core_id": 1, - "postgresql.log.database": "postgres", - "postgresql.log.timestamp": "2017-07-31 13:46:23", - "process.pid": 768, + "@timestamp": "2017-07-31T13:46:23.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "FATAL", + "log.offset": 267, + "message": "the database system is starting up", + "postgresql.log.core_id": 1, + "postgresql.log.database": "postgres", + "postgresql.log.timestamp": "2017-07-31 13:46:23", + "process.pid": 768, "user.name": "postgres" - }, + }, { - "@timestamp": "2017-07-31T13:46:55.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "postgresql", - "event.timezone": "EST", - "input.type": "log", - "log.level": "FATAL", - "log.offset": 360, - "message": "the database system is starting up", - "postgresql.log.core_id": 1, - "postgresql.log.database": "postgres", - "postgresql.log.timestamp": "2017-07-31 13:46:55", - "process.pid": 771, + "@timestamp": "2017-07-31T13:46:55.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "postgresql", + "event.timezone": "EST", + "input.type": "log", + "log.level": "FATAL", + "log.offset": 360, + "message": "the database system is starting up", + 
"postgresql.log.core_id": 1, + "postgresql.log.database": "postgres", + "postgresql.log.timestamp": "2017-07-31 13:46:55", + "process.pid": 771, "user.name": "postgres" } ] \ No newline at end of file diff --git a/filebeat/module/redis/log/test/test.log-expected.json b/filebeat/module/redis/log/test/test.log-expected.json index a2d2afa9802..d89672f91a1 100644 --- a/filebeat/module/redis/log/test/test.log-expected.json +++ b/filebeat/module/redis/log/test/test.log-expected.json 
@@ -1,44 +1,44 @@ [ { - "@timestamp": "2018-05-30T12:23:52.442Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "redis", - "input.type": "log", - "log.level": "notice", - "log.offset": 0, - "message": "Saving the final RDB snapshot before exiting.", - "process.pid": 98738, + "@timestamp": "2018-05-30T12:23:52.442Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "redis", + "input.type": "log", + "log.level": "notice", + "log.offset": 0, + "message": "Saving the final RDB snapshot before exiting.", + "process.pid": 98738, "redis.log.role": "master" - }, + }, { - "@timestamp": "2018-05-30T10:05:20.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "redis", - "input.type": "log", - "log.level": "debug", - "log.offset": 76, + "@timestamp": "2018-05-30T10:05:20.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "redis", + "input.type": "log", + "log.level": "debug", + "log.offset": 76, "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects." 
- }, + }, { - "@timestamp": "2018-05-31T04:32:08.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "redis", - "input.type": "log", - "log.level": "notice", - "log.offset": 165, + "@timestamp": "2018-05-31T04:32:08.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "redis", + "input.type": "log", + "log.level": "notice", + "log.offset": 165, "message": "The server is now ready to accept connections on port 6379\"" - }, + }, { - "@timestamp": "2017-05-30T10:57:24.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "redis", - "input.type": "log", - "log.offset": 250, - "message": "Received SIGINT scheduling shutdown...", + "@timestamp": "2017-05-30T10:57:24.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "redis", + "input.type": "log", + "log.offset": 250, + "message": "Received SIGINT scheduling shutdown...", "process.pid": 5092 } ] \ No newline at end of file diff --git a/filebeat/module/santa/log/test/santa.log-expected.json b/filebeat/module/santa/log/test/santa.log-expected.json index 3b7d0235fee..cbb8e4c120b 100644 --- a/filebeat/module/santa/log/test/santa.log-expected.json +++ b/filebeat/module/santa/log/test/santa.log-expected.json 
@@ -1,273 +1,273 @@ [ { - "@timestamp": "2018-12-10T06:45:16.802Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "group.id": "0", - "group.name": "wheel", - "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", - "input.type": "log", - "log.offset": 0, - "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", + "@timestamp": "2018-12-10T06:45:16.802Z", + "certificate.common_name": "Software Signing", + "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "group.id": "0", + "group.name": "wheel", + "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", + "input.type": "log", + "log.offset": 0, + "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ "/usr/sbin/newsyslog" - ], - "process.executable": "/usr/libexec/xpcproxy", - "process.pid": 29678, - "process.ppid": 1, - "process.start": "2018-12-10T06:45:16.802Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "CERT", - "user.id": "0", + ], + 
"process.executable": "/usr/libexec/xpcproxy", + "process.pid": 29678, + "process.ppid": 1, + "process.start": "2018-12-10T06:45:16.802Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": "M", + "santa.reason": "CERT", + "user.id": "0", "user.name": "root" - }, + }, { - "@timestamp": "2018-12-10T06:45:16.802Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "group.id": "0", - "group.name": "wheel", - "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", - "input.type": "log", - "log.offset": 360, - "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.systemstats.daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", + "@timestamp": "2018-12-10T06:45:16.802Z", + "certificate.common_name": "Software Signing", + "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "group.id": "0", + "group.name": "wheel", + "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", + "input.type": "log", + "log.offset": 360, + "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.systemstats.daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ - 
"xpcproxy", + "xpcproxy", "com.apple.systemstats.daily" - ], - "process.executable": "/usr/libexec/xpcproxy", - "process.pid": 29679, - "process.ppid": 1, - "process.start": "2018-12-10T06:45:16.802Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "CERT", - "user.id": "0", + ], + "process.executable": "/usr/libexec/xpcproxy", + "process.pid": 29679, + "process.ppid": 1, + "process.start": "2018-12-10T06:45:16.802Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": "M", + "santa.reason": "CERT", + "user.id": "0", "user.name": "root" - }, + }, { - "@timestamp": "2018-12-10T06:45:16.851Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "group.id": "0", - "group.name": "wheel", - "hash.sha256": "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d", - "input.type": "log", - "log.offset": 737, - "log.original": "[2018-12-10T06:45:16.851Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d|path=/usr/sbin/newsyslog|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", + "@timestamp": "2018-12-10T06:45:16.851Z", + "certificate.common_name": "Software Signing", + "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "group.id": "0", + "group.name": "wheel", + "hash.sha256": "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d", + "input.type": "log", + "log.offset": 737, + "log.original": "[2018-12-10T06:45:16.851Z] I santad: 
action=EXEC|decision=ALLOW|reason=CERT|sha256=746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d|path=/usr/sbin/newsyslog|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ "/usr/sbin/newsyslog" - ], - "process.executable": "/usr/sbin/newsyslog", - "process.pid": 29678, - "process.ppid": 1, - "process.start": "2018-12-10T06:45:16.851Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "CERT", - "user.id": "0", + ], + "process.executable": "/usr/sbin/newsyslog", + "process.pid": 29678, + "process.ppid": 1, + "process.start": "2018-12-10T06:45:16.851Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": "M", + "santa.reason": "CERT", + "user.id": "0", "user.name": "root" - }, + }, { - "@timestamp": "2018-12-10T06:45:16.859Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "group.id": "0", - "group.name": "wheel", - "hash.sha256": "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f", - "input.type": "log", - "log.offset": 1095, - "log.original": "[2018-12-10T06:45:16.859Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f|path=/usr/sbin/systemstats|args=/usr/sbin/systemstats --daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", + "@timestamp": "2018-12-10T06:45:16.859Z", + "certificate.common_name": "Software Signing", + "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "ecs.version": "1.0.0-beta2", + "event.dataset": 
"log", + "event.module": "santa", + "group.id": "0", + "group.name": "wheel", + "hash.sha256": "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f", + "input.type": "log", + "log.offset": 1095, + "log.original": "[2018-12-10T06:45:16.859Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f|path=/usr/sbin/systemstats|args=/usr/sbin/systemstats --daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ - "/usr/sbin/systemstats", + "/usr/sbin/systemstats", "--daily" - ], - "process.executable": "/usr/sbin/systemstats", - "process.pid": 29679, - "process.ppid": 1, - "process.start": "2018-12-10T06:45:16.859Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "CERT", - "user.id": "0", + ], + "process.executable": "/usr/sbin/systemstats", + "process.pid": 29679, + "process.ppid": 1, + "process.start": "2018-12-10T06:45:16.859Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": "M", + "santa.reason": "CERT", + "user.id": "0", "user.name": "root" - }, + }, { - "@timestamp": "2018-12-10T08:45:27.810Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "group.id": "0", - "group.name": "wheel", - "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", - "input.type": "log", - "log.offset": 1465, - "log.original": "[2018-12-10T08:45:27.810Z] I santad: 
action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29681|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", + "@timestamp": "2018-12-10T08:45:27.810Z", + "certificate.common_name": "Software Signing", + "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "group.id": "0", + "group.name": "wheel", + "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", + "input.type": "log", + "log.offset": 1465, + "log.original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29681|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ "/usr/sbin/newsyslog" - ], - "process.executable": "/usr/libexec/xpcproxy", - "process.pid": 29681, - "process.ppid": 1, - "process.start": "2018-12-10T08:45:27.810Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "CERT", - "user.id": "0", + ], + "process.executable": "/usr/libexec/xpcproxy", + "process.pid": 29681, + "process.ppid": 1, + "process.start": "2018-12-10T08:45:27.810Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": "M", + "santa.reason": "CERT", + "user.id": "0", "user.name": "root" - }, + }, { - "@timestamp": "2018-12-10T08:45:27.810Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - 
"event.module": "santa", - "group.id": "0", - "group.name": "wheel", - "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", - "input.type": "log", - "log.offset": 1825, - "log.original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.adobe.AAM.Scheduler-1.0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29680|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", + "@timestamp": "2018-12-10T08:45:27.810Z", + "certificate.common_name": "Software Signing", + "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "group.id": "0", + "group.name": "wheel", + "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", + "input.type": "log", + "log.offset": 1825, + "log.original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.adobe.AAM.Scheduler-1.0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29680|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ - "xpcproxy", + "xpcproxy", "com.adobe.AAM.Scheduler-1.0" - ], - "process.executable": "/usr/libexec/xpcproxy", - "process.pid": 29680, - "process.ppid": 1, - "process.start": "2018-12-10T08:45:27.810Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "CERT", - "user.id": "0", + ], + "process.executable": "/usr/libexec/xpcproxy", + "process.pid": 29680, + "process.ppid": 1, + "process.start": "2018-12-10T08:45:27.810Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": 
"M", + "santa.reason": "CERT", + "user.id": "0", "user.name": "root" - }, + }, { - "@timestamp": "2018-12-10T21:37:27.247Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "group.id": "0", - "group.name": "wheel", - "hash.sha256": "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1", - "input.type": "log", - "log.offset": 2202, - "log.original": "[2018-12-10T21:37:27.247Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1|path=/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd|args=/usr/local/bin/osqueryd --flagfile=/private/var/osquery/osquery.flags --logger_min_stderr=1|pid=45084|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", + "@timestamp": "2018-12-10T21:37:27.247Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "group.id": "0", + "group.name": "wheel", + "hash.sha256": "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1", + "input.type": "log", + "log.offset": 2202, + "log.original": "[2018-12-10T21:37:27.247Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1|path=/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd|args=/usr/local/bin/osqueryd --flagfile=/private/var/osquery/osquery.flags --logger_min_stderr=1|pid=45084|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ - "/usr/local/bin/osqueryd", - "--flagfile=/private/var/osquery/osquery.flags", + "/usr/local/bin/osqueryd", + "--flagfile=/private/var/osquery/osquery.flags", "--logger_min_stderr=1" - ], - "process.executable": "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd", - "process.pid": 45084, - "process.ppid": 1, - "process.start": "2018-12-10T21:37:27.247Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "UNKNOWN", - "user.id": "0", + ], + "process.executable": 
"/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd", + "process.pid": 45084, + "process.ppid": 1, + "process.start": "2018-12-10T21:37:27.247Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": "M", + "santa.reason": "UNKNOWN", + "user.id": "0", "user.name": "root" - }, + }, { - "@timestamp": "2018-12-10T16:24:43.992Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "group.id": "20", - "group.name": "staff", - "hash.sha256": "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106", - "input.type": "log", - "log.offset": 2560, - "log.original": "[2018-12-10T16:24:43.992Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106|path=/usr/bin/basename|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=40757|ppid=40756|uid=501|user=akroh|gid=20|group=staff|mode=M", - "process.executable": "/usr/bin/basename", - "process.pid": 40757, - "process.ppid": 40756, - "process.start": "2018-12-10T16:24:43.992Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "CERT", - "user.id": "501", + "@timestamp": "2018-12-10T16:24:43.992Z", + "certificate.common_name": "Software Signing", + "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "group.id": "20", + "group.name": "staff", + "hash.sha256": "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106", + "input.type": "log", + "log.offset": 2560, + "log.original": "[2018-12-10T16:24:43.992Z] I santad: 
action=EXEC|decision=ALLOW|reason=CERT|sha256=63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106|path=/usr/bin/basename|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=40757|ppid=40756|uid=501|user=akroh|gid=20|group=staff|mode=M", + "process.executable": "/usr/bin/basename", + "process.pid": 40757, + "process.ppid": 40756, + "process.start": "2018-12-10T16:24:43.992Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": "M", + "santa.reason": "CERT", + "user.id": "501", "user.name": "akroh" - }, + }, { - "@timestamp": "2018-12-14T05:35:38.313Z", - "certificate.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)", - "certificate.sha256": "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "group.id": "20", - "group.name": "staff", - "hash.sha256": "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7", - "input.type": "log", - "log.offset": 2899, - "log.original": "[2018-12-14T05:35:38.313Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7|path=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper|args=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --field-trial-handle=120122713615061869,9401617251746517350,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10458143409865682077 --seatbelt-client=262|cert_sha256=345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5|cert_cn=Developer ID Application: Google, Inc. 
(EQHXZ8M8AV)|pid=89238|ppid=704|uid=501|user=akroh|gid=20|group=staff|mode=M", + "@timestamp": "2018-12-14T05:35:38.313Z", + "certificate.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)", + "certificate.sha256": "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "group.id": "20", + "group.name": "staff", + "hash.sha256": "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7", + "input.type": "log", + "log.offset": 2899, + "log.original": "[2018-12-14T05:35:38.313Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7|path=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper|args=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --field-trial-handle=120122713615061869,9401617251746517350,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10458143409865682077 --seatbelt-client=262|cert_sha256=345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5|cert_cn=Developer ID Application: Google, Inc. 
(EQHXZ8M8AV)|pid=89238|ppid=704|uid=501|user=akroh|gid=20|group=staff|mode=M", "process.args": [ - "/Applications/Google", - "Chrome.app/Contents/Versions/70.0.3538.110/Google", - "Chrome", - "Helper.app/Contents/MacOS/Google", - "Chrome", - "Helper", - "--type=utility", - "--field-trial-handle=120122713615061869,9401617251746517350,131072", - "--lang=en-US", - "--service-sandbox-type=utility", - "--service-request-channel-token=10458143409865682077", + "/Applications/Google", + "Chrome.app/Contents/Versions/70.0.3538.110/Google", + "Chrome", + "Helper.app/Contents/MacOS/Google", + "Chrome", + "Helper", + "--type=utility", + "--field-trial-handle=120122713615061869,9401617251746517350,131072", + "--lang=en-US", + "--service-sandbox-type=utility", + "--service-request-channel-token=10458143409865682077", "--seatbelt-client=262" - ], - "process.executable": "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", - "process.pid": 89238, - "process.ppid": 704, - "process.start": "2018-12-14T05:35:38.313Z", - "santa.action": "EXEC", - "santa.decision": "ALLOW", - "santa.mode": "M", - "santa.reason": "UNKNOWN", - "user.id": "501", + ], + "process.executable": "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", + "process.pid": 89238, + "process.ppid": 704, + "process.start": "2018-12-14T05:35:38.313Z", + "santa.action": "EXEC", + "santa.decision": "ALLOW", + "santa.mode": "M", + "santa.reason": "UNKNOWN", + "user.id": "501", "user.name": "akroh" - }, + }, { - "@timestamp": "2018-12-17T03:03:52.337Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "log", - "event.module": "santa", - "input.type": "log", - "log.offset": 3712, - "log.original": "[2018-12-17T03:03:52.337Z] I santad: action=DISKAPPEAR|mount=/Volumes/Recovery|volume=Recovery|bsdname=disk1s3|fs=apfs|model=APPLE SSD 
SM0512L|serial=C026495006UHCHH1Q|bus=PCI-Express|dmgpath=", - "santa.action": "DISKAPPEAR", - "santa.disk.bsdname": "disk1s3", - "santa.disk.bus": "PCI-Express", - "santa.disk.fs": "apfs", - "santa.disk.model": "APPLE SSD SM0512L", - "santa.disk.mount": "/Volumes/Recovery", - "santa.disk.serial": "C026495006UHCHH1Q", + "@timestamp": "2018-12-17T03:03:52.337Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "log", + "event.module": "santa", + "input.type": "log", + "log.offset": 3712, + "log.original": "[2018-12-17T03:03:52.337Z] I santad: action=DISKAPPEAR|mount=/Volumes/Recovery|volume=Recovery|bsdname=disk1s3|fs=apfs|model=APPLE SSD SM0512L|serial=C026495006UHCHH1Q|bus=PCI-Express|dmgpath=", + "santa.action": "DISKAPPEAR", + "santa.disk.bsdname": "disk1s3", + "santa.disk.bus": "PCI-Express", + "santa.disk.fs": "apfs", + "santa.disk.model": "APPLE SSD SM0512L", + "santa.disk.mount": "/Volumes/Recovery", + "santa.disk.serial": "C026495006UHCHH1Q", "santa.disk.volume": "Recovery" } ] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index a2e6e6f1635..28bea8874dc 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json 
@@ -1,153 +1,153 @@ [ { - "@timestamp": "2018-02-21T21:54:44.000Z", - "ecs.version": "1.0.0-beta2", - "event.action": "Accepted", - "event.dataset": "auth", - "event.module": "system", - "host.hostname": "localhost", - "input.type": "log", - "log.offset": 0, - "process.pid": 3402, - "source.ip": "10.0.2.2", - "source.port": 63673, - "system.auth.ssh.method": "publickey", - "system.auth.ssh.signature": "RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84", + "@timestamp": "2018-02-21T21:54:44.000Z", + "ecs.version": "1.0.0-beta2", + "event.action": "Accepted", + "event.dataset": "auth", + "event.module": "system", + "host.hostname": "localhost", + "input.type": "log", + "log.offset": 0, + "process.pid": 3402, + "source.ip": "10.0.2.2", + "source.port": 63673, + "system.auth.ssh.method": "publickey", + "system.auth.ssh.signature": "RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84", "user.name": "vagrant" - }, + }, { - "@timestamp": "2018-02-23T00:13:35.000Z", - "ecs.version": "1.0.0-beta2", - "event.action": "Accepted", - "event.dataset": "auth", - "event.module": "system", - "host.hostname": "localhost", - "input.type": "log", - "log.offset": 152, - "process.pid": 7483, - "source.ip": "192.168.33.1", - "source.port": 58803, - "system.auth.ssh.method": "password", + "@timestamp": "2018-02-23T00:13:35.000Z", + "ecs.version": "1.0.0-beta2", + "event.action": "Accepted", + "event.dataset": "auth", + "event.module": "system", + "host.hostname": "localhost", + "input.type": "log", + "log.offset": 152, + "process.pid": 7483, + "source.ip": "192.168.33.1", + "source.port": 58803, + "system.auth.ssh.method": "password", "user.name": "vagrant" - }, + }, { - "@timestamp": "2018-02-21T21:56:12.000Z", - "ecs.version": "1.0.0-beta2", - "event.action": "Invalid", - "event.dataset": "auth", - "event.module": "system", - "host.hostname": "localhost", - "input.type": "log", - "log.offset": 254, - "process.pid": 3430, - "source.ip": "10.0.2.2", + "@timestamp": 
"2018-02-21T21:56:12.000Z", + "ecs.version": "1.0.0-beta2", + "event.action": "Invalid", + "event.dataset": "auth", + "event.module": "system", + "host.hostname": "localhost", + "input.type": "log", + "log.offset": 254, + "process.pid": 3430, + "source.ip": "10.0.2.2", "user.name": "test" - }, + }, { - "@timestamp": "2018-02-20T08:35:22.000Z", - "ecs.version": "1.0.0-beta2", - "event.action": "Failed", - "event.dataset": "auth", - "event.module": "system", - "host.hostname": "slave22", - "input.type": "log", - "log.offset": 324, - "process.pid": 5774, - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.location.lat": 23.1167, - "source.geo.location.lon": 113.25, - "source.geo.region_iso_code": "CN-GD", - "source.geo.region_name": "Guangdong", - "source.ip": "116.31.116.24", - "source.port": 29160, - "system.auth.ssh.method": "password", + "@timestamp": "2018-02-20T08:35:22.000Z", + "ecs.version": "1.0.0-beta2", + "event.action": "Failed", + "event.dataset": "auth", + "event.module": "system", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 324, + "process.pid": 5774, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "116.31.116.24", + "source.port": 29160, + "system.auth.ssh.method": "password", "user.name": "root" - }, + }, { - "@timestamp": "2018-02-21T23:35:33.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "auth", - "event.module": "system", - "host.hostname": "localhost", - "input.type": "log", - "log.offset": 420, - "system.auth.sudo.command": "/bin/ls", - "system.auth.sudo.pwd": "/home/vagrant", - "system.auth.sudo.tty": "pts/0", - "system.auth.sudo.user": "root", + "@timestamp": "2018-02-21T23:35:33.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "auth", + "event.module": "system", 
+ "host.hostname": "localhost", + "input.type": "log", + "log.offset": 420, + "system.auth.sudo.command": "/bin/ls", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", "user.name": "vagrant" - }, + }, { - "@timestamp": "2018-02-19T15:30:04.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "auth", - "event.module": "system", - "host.hostname": "slave22", - "input.type": "log", - "log.offset": 522, - "process.pid": 18406, - "source.geo.continent_name": "Asia", - "source.geo.country_iso_code": "CN", - "source.geo.location.lat": 34.7725, - "source.geo.location.lon": 113.7266, - "source.ip": "123.57.245.163", + "@timestamp": "2018-02-19T15:30:04.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "auth", + "event.module": "system", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 522, + "process.pid": 18406, + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 34.7725, + "source.geo.location.lon": 113.7266, + "source.ip": "123.57.245.163", "system.auth.ssh.dropped_ip": "123.57.245.163" - }, + }, { - "@timestamp": "2018-02-23T00:08:48.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "auth", - "event.module": "system", - "host.hostname": "localhost", - "input.type": "log", - "log.offset": 617, - "system.auth.sudo.command": "/bin/cat /var/log/secure", - "system.auth.sudo.pwd": "/home/vagrant", - "system.auth.sudo.tty": "pts/1", - "system.auth.sudo.user": "root", + "@timestamp": "2018-02-23T00:08:48.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "auth", + "event.module": "system", + "host.hostname": "localhost", + "input.type": "log", + "log.offset": 617, + "system.auth.sudo.command": "/bin/cat /var/log/secure", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/1", + "system.auth.sudo.user": "root", "user.name": "vagrant" - }, + }, { - "@timestamp": "2018-02-24T00:13:02.000Z", - 
"ecs.version": "1.0.0-beta2", - "event.dataset": "auth", - "event.module": "system", - "host.hostname": "precise32", - "input.type": "log", - "log.offset": 736, - "system.auth.sudo.command": "/bin/ls", - "system.auth.sudo.error": "user NOT in sudoers", - "system.auth.sudo.pwd": "/home/vagrant", - "system.auth.sudo.tty": "pts/1", - "system.auth.sudo.user": "root", + "@timestamp": "2018-02-24T00:13:02.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "auth", + "event.module": "system", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 736, + "system.auth.sudo.command": "/bin/ls", + "system.auth.sudo.error": "user NOT in sudoers", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/1", + "system.auth.sudo.user": "root", "user.name": "tsg" - }, + }, { - "@timestamp": "2018-02-22T11:47:05.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "auth", - "event.module": "system", - "group.id": 48, - "group.name": "apache", - "host.hostname": "localhost", - "input.type": "log", - "log.offset": 861, + "@timestamp": "2018-02-22T11:47:05.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "auth", + "event.module": "system", + "group.id": 48, + "group.name": "apache", + "host.hostname": "localhost", + "input.type": "log", + "log.offset": 861, "process.pid": 6991 - }, + }, { - "@timestamp": "2018-02-22T11:47:05.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "auth", - "event.module": "system", - "group.id": 48, - "host.hostname": "localhost", - "input.type": "log", - "log.offset": 934, - "process.pid": 6995, - "system.auth.useradd.home": "/usr/share/httpd", - "system.auth.useradd.shell": "/sbin/nologin", - "user.id": 48, + "@timestamp": "2018-02-22T11:47:05.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "auth", + "event.module": "system", + "group.id": 48, + "host.hostname": "localhost", + "input.type": "log", + "log.offset": 934, + "process.pid": 6995, + "system.auth.useradd.home": 
"/usr/share/httpd", + "system.auth.useradd.shell": "/sbin/nologin", + "user.id": 48, "user.name": "apache" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json index 785ee3a4b11..9c1c6c2e605 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json 
@@ -1,38 +1,38 @@ [ { - "@timestamp": "2018-12-13T11:35:28.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "syslog", - "event.module": "system", - "host.hostname": "a-mac-with-esc-key", - "input.type": "log", + "@timestamp": "2018-12-13T11:35:28.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "syslog", + "event.module": "system", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", "log.flags": [ "multiline" - ], - "log.offset": 0, - "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", - "process.name": "GoogleSoftwareUpdateAgent", + ], + "log.offset": 0, + "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", + "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412 - }, + }, { - "@timestamp": "2018-12-13T11:35:28.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "syslog", - "event.module": "system", - "host.hostname": "a-mac-with-esc-key", - "input.type": "log", - "log.offset": 907, - "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", - "process.name": 
"GoogleSoftwareUpdateAgent", + "@timestamp": "2018-12-13T11:35:28.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "syslog", + "event.module": "system", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 907, + "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", + "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412 - }, + }, { - "@timestamp": "2018-04-04T03:39:57.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "syslog", - "event.module": "system", - "input.type": "log", - "log.offset": 1176, + "@timestamp": "2018-04-04T03:39:57.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "syslog", + "event.module": "system", + "input.type": "log", + "log.offset": 1176, "message": "--- last message repeated 1 time ---" } ] \ No newline at end of file diff --git a/filebeat/module/traefik/access/test/test.log-expected.json b/filebeat/module/traefik/access/test/test.log-expected.json index 93fc524b741..ea0175c9c6d 100644 --- a/filebeat/module/traefik/access/test/test.log-expected.json +++ b/filebeat/module/traefik/access/test/test.log-expected.json 
@@ -1,226 +1,226 @@ [ { - "@timestamp": "2017-10-02T20:22:07.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.duration": 2000000, - "event.module": "traefik", - "http.request.method": "GET", - "http.request.referrer": "http://example.com/login", - "http.response.status_code": 304, - "http.version": "1.1", - "input.type": "log", - "log.offset": 0, - "source.address": "192.168.33.1", - "source.ip": "192.168.33.1", - "traefik.access.backend_url": "http://172.19.0.3:5601", - "traefik.access.body_sent.bytes": 0, - "traefik.access.duration": 2, - "traefik.access.frontend_name": "Host-host-1", - "traefik.access.request_count": 262, - "traefik.access.user_identifier": "-", - "url.original": "/ui/favicons/favicon-16x16.png", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36", - "user_agent.os.full_name": "Linux", - "user_agent.os.name": "Linux", - "user_agent.os.version": "..", + "@timestamp": "2017-10-02T20:22:07.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.duration": 2000000, + "event.module": "traefik", + "http.request.method": "GET", + "http.request.referrer": "http://example.com/login", + "http.response.status_code": 304, + "http.version": "1.1", + "input.type": "log", + "log.offset": 0, + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1", + "traefik.access.backend_url": "http://172.19.0.3:5601", + "traefik.access.body_sent.bytes": 0, + "traefik.access.duration": 2, + "traefik.access.frontend_name": "Host-host-1", + "traefik.access.request_count": 262, + "traefik.access.user_identifier": "-", + "url.original": "/ui/favicons/favicon-16x16.png", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/61.0.3163.100 Safari/537.36", + "user_agent.os.full_name": "Linux", + "user_agent.os.name": "Linux", + "user_agent.os.version": "..", "user_agent.version": "61.0.3163" - }, + }, { - "@timestamp": "2017-10-02T20:22:08.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.duration": 3000000, - "event.module": "traefik", - "http.request.method": "GET", - "http.request.referrer": "http://example.com/login", - "http.response.status_code": 304, - "http.version": "1.1", - "input.type": "log", - "log.offset": 280, - "source.address": "85.181.35.98", - "source.geo.city_name": "Berlin", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "DE", - "source.geo.location.lat": 52.4908, - "source.geo.location.lon": 13.3275, - "source.geo.region_iso_code": "DE-BE", - "source.geo.region_name": "Land Berlin", - "source.ip": "85.181.35.98", - "traefik.access.backend_url": "http://172.19.0.3:5601", - "traefik.access.body_sent.bytes": 0, - "traefik.access.duration": 3, - "traefik.access.frontend_name": "Host-host1", - "traefik.access.request_count": 271, - "traefik.access.user_identifier": "-", - "url.original": "/ui/favicons/favicon.ico", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.name": "Chrome", - "user_agent.original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36", - "user_agent.os.full_name": "Linux", - "user_agent.os.name": "Linux", - "user_agent.os.version": "..", + "@timestamp": "2017-10-02T20:22:08.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.duration": 3000000, + "event.module": "traefik", + "http.request.method": "GET", + "http.request.referrer": "http://example.com/login", + "http.response.status_code": 304, + "http.version": "1.1", + "input.type": "log", + "log.offset": 280, + "source.address": "85.181.35.98", + "source.geo.city_name": "Berlin", + "source.geo.continent_name": "Europe", + 
"source.geo.country_iso_code": "DE", + "source.geo.location.lat": 52.4908, + "source.geo.location.lon": 13.3275, + "source.geo.region_iso_code": "DE-BE", + "source.geo.region_name": "Land Berlin", + "source.ip": "85.181.35.98", + "traefik.access.backend_url": "http://172.19.0.3:5601", + "traefik.access.body_sent.bytes": 0, + "traefik.access.duration": 3, + "traefik.access.frontend_name": "Host-host1", + "traefik.access.request_count": 271, + "traefik.access.user_identifier": "-", + "url.original": "/ui/favicons/favicon.ico", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36", + "user_agent.os.full_name": "Linux", + "user_agent.os.name": "Linux", + "user_agent.os.version": "..", "user_agent.version": "61.0.3163" - }, + }, { - "@timestamp": "2018-02-28T17:30:33.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.duration": 247000000, - "event.module": "traefik", - "http.request.method": "GET", - "http.response.status_code": 200, - "http.version": "2.0", - "input.type": "log", - "log.offset": 553, - "source.address": "70.29.80.15", - "source.geo.city_name": "Ottawa", - "source.geo.continent_name": "North America", - "source.geo.country_iso_code": "CA", - "source.geo.location.lat": 45.2691, - "source.geo.location.lon": -75.7518, - "source.geo.region_iso_code": "CA-ON", - "source.geo.region_name": "Ontario", - "source.ip": "70.29.80.15", - "traefik.access.backend_url": "http://172.19.0.6:14008", - "traefik.access.body_sent.bytes": 2814, - "traefik.access.duration": 247, - "traefik.access.frontend_name": "Host-host1-com-0", - "traefik.access.request_count": 13, - "traefik.access.user_identifier": "-", - "url.original": "/en/", - "user.name": "-", - "user_agent.device": "iPhone", - "user_agent.name": "Mobile Safari", - "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 
like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1", - "user_agent.os.full_name": "iOS 11.2.5", - "user_agent.os.name": "iOS", - "user_agent.os.version": "11.2.", + "@timestamp": "2018-02-28T17:30:33.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.duration": 247000000, + "event.module": "traefik", + "http.request.method": "GET", + "http.response.status_code": 200, + "http.version": "2.0", + "input.type": "log", + "log.offset": 553, + "source.address": "70.29.80.15", + "source.geo.city_name": "Ottawa", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "CA", + "source.geo.location.lat": 45.2691, + "source.geo.location.lon": -75.7518, + "source.geo.region_iso_code": "CA-ON", + "source.geo.region_name": "Ontario", + "source.ip": "70.29.80.15", + "traefik.access.backend_url": "http://172.19.0.6:14008", + "traefik.access.body_sent.bytes": 2814, + "traefik.access.duration": 247, + "traefik.access.frontend_name": "Host-host1-com-0", + "traefik.access.request_count": 13, + "traefik.access.user_identifier": "-", + "url.original": "/en/", + "user.name": "-", + "user_agent.device": "iPhone", + "user_agent.name": "Mobile Safari", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1", + "user_agent.os.full_name": "iOS 11.2.5", + "user_agent.os.name": "iOS", + "user_agent.os.version": "11.2.", "user_agent.version": "11.0." 
- }, + }, { - "@timestamp": "2018-11-29T15:03:51.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.duration": 0, - "event.module": "traefik", - "http.request.method": "GET", - "http.request.referrer": "-", - "http.response.status_code": 404, - "http.version": "1.1", - "input.type": "log", - "log.offset": 821, - "source.address": "::1", - "source.ip": "::1", - "traefik.access.backend_url": "/", - "traefik.access.body_sent.bytes": 19, - "traefik.access.duration": 0, - "traefik.access.frontend_name": "backend not found", - "traefik.access.request_count": 10, - "traefik.access.user_identifier": "-", - "url.original": "/", - "user.name": "-", - "user_agent.device": "Other", - "user_agent.name": "curl", - "user_agent.original": "curl/7.62.0", - "user_agent.os.full_name": "Other", - "user_agent.os.name": "Other", - "user_agent.os.version": "..", + "@timestamp": "2018-11-29T15:03:51.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.duration": 0, + "event.module": "traefik", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 821, + "source.address": "::1", + "source.ip": "::1", + "traefik.access.backend_url": "/", + "traefik.access.body_sent.bytes": 19, + "traefik.access.duration": 0, + "traefik.access.frontend_name": "backend not found", + "traefik.access.request_count": 10, + "traefik.access.user_identifier": "-", + "url.original": "/", + "user.name": "-", + "user_agent.device": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.62.0", + "user_agent.os.full_name": "Other", + "user_agent.os.name": "Other", + "user_agent.os.version": "..", "user_agent.version": "7.62.0" - }, + }, { - "@timestamp": "2018-01-19T10:01:02.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.duration": 13000000, - "event.module": "traefik", - "http.request.method": "GET", - 
"http.response.status_code": 200, - "http.version": "1.1", - "input.type": "log", - "log.offset": 931, - "source.address": "94.254.131.115", - "source.geo.city_name": "Warsaw", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PL", - "source.geo.location.lat": 52.25, - "source.geo.location.lon": 21.0, - "source.geo.region_iso_code": "PL-MZ", - "source.geo.region_name": "Mazovia", - "source.ip": "94.254.131.115", - "traefik.access.backend_url": "http://172.25.0.9:4140", - "traefik.access.body_sent.bytes": 85, - "traefik.access.duration": 13, - "traefik.access.frontend_name": "Host-api-wearerealitygames-com-2", - "traefik.access.request_count": 623112, - "traefik.access.user_identifier": "-", - "url.original": "/assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo", - "user.name": "-", - "user_agent.device": "Generic Smartphone", - "user_agent.name": "Other", - "user_agent.original": "Android", - "user_agent.os.full_name": "Android", - "user_agent.os.name": "Android", - "user_agent.os.version": "..", + "@timestamp": "2018-01-19T10:01:02.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.duration": 13000000, + "event.module": "traefik", + "http.request.method": "GET", + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 931, + "source.address": "94.254.131.115", + "source.geo.city_name": "Warsaw", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 52.25, + "source.geo.location.lon": 21.0, + "source.geo.region_iso_code": "PL-MZ", + "source.geo.region_name": "Mazovia", + "source.ip": "94.254.131.115", + "traefik.access.backend_url": "http://172.25.0.9:4140", + "traefik.access.body_sent.bytes": 85, + "traefik.access.duration": 13, + "traefik.access.frontend_name": 
"Host-api-wearerealitygames-com-2", + "traefik.access.request_count": 623112, + "traefik.access.user_identifier": "-", + "url.original": "/assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo", + "user.name": "-", + "user_agent.device": "Generic Smartphone", + "user_agent.name": "Other", + "user_agent.original": "Android", + "user_agent.os.full_name": "Android", + "user_agent.os.name": "Android", + "user_agent.os.version": "..", "user_agent.version": ".." - }, + }, { - "@timestamp": "2018-01-19T10:01:02.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.duration": 8000000, - "event.module": "traefik", - "http.request.method": "GET", - "http.response.status_code": 200, - "http.version": "1.1", - "input.type": "log", - "log.offset": 1267, - "source.address": "89.64.35.193", - "source.geo.city_name": "Katowice", - "source.geo.continent_name": "Europe", - "source.geo.country_iso_code": "PL", - "source.geo.location.lat": 50.2194, - "source.geo.location.lon": 18.9737, - "source.geo.region_iso_code": "PL-SL", - "source.geo.region_name": "Silesia", - "source.ip": "89.64.35.193", - "traefik.access.backend_url": "http://172.25.0.6:4140", - "traefik.access.body_sent.bytes": 150, - "traefik.access.duration": 8, - "traefik.access.frontend_name": "Host-api-wearerealitygames-com-2", - "traefik.access.request_count": 623114, - "traefik.access.user_identifier": "-", - "url.original": "/marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM", - "user.name": "-", - "user_agent.device": "Generic Smartphone", - "user_agent.name": "Other", - "user_agent.original": "Android", - "user_agent.os.full_name": "Android", - "user_agent.os.name": "Android", - "user_agent.os.version": "..", + "@timestamp": "2018-01-19T10:01:02.000Z", + 
"ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.duration": 8000000, + "event.module": "traefik", + "http.request.method": "GET", + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1267, + "source.address": "89.64.35.193", + "source.geo.city_name": "Katowice", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 50.2194, + "source.geo.location.lon": 18.9737, + "source.geo.region_iso_code": "PL-SL", + "source.geo.region_name": "Silesia", + "source.ip": "89.64.35.193", + "traefik.access.backend_url": "http://172.25.0.6:4140", + "traefik.access.body_sent.bytes": 150, + "traefik.access.duration": 8, + "traefik.access.frontend_name": "Host-api-wearerealitygames-com-2", + "traefik.access.request_count": 623114, + "traefik.access.user_identifier": "-", + "url.original": "/marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM", + "user.name": "-", + "user_agent.device": "Generic Smartphone", + "user_agent.name": "Other", + "user_agent.original": "Android", + "user_agent.os.full_name": "Android", + "user_agent.os.name": "Android", + "user_agent.os.version": "..", "user_agent.version": ".." 
- }, + }, { - "@timestamp": "2000-10-10T20:55:36.000Z", - "ecs.version": "1.0.0-beta2", - "event.dataset": "access", - "event.module": "traefik", - "http.request.method": "GET", - "http.response.status_code": 200, - "http.version": "1.0", - "input.type": "log", - "log.offset": 1581, - "source.address": "127.0.0.1", - "source.ip": "127.0.0.1", - "traefik.access.body_sent.bytes": 2326, - "traefik.access.user_identifier": "-", - "url.original": "/apache_pb.gif", - "user.name": "frank", - "user_agent.os.version": "..", + "@timestamp": "2000-10-10T20:55:36.000Z", + "ecs.version": "1.0.0-beta2", + "event.dataset": "access", + "event.module": "traefik", + "http.request.method": "GET", + "http.response.status_code": 200, + "http.version": "1.0", + "input.type": "log", + "log.offset": 1581, + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "traefik.access.body_sent.bytes": 2326, + "traefik.access.user_identifier": "-", + "url.original": "/apache_pb.gif", + "user.name": "frank", + "user_agent.os.version": "..", "user_agent.version": ".." } ] \ No newline at end of file diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 154b612c275..10218e70c57 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -168,7 +168,7 @@ def _test_expected_events(self, test_file, objects): objects[k] = self.flatten_object(obj, {}, "") clean_keys(objects[k]) - json.dump(objects, f, indent=4, sort_keys=True) + json.dump(objects, f, indent=4, separators=(',', ': '), sort_keys=True) with open(test_file + "-expected.json", "r") as f: expected = json.load(f)
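Review bot: The new `separators=(',', ': ')` argument on the `json.dump` call in `_test_expected_events` carries no comment explaining why it is spelled out, and a later maintainer is likely to drop it as redundant with `indent=4`. On Python 3.4+ it is already the default whenever `indent` is set, but Python 2's `json.dump` keeps the `', '` item separator and writes a trailing space after every comma, which is presumably what produced the whitespace-only churn in the regenerated `*-expected.json` fixtures elsewhere in this commit. Suggest adding above the call: `# explicit separators: Python 2 json.dump otherwise emits trailing spaces after ',' when indent is set, dirtying the regenerated fixtures`. `_test_expected_events` starts before the hunk, and the `open()` that produced `f` for the dump is outside it as well, so its write mode and encoding could not be checked here.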