Ingest structured ES slow logs

CHANGELOG.next.asciidoc

@@ -230,6 +230,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add convert_timezone to nginx module. {issue}9839[9839] {pull}10148[10148]
 - Add support for Percona in the `slowlog` fileset of `mysql` module. {issue}6665[6665] {pull}10227[10227]
 - Added support for ingesting structured Elasticsearch audit logs {pull}10352[10352]
+- Added support for ingesting structured Elasticsearch slow logs {pull}10445[10445]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -4327,6 +4327,37 @@ elasticsearch Module
 
 
 
+*`elasticsearch.component`*::
++
+--
+type: keyword
+
+example: o.e.c.m.MetaDataCreateIndexService
+
+Elasticsearch component from where the log event originated
+
+--
+
+*`elasticsearch.cluster.uuid`*::
++
+--
+type: keyword
+
+example: GmvrbHlNTiSVYiPf8kxg9g
+
+UUID of the cluster
+
+--
+
+*`elasticsearch.cluster.name`*::
++
+--
+example: docker-cluster
+
+Name of the cluster
+
+--
+
 *`elasticsearch.node.id`*::
 +
 --

filebeat/module/elasticsearch/_meta/fields.yml

@@ -7,6 +7,17 @@
       type: group
       description: >
       fields:
+        - name: component
+          description: "Elasticsearch component from where the log event originated"
+          example: "o.e.c.m.MetaDataCreateIndexService"
+          type: keyword
+        - name: cluster.uuid
+          description: "UUID of the cluster"
+          example: "GmvrbHlNTiSVYiPf8kxg9g"
+          type: keyword
+        - name: cluster.name
+          description: "Name of the cluster"
+          example: "docker-cluster"
         - name: node.id
           description: "ID of the node"
           example: "DSiWcTyeThWtUXLB9J0BMw"

filebeat/module/elasticsearch/slowlog/config/slowlog.yml

@@ -6,7 +6,7 @@ paths:
 exclude_files: [".gz$"]
 
 multiline:
-  pattern: '^\[?[0-9]{4}-[0-9]{2}-[0-9]{2}'
+  pattern: '^(\[?[0-9]{4}-[0-9]{2}-[0-9]{2}|{)'
   negate: true
   match: after
 

filebeat/module/elasticsearch/slowlog/ingest/pipeline-json.json

@@ -0,0 +1,108 @@
+{
+    "description": "Pipeline for parsing the Elasticsearch slow logs in JSON format.",
+    "on_failure": [
+        {
+            "set": {
+                "field": "error.message",
+                "value": "{{ _ingest.on_failure_message }}"
+            }
+        }
+    ],
+    "processors": [
+        {
+            "json": {
+                "field": "message",
+                "target_field": "elasticsearch.slowlog"
+            }
+        },
+        {
+            "drop": {
+                "if": "ctx.elasticsearch.slowlog.type != 'index_indexing_slowlog' && ctx.elasticsearch.slowlog.type != 'index_search_slowlog'"
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.slowlog.type"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.slowlog.level",
+                "target_field": "log.level"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.slowlog.component",
+                "target_field": "elasticsearch.component"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "cluster.name",
+                "path": "elasticsearch.slowlog"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.slowlog.cluster.name",
+                "target_field": "elasticsearch.cluster.name"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "node.name",
+                "path": "elasticsearch.slowlog"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.slowlog.node.name",
+                "target_field": "elasticsearch.node.name"
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "cluster.uuid",
+                "path": "elasticsearch.slowlog"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.slowlog.cluster.uuid",
+                "target_field": "elasticsearch.cluster.uuid",
+                "ignore_missing": true
+            }
+        },
+        {
+            "dot_expander": {
+                "field": "node.id",
+                "path": "elasticsearch.slowlog"
+            }
+        },
+        {
+            "rename": {
+                "field": "elasticsearch.slowlog.node.id",
+                "target_field": "elasticsearch.node.id",
+                "ignore_missing": true
+            }
+        },
+        {
+            "grok": {
+                "field": "elasticsearch.slowlog.message",
+                "pattern_definitions" : {
+                    "GREEDYMULTILINE" : "(.|\n)*",
+                    "INDEXNAME": "[a-zA-Z0-9_.-]*"
+                },
+                "patterns": [
+                    "(\\[%{INDEXNAME:elasticsearch.index.name}\\]\\[%{NUMBER:elasticsearch.shard.id}\\])?(%{SPACE})?(\\[%{INDEXNAME:elasticsearch.index.name}\\/%{DATA:elasticsearch.index.id}\\])?(%{SPACE})?%{SPACE}(took\\[%{DATA:elasticsearch.slowlog.took}\\],)?%{SPACE}(took_millis\\[%{NUMBER:elasticsearch.slowlog.duration:long}\\],)?%{SPACE}(type\\[%{DATA:elasticsearch.slowlog.type}\\],)?%{SPACE}(id\\[%{DATA:elasticsearch.slowlog.id}\\],)?%{SPACE}(routing\\[%{DATA:elasticsearch.slowlog.routing}\\],)?%{SPACE}(total_hits\\[%{NUMBER:elasticsearch.slowlog.total_hits:int}\\],)?%{SPACE}(types\\[%{DATA:elasticsearch.slowlog.types}\\],)?%{SPACE}(stats\\[%{DATA:elasticsearch.slowlog.stats}\\],)?%{SPACE}(search_type\\[%{DATA:elasticsearch.slowlog.search_type}\\],)?%{SPACE}(total_shards\\[%{NUMBER:elasticsearch.slowlog.total_shards:int}\\],)?%{SPACE}(source\\[%{GREEDYMULTILINE:elasticsearch.slowlog.source_query}\\])?,?%{SPACE}(extra_source\\[%{DATA:elasticsearch.slowlog.extra_source}\\])?,?"
+                ]
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.slowlog.message"
+            }
+        }
+    ]
+}

filebeat/module/elasticsearch/slowlog/ingest/pipeline-plaintext.json

@@ -0,0 +1,33 @@
+{
+    "description": "Pipeline for parsing elasticsearch slow logs in plaintext format.",
+    "processors": [
+        {
+            "grok": {
+                "field": "message",
+                "pattern_definitions": {
+                    "GREEDYMULTILINE": "(.|\n)*",
+                    "INDEXNAME": "[a-zA-Z0-9_.-]*"
+                },
+                "patterns": [
+                    "\\[%{TIMESTAMP_ISO8601:elasticsearch.slowlog.timestamp}\\]\\[%{WORD:log.level}(%{SPACE})?\\]\\[%{DATA:elasticsearch.slowlog.logger}\\]%{SPACE}\\[%{WORD:elasticsearch.node.name}\\](%{SPACE})?(\\[%{INDEXNAME:elasticsearch.index.name}\\]\\[%{NUMBER:elasticsearch.shard.id}\\])?(%{SPACE})?(\\[%{INDEXNAME:elasticsearch.index.name}\\/%{DATA:elasticsearch.index.id}\\])?(%{SPACE})?%{SPACE}(took\\[%{DATA:elasticsearch.slowlog.took}\\],)?%{SPACE}(took_millis\\[%{NUMBER:elasticsearch.slowlog.duration:long}\\],)?%{SPACE}(type\\[%{DATA:elasticsearch.slowlog.type}\\],)?%{SPACE}(id\\[%{DATA:elasticsearch.slowlog.id}\\],)?%{SPACE}(routing\\[%{DATA:elasticsearch.slowlog.routing}\\],)?%{SPACE}(total_hits\\[%{NUMBER:elasticsearch.slowlog.total_hits:int}\\],)?%{SPACE}(types\\[%{DATA:elasticsearch.slowlog.types}\\],)?%{SPACE}(stats\\[%{DATA:elasticsearch.slowlog.stats}\\],)?%{SPACE}(search_type\\[%{DATA:elasticsearch.slowlog.search_type}\\],)?%{SPACE}(total_shards\\[%{NUMBER:elasticsearch.slowlog.total_shards:int}\\],)?%{SPACE}(source\\[%{GREEDYMULTILINE:elasticsearch.slowlog.source_query}\\])?,?%{SPACE}(extra_source\\[%{DATA:elasticsearch.slowlog.extra_source}\\])?,?"
+                ]
+            }
+        },
+        {
+            "split": {
+                "if": "ctx.elasticsearch.slowlog?.stats != ''",
+                "field": "elasticsearch.slowlog.stats",
+                "separator": ",",
+                "ignore_missing": true
+            }
+        }
+    ],
+    "on_failure": [
+        {
+            "set": {
+                "field": "error.message",
+                "value": "{{ _ingest.on_failure_message }}"
+            }
+        }
+    ]
+}

filebeat/