Add ZooKeeper Module to Filebeat (#25128)

Adds a new module for ZooKeeper audit and service logs.
elastic · Apr 28, 2021 · d09dfb0 · d09dfb0
1 parent 89d2b36
commit d09dfb0
Show file tree

Hide file tree

Showing 24 changed files with 1,954 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -828,6 +828,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041]
 - New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]
 - Add `uri_parts` processor to Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules ingest pipelines. {issue}19088[19088] {pull}24699[24699]
+- New module `zookeeper` for Zookeeper service and audit logs {issue}25061[25061] {pull}25128[25128]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -91,6 +91,7 @@ grouped in the following categories:
 * <<exported-fields-tomcat>>
 * <<exported-fields-traefik>>
 * <<exported-fields-zeek>>
+* <<exported-fields-zookeeper>>
 * <<exported-fields-zoom>>
 * <<exported-fields-zscaler>>
 
@@ -164031,6 +164032,92 @@ type: boolean
 
 --
 
+[[exported-fields-zookeeper]]
+== ZooKeeper fields
+
+ZooKeeper Module
+
+
+
+[float]
+=== zookeeper
+
+
+
+
+[float]
+=== audit
+
+ZooKeeper Audit logs.
+
+
+
+*`zookeeper.audit.session`*::
++
+--
+Client session id
+
+
+type: keyword
+
+--
+
+*`zookeeper.audit.znode`*::
++
+--
+Path of the znode
+
+
+type: keyword
+
+--
+
+*`zookeeper.audit.znode_type`*::
++
+--
+Type of znode in case of creation operation
+
+
+type: keyword
+
+--
+
+*`zookeeper.audit.acl`*::
++
+--
+String representation of znode ACL like cdrwa(create, delete,read, write, admin). This is logged only for setAcl operation
+
+
+type: keyword
+
+--
+
+*`zookeeper.audit.result`*::
++
+--
+Result of the operation. Possible values are (success/failure/invoked). Result "invoked" is used for serverStop operation because stop is logged before ensuring that server actually stopped.
+
+
+type: keyword
+
+--
+
+*`zookeeper.audit.user`*::
++
+--
+Comma separated list of users who are associate with a client session
+
+
+type: keyword
+
+--
+
+[float]
+=== log
+
+ZooKeeper logs.
+
+
 [[exported-fields-zoom]]
 == Zoom fields
 

diff --git a/filebeat/docs/modules/zookeeper.asciidoc b/filebeat/docs/modules/zookeeper.asciidoc
@@ -0,0 +1,93 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-zookeeper]]
+:modulename: zookeeper
+:has-dashboards: false
+
+== ZooKeeper module
+
+The +{modulename}+ module collects and parses the logs created by https://zookeeper.apache.org/[Apache ZooKeeper]
+
+include::../include/what-happens.asciidoc[]
+
+include::../include/gs-link.asciidoc[]
+
+[float]
+=== Compatibility
+
+The +{modulename}+ module was tested with logs from versions 3.7.0.
+
+include::../include/configuring-intro.asciidoc[]
+
+The following example shows how to set paths in the +modules.d/{modulename}.yml+
+file to override the default paths for logs:
+
+[source,yaml]
+-----
+- module: zookeeper
+  audit:
+    enabled: true
+    var.paths:
+      - "/path/to/logs/zookeeper_audit.log*"
+  log:
+    enabled: true
+    var.paths:
+      - "/path/to/logs/zookeeper.log*"
+-----
+
+
+To specify the same settings at the command line, you use:
+
+[source,yaml]
+-----
+-M "zookeeper.audit.var.paths=[/path/to/logs/zookeeper_audit.log*]" -M "zookeeper.log.var.paths=[/path/to/logs/zookeeper.log*]"
+-----
+
+[float]
+=== Audit logging
+
+Audit logging is available since Zookeeper 3.6.0, but it is disabled by default. To enable it, you can add the following setting to the configuration file:
+["source","sh"]
+----------------------
+audit.enable=true
+----------------------
+
+//set the fileset name used in the included example
+:fileset_ex: audit
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `audit` fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+include::../include/timezone-support.asciidoc[]
+
+:fileset_ex!:
+
+//set the fileset name used in the included example
+:fileset_ex: log
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `log` fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+include::../include/timezone-support.asciidoc[]
+
+:fileset_ex!:
+
+:modulename!:
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<<exported-fields-zookeeper,exported fields>> section.
+
diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc
@@ -70,6 +70,7 @@ This file is generated! See scripts/docs_collector.py
   * <<filebeat-module-tomcat>>
   * <<filebeat-module-traefik>>
   * <<filebeat-module-zeek>>
+  * <<filebeat-module-zookeeper>>
   * <<filebeat-module-zoom>>
   * <<filebeat-module-zscaler>>
 
