Skip to content

Ingest structured ES deprecation logs #10445

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ycombinator merged 4 commits into from
Feb 1, 2019
Merged

Ingest structured ES deprecation logs #10445

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8b96c0b
parse structed ES deprecation logs
ycombinator Jan 31, 2019
2e4431b
Adding CHANGELOG entry
ycombinator Jan 31, 2019
3dc8b64
Add breaking change CHANGELOG entry
ycombinator Jan 31, 2019
cff42d3
Regenerating generated files
ycombinator Feb 1, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Several text fields in the Logstash module are now indexed as `keyword` fields with `text` multi-fields (ECS). {pull}10417[10417]
- Several text fields in the Elasticsearch module are now indexed as `keyword` fields with `text` multi-fields (ECS). {pull}10414[10414]
- Move dissect pattern for traefik.access fileset from Filbeat to Elasticsearch. {pull}10442[10442]
- The `elasticsearch/deprecation` fileset now indexes the `component` field under `elasticsearch` instead of `elasticsearch.server`. {pull}10445[10445]

*Heartbeat*

Expand Down Expand Up @@ -231,6 +232,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add support for Percona in the `slowlog` fileset of `mysql` module. {issue}6665[6665] {pull}10227[10227]
- Added support for ingesting structured Elasticsearch audit logs {pull}10352[10352]
- Added support for ingesting structured Elasticsearch slow logs {pull}10445[10445]
- Added support for ingesting structured Elasticsearch deprecation logs {pull}10445[10445]

*Heartbeat*

Expand Down
2 changes: 2 additions & 0 deletions filebeat/docs/fields.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4352,6 +4352,8 @@ UUID of the cluster
*`elasticsearch.cluster.name`*::
+
--
type: keyword

example: docker-cluster

Name of the cluster
Expand Down
1 change: 1 addition & 0 deletions filebeat/module/elasticsearch/_meta/fields.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
- name: cluster.name
description: "Name of the cluster"
example: "docker-cluster"
type: keyword
- name: node.id
description: "ID of the node"
example: "DSiWcTyeThWtUXLB9J0BMw"
Expand Down
2 changes: 1 addition & 1 deletion filebeat/module/elasticsearch/deprecation/config/log.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ paths:
{{ end }}
exclude_files: [".gz$","_slowlog.log$","_access.log$"]
multiline:
pattern: '^\[[0-9]{4}-[0-9]{2}-[0-9]{2}'
pattern: '^(\[[0-9]{4}-[0-9]{2}-[0-9]{2}|{)'
negate: true
match: after

