Add PostgresSQL module for Filebeat #4763
Conversation
kvch
added
Filebeat
kvch
force-pushed
the
feature/filebeat-postgresql-module
branch
2 times, most recently
from
528c9a5 to
5f93a94
Compare
| "ignore_missing": true, | ||
| "patterns": [ | ||
| "%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timeformat} \[%{NUMBER:postgresql.log.thread_id}\] %{USERNAME:postgresql.log.username}@%{HOSTNAME:postgresql.log.host} %{WORD:postgresql.log.level}: ?%{GREEDYDATA:postgresql.log.message}", | ||
| "%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timeformat} \[%{NUMBER:postgresql.log.thread_id}\] \[%{USERNAME:postgresql.username}\]@\[%{HOSTNAME:postgresql.log.host}\] %{WORD:postgresql.log.level}: ?%{GREEDYDATA:postgresql.log.message}", |
There was a problem hiding this comment.
s/postgresql.username/postgreseql.log.username/ ?
| "patterns": [ | ||
| "%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timeformat} \[%{NUMBER:postgresql.log.thread_id}\] %{USERNAME:postgresql.log.username}@%{HOSTNAME:postgresql.log.host} %{WORD:postgresql.log.level}: ?%{GREEDYDATA:postgresql.log.message}", | ||
| "%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timeformat} \[%{NUMBER:postgresql.log.thread_id}\] \[%{USERNAME:postgresql.username}\]@\[%{HOSTNAME:postgresql.log.host}\] %{WORD:postgresql.log.level}: ?%{GREEDYDATA:postgresql.log.message}", | ||
| "%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timeformat} \[%{NUMBER:postgresql.log.thread_id}\] %{WORD:postgresql.log.level}: ?%{GREEDYDATA:postgresql.log.message}" |
There was a problem hiding this comment.
I wonder if you need to use \\ here. grok is basically build on regular expressions. Plus this file being json might might affect the \ on read.
kvch
force-pushed
the
feature/filebeat-postgresql-module
branch
2 times, most recently
from
2335916 to
ceba36c
Compare
|
My initial problem was solved. Thank you for your help. :) I updated the TODO list based on the current state of the PR. |
kvch
force-pushed
the
feature/filebeat-postgresql-module
branch
5 times, most recently
from
bf388ab to
69234ae
Compare
|
This is green enough, the remaining failure is Metricbeat on Windows. |
|
@kvch It would be nice to also have a fileset for slow logs, like we have for MySQL. But totally fine to do that in a second PR. |
kvch
force-pushed
the
feature/filebeat-postgresql-module
branch
from
69234ae to
2781c17
Compare
|
@tsg I am trying to add slowlog parsing. It is not in a different fileset, because PostgreSQL puts slowlogs in the same file as the other logs by default. Again the Grok parser has failed me. :D I have worked out a regex for multiline query statements using Kibana Dev Tools, but it does not seem to work with Filebeat. |
kvch
force-pushed
the
feature/filebeat-postgresql-module
branch
2 times, most recently
from
4805b3b to
00bb4a3
Compare
|
The problem is fixed. Multiline configuration was missing from the module. |
|
@kvch Something else I noticed, I think you didn't yet add |
|
@tsg I will add it. Thanks. |
kvch
force-pushed
the
feature/filebeat-postgresql-module
branch
2 times, most recently
from
c66cae4 to
e1128f9
Compare
|
I have added a new commit containing a test refactor. |
This module includes a sample dashboard and two sample searches for Kibana.
Previously, only 10 logs could be in *.log and *-expected.json files, as it is the default page size of ES. However, to be more future proof the test was extended, so it can validate more than 10 logs and events.
kvch
force-pushed
the
feature/filebeat-postgresql-module
branch
from
e1128f9 to
c36915d
Compare
|
Remaining test failure is not related. Merging. |
|
|
||
| The second one shows the slowlogs of PostgreSQL. | ||
|
|
||
| image::./images/filebeat-postgresql-postgresql-overview.png[] |
There was a problem hiding this comment.
it should be images/filebeat-postgresql-slowlog-overview.png I think
|
|
||
| The second one shows the slowlogs of PostgreSQL. | ||
|
|
||
| image::./images/filebeat-postgresql-postgresql-overview.png[] |
There was a problem hiding this comment.
it should be images/filebeat-postgresql-slowlog-overview.png I think
|
2017-12-27 11:19:07 GMT [30072]-[14] session=5a43112b.7578 user=postgres db=postgres app=[unknown] client=10.0.2.73 LOG: duration: 1.229 ms statement: 2017-12-27 11:19:07 GMT [30072]-[15] session=5a43112b.7578 user=postgres db=postgres app=[unknown] client=10.0.2.73 LOG: duration: 0.334 ms parse : SELECT pg_database_size($1) AS size; How to resolve these logs, set up can not be resolved |
|
Provided Grok expressions do not match field value: [2017-12-27 13:54:07 GMT [30071]-[3741] session=5a43112b.7577 user=postgres db=postgres app=[unknown] client=10.0.2.73 LOG: duration: 0.180 ms bind : SELECT pg_database_size($1) AS size;] |
|
@liuqian1990 Could you please open a new topic on discuss for further discussions as this is a closed PR? https://discuss.elastic.co/c/beats/filebeat Please provide there your config and the filebeat version you are using + the logs as you did above. |
I have been working on a PostgreSQL module for Filebeat. Unfortunately, I got stuck at viewing logs in Kibana or maybe at indexing logs in Elasticsearch.
The fields for PostgreSQL I have defined are visible in the index. When I test the the pipeline I have created using the Simulate API with the sample logs in the commit, the fields are parsed properly. However, when I read logs of PostgreSQL using Filebeat, it does not seem to work when viewed in Kibana.
This is what I see:
I would expect the logs to be properly parsed, but I don't think it is what I see. To be honest, I am not sure what to expect. Could you give me some pointers on how to go on?
Also I have collected a few TODOs, but please let me know if I missed something.
TODO