@@ -144,5 +145,6 @@ include::modules/threatintel.asciidoc[]
 include::modules/tomcat.asciidoc[]
 include::modules/traefik.asciidoc[]
 include::modules/zeek.asciidoc[]
+include::modules/zookeeper.asciidoc[]
 include::modules/zoom.asciidoc[]
 include::modules/zscaler.asciidoc[]
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -2365,6 +2365,23 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#------------------------------ ZooKeeper Module ------------------------------
+- module: zookeeper
+  # All logs
+  audit:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+  # All logs
+  log:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #--------------------------------- Zoom Module ---------------------------------
 - module: zoom
   webhook:

diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
diff --git a/x-pack/filebeat/module/zookeeper/_meta/config.yml b/x-pack/filebeat/module/zookeeper/_meta/config.yml
@@ -0,0 +1,15 @@
+- module: zookeeper
+  # All logs
+  audit:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+  # All logs
+  log:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
diff --git a/x-pack/filebeat/module/zookeeper/_meta/docs.asciidoc b/x-pack/filebeat/module/zookeeper/_meta/docs.asciidoc
@@ -0,0 +1,80 @@
+:modulename: zookeeper
+:has-dashboards: false
+
+== ZooKeeper module
+
+The +{modulename}+ module collects and parses the logs created by https://zookeeper.apache.org/[Apache ZooKeeper]
+
+include::../include/what-happens.asciidoc[]
+
+include::../include/gs-link.asciidoc[]
+
+[float]
+=== Compatibility
+
+The +{modulename}+ module was tested with logs from versions 3.7.0.
+
+include::../include/configuring-intro.asciidoc[]
+
+The following example shows how to set paths in the +modules.d/{modulename}.yml+
+file to override the default paths for logs:
+
+[source,yaml]
+-----
+- module: zookeeper
+  audit:
+    enabled: true
+    var.paths:
+      - "/path/to/logs/zookeeper_audit.log*"
+  log:
+    enabled: true
+    var.paths:
+      - "/path/to/logs/zookeeper.log*"
+-----
+
+
+To specify the same settings at the command line, you use:
+
+[source,yaml]
+-----
+-M "zookeeper.audit.var.paths=[/path/to/logs/zookeeper_audit.log*]" -M "zookeeper.log.var.paths=[/path/to/logs/zookeeper.log*]"
+-----
+
+[float]
+=== Audit logging
+
+Audit logging is available since Zookeeper 3.6.0, but it is disabled by default. To enable it, you can add the following setting to the configuration file:
+["source","sh"]
+----------------------
+audit.enable=true
+----------------------
+
+//set the fileset name used in the included example
+:fileset_ex: audit
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `audit` fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+include::../include/timezone-support.asciidoc[]
+
+:fileset_ex!:
+
+//set the fileset name used in the included example
+:fileset_ex: log
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `log` fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+include::../include/timezone-support.asciidoc[]
+
+:fileset_ex!:
+
+:modulename!:
diff --git a/x-pack/filebeat/module/zookeeper/_meta/fields.yml b/x-pack/filebeat/module/zookeeper/_meta/fields.yml
@@ -0,0 +1,10 @@
+- key: zookeeper
+  title: "ZooKeeper"
+  release: beta
+  description: >
+    ZooKeeper Module
+  fields:
+    - name: zookeeper
+      type: group
+      description: >
+      fields:
diff --git a/x-pack/filebeat/module/zookeeper/audit/_meta/fields.yml b/x-pack/filebeat/module/zookeeper/audit/_meta/fields.yml
@@ -0,0 +1,30 @@
+- name: audit
+  type: group
+  description: >
+    ZooKeeper Audit logs.
+  release: beta
+  fields:
+    - name: session
+      type: keyword
+      description: >
+        Client session id
+    - name: znode
+      type: keyword
+      description: >
+        Path of the znode
+    - name: znode_type
+      type: keyword
+      description: >
+        Type of znode in case of creation operation
+    - name: acl
+      type: keyword
+      description: >
+        String representation of znode ACL like cdrwa(create, delete,read, write, admin). This is logged only for setAcl operation
+    - name: result
+      type: keyword
+      description: >
+        Result of the operation. Possible values are (success/failure/invoked). Result "invoked" is used for serverStop operation because stop is logged before ensuring that server actually stopped.
+    - name: user
+      type: keyword
+      description: >
+        Comma separated list of users who are associate with a client session