Expand Down
102 changes: 102 additions & 0 deletions filebeat/module/elasticsearch/deprecation/ingest/pipeline-json.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
{
"description": "Pipeline for parsing the Elasticsearch deprecation log file in JSON format.",
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
],
"processors": [
{
"json": {
"field": "message",
"target_field": "elasticsearch.deprecation"
}
},
{
"drop": {
"if": "ctx.elasticsearch.deprecation.type != 'deprecation'"
}
},
{
"remove": {
"field": "elasticsearch.deprecation.type"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.level",
"target_field": "log.level"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.component",
"target_field": "elasticsearch.component"
}
},
{
"dot_expander": {
"field": "cluster.name",
"path": "elasticsearch.deprecation"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.cluster.name",
"target_field": "elasticsearch.cluster.name"
}
},
{
"dot_expander": {
"field": "node.name",
"path": "elasticsearch.deprecation"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.node.name",
"target_field": "elasticsearch.node.name"
}
},
{
"dot_expander": {
"field": "cluster.uuid",
"path": "elasticsearch.deprecation"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.cluster.uuid",
"target_field": "elasticsearch.cluster.uuid",
"ignore_missing": true
}
},
{
"dot_expander": {
"field": "node.id",
"path": "elasticsearch.deprecation"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.node.id",
"target_field": "elasticsearch.node.id",
"ignore_missing": true
}
},
{
"remove": {
"field": "message"
}
},
{
"rename": {
"field": "elasticsearch.deprecation.message",
"target_field": "message"
}
}
]
}
24 changes: 24 additions & 0 deletions filebeat/module/elasticsearch/deprecation/ingest/pipeline-plaintext.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"description": "Pipeline for parsing the Elasticsearch deprecation log file in plaintext format.",
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
],
"processors": [
{
"grok": {
"field": "message",
"pattern_definitions": {
"GREEDYMULTILINE": "(.|\n)*"
},
"patterns": [
"\\[%{TIMESTAMP_ISO8601:elasticsearch.deprecation.timestamp}\\]\\[%{LOGLEVEL:log.level}%{SPACE}*\\]\\[%{DATA:elasticsearch.component}%{SPACE}*\\] %{GREEDYMULTILINE:message}"
]
}
}
]
}
51 changes: 35 additions & 16 deletions filebeat/module/elasticsearch/deprecation/ingest/pipeline.json
100755 → 100644
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,5 @@
{
"description": "Pipeline for parsing the Elasticsearch deprecation log file.",
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
],
"description": "Pipeline for parsing elasticsearch deprecation logs",
"processors": [
{
"rename": {
Expand All @@ -18,17 +10,29 @@
{
"grok": {
"field": "message",
"pattern_definitions": {
"GREEDYMULTILINE": "(.|\n)*"
},
"patterns": [
"\\[%{TIMESTAMP_ISO8601:timestamp}\\]\\[%{LOGLEVEL:log.level}%{SPACE}*\\]\\[%{DATA:elasticsearch.server.component}%{SPACE}*\\] %{GREEDYMULTILINE:message}"
]
"^%{CHAR:first_char}"
],
"pattern_definitions": {
"CHAR": "."
}
}
},
{
"pipeline": {
"if": "ctx.first_char != '{'",
"name": "{< IngestPipeline "pipeline-plaintext" >}"
}
},
{
"pipeline": {
"if": "ctx.first_char == '{'",
"name": "{< IngestPipeline "pipeline-json" >}"
}
},
{
"date": {
"field": "timestamp",
"field": "elasticsearch.deprecation.timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
Expand All @@ -39,7 +43,22 @@
},
{
"remove": {
"field": "timestamp"
"field": "elasticsearch.deprecation.timestamp"
}
},
{
"remove": {
"field": [
"first_char"
]
}
}
],
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
]
Expand Down
8 changes: 7 additions & 1 deletion filebeat/module/elasticsearch/deprecation/manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,13 @@ var:
- name: paths
default:
- /var/log/elasticsearch/*_deprecation.log
- /var/log/elasticsearch/*_deprecation.json
os.darwin:
- /usr/local/var/lib/elasticsearch/*_deprecation.log
- /usr/local/var/lib/elasticsearch/*_deprecation.json
os.windows:
- c:/ProgramData/Elastic/Elasticsearch/logs/*_deprecation.log
- c:/ProgramData/Elastic/Elasticsearch/logs/*_deprecation.json
- name: convert_timezone
default: false
# if ES < 6.1.0, this flag switches to false automatically when evaluating the
Expand All @@ -16,5 +19,8 @@ var:
version: 6.1.0
value: false

ingest_pipeline: ingest/pipeline.json
ingest_pipeline:
- ingest/pipeline.json
- ingest/pipeline-plaintext.json
- ingest/pipeline-json.json
input: config/log.yml
8 changes: 4 additions & 4 deletions filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
{
"@timestamp": "2018-04-23T16:40:13.737Z",
"ecs.version": "1.0.0-beta2",
"elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"elasticsearch.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"event.dataset": "elasticsearch.deprecation",
"event.module": "elasticsearch",
"fileset.name": "deprecation",
Expand All @@ -15,7 +15,7 @@
{
"@timestamp": "2018-04-23T16:40:13.862Z",
"ecs.version": "1.0.0-beta2",
"elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"elasticsearch.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"event.dataset": "elasticsearch.deprecation",
"event.module": "elasticsearch",
"fileset.name": "deprecation",
Expand All @@ -28,7 +28,7 @@
{
"@timestamp": "2018-04-23T16:40:14.792Z",
"ecs.version": "1.0.0-beta2",
"elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"elasticsearch.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"event.dataset": "elasticsearch.deprecation",
"event.module": "elasticsearch",
"fileset.name": "deprecation",
Expand All @@ -41,7 +41,7 @@
{
"@timestamp": "2018-04-23T16:40:15.127Z",
"ecs.version": "1.0.0-beta2",
"elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"elasticsearch.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
"event.dataset": "elasticsearch.deprecation",
"event.module": "elasticsearch",
"fileset.name": "deprecation",
Expand Down
Loading