[Fleet] Support injected routing rules during integration installation #157422

Open
Tracked by #151898
kpollich opened this issue May 11, 2023 · 9 comments
Labels
Team:Fleet Team label for Observability Data Collection Fleet team


@kpollich
Member

kpollich commented May 11, 2023

Ref elastic/package-spec#514
Follow-up from #155910

When integrations are installed, Fleet should honor all injected routing rules defined by a given data stream manifest in addition to all local rules. The local rules support is handled by #155910.

Given a data stream manifest as follows

# nginx/data_stream/nginx/manifest.yml
title: Nginx logs
type: logs

# This is a catch-all "sink" data stream that routes documents to 
# other datasets based on conditions or variables
dataset: nginx

# Ensures agents have permissions to write data to `logs-nginx.*-*`
elasticsearch.dynamic_dataset: true
elasticsearch.dynamic_namespace: true

routing_rules:
  # "Local" routing rules are included under this current dataset, not a special case
  nginx:
    # Route error logs to `nginx.error` when they're sourced from an error logfile
    - dataset: nginx.error
      if: "ctx?.file?.path?.contains('/var/log/nginx/error')"
      namespace:
        - "{{labels.data_stream.namespace}}"
        - default

    # Route access logs to `nginx.access` when they're sourced from an access logfile
    - dataset: nginx.access
      if: "ctx?.file?.path?.contains('/var/log/nginx/access')"
      namespace:
        - "{{labels.data_stream.namespace}}"
        - default

  # --- Rules below this line are what we're supporting here
  
  # Route K8s container logs to this catch-all dataset for further routing
  k8s.router: 
    - dataset: nginx
      if: "ctx?.container?.image?.name == 'nginx'"
      namespace:
        - "{{labels.data_stream.namespace}}"
        - default
   
  # Route syslog entries tagged with nginx to this catch-all dataset
  syslog:
    - dataset: nginx
      if: "ctx?.tags?.contains('nginx')"
      namespace:
        - "{{labels.data_stream.namespace}}"
        - default

The ingest pipelines for the k8s.router and syslog data streams should be updated as follows

// logs-k8s.router-1.2.3
{
    "processors": [
        {
            "reroute": {
                "tag": "logs-k8s.router",
                "if": "ctx?.container?.image?.name == 'nginx'",
                "dataset": "{{container.image.name}}",
                "namespace": [
                    "{{labels.data_stream.namespace}}",
                    "default"
                ]
            }
        }
    ]
}

// logs-syslog-1.2.3
{
    "processors": [
        {
            "reroute": {
                "tag": "logs-syslog",
                "dataset": "{{container.image.name}}",
                "if": "ctx?.tags?.contains('nginx')",
                "namespace": [
                    "{{labels.data_stream.namespace}}",
                    "default"
                ]
            }
        }
    ]
}

One important detail to note: injected routing rules always appear AFTER local routing rules for a given data stream. This prevents unintended short-circuiting.

@kpollich kpollich added the Team:Fleet Team label for Observability Data Collection Fleet team label May 11, 2023
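
The ordering requirement described in the issue above (local reroute processors first, injected ones after, regardless of package install order), as an added example that is not part of the original issue and is not Fleet's code. The type and function names are hypothetical, the tag format is inferred from the sample pipelines, and the `k8s.system` local rule is constructed for the demonstration.

```typescript
// Added example, not Fleet's implementation; type and function names are hypothetical.
interface RoutingRule { dataset: string; if: string; namespace: string[] }
interface DataStreamManifest {
  type: string;
  dataset: string;
  routing_rules?: Record<string, RoutingRule[]>; // source dataset -> rules
}
interface RerouteProcessor { reroute: { tag: string; if: string; dataset: string; namespace: string[] } }

// A rule is "local" when its source key equals the manifest's own dataset and
// "injected" otherwise. Local processors are always emitted before injected ones.
function buildReroutes(manifests: DataStreamManifest[]): Record<string, RerouteProcessor[]> {
  const local: Record<string, RerouteProcessor[]> = {};
  const injected: Record<string, RerouteProcessor[]> = {};
  for (const m of manifests) {
    const rules = m.routing_rules || {};
    for (const source of Object.keys(rules)) {
      const bucket = source === m.dataset ? local : injected;
      // Assumption: tag is "<type>-<source dataset>", matching the sample pipelines.
      const procs = (rules[source] || []).map((r) => ({
        reroute: { tag: m.type + '-' + source, if: r.if, dataset: r.dataset, namespace: r.namespace },
      }));
      bucket[source] = (bucket[source] || []).concat(procs);
    }
  }
  const out: Record<string, RerouteProcessor[]> = {};
  for (const source of Object.keys(local).concat(Object.keys(injected))) {
    out[source] = (local[source] || []).concat(injected[source] || []);
  }
  return out;
}

const ns = ['{{labels.data_stream.namespace}}', 'default'];
// Constructed input: the nginx manifest from the issue, processed before a
// k8s.router manifest whose single local rule is made up for this example.
const nginx: DataStreamManifest = {
  type: 'logs', dataset: 'nginx',
  routing_rules: {
    nginx: [{ dataset: 'nginx.error', if: "ctx?.file?.path?.contains('/var/log/nginx/error')", namespace: ns }],
    'k8s.router': [{ dataset: 'nginx', if: "ctx?.container?.image?.name == 'nginx'", namespace: ns }],
    syslog: [{ dataset: 'nginx', if: "ctx?.tags?.contains('nginx')", namespace: ns }],
  },
};
const k8s: DataStreamManifest = {
  type: 'logs', dataset: 'k8s.router',
  routing_rules: { 'k8s.router': [{ dataset: 'k8s.system', if: "ctx?.kubernetes?.namespace == 'kube-system'", namespace: ns }] },
};
console.log(JSON.stringify(buildReroutes([nginx, k8s])['k8s.router'], null, 2));
```

Even though the nginx manifest is processed first, the `k8s.router` pipeline lists its own local rule ahead of the rule nginx injects.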
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@joshdover
Contributor

@kpollich are we still doing this one for the MVP or are we only focusing on #155910?

@kpollich
Member Author

@joshdover We'll only be doing "local" routing rules for the MVP in 8.10. So yes, the scope has been pared down to #155910 for MVP.

@jlind23
Contributor

jlind23 commented Jul 18, 2023

@juliaElastic Do we know how this should work with input-packages? Can we specify the input package dataset as target dataset for routing rules? Because the problem with input packages is that the dataset is set at the installation time by the user.

@juliaElastic
Contributor

@jlind23 I think dynamic dataset name in input packages was not considered to be supported by this enhancement. We could come up with a way to support it (in a new issue?), though it's tricky as the dataset name can be anything.
E.g. use a wildcard to map to any dataset name under custom_logs input package

- source_dataset: k8s.router
  rules:
    - target_dataset: custom_logs.*
      if: "true == true"

@jlind23
Contributor

jlind23 commented Jul 18, 2023

What about this one: elastic/package-spec#566 ?

@juliaElastic
Contributor

What about this one: elastic/package-spec#566 ?

We can use that issue to add support for routing rules in input packages, that looks like a use case for local routing rules, not injected.

@joshdover
Contributor

See my comment on the other issue - I'm skeptical that we need routing rules in input packages at all.

@flash1293
Contributor

@kpollich Can this be closed or is there an aspect of this not implemented yet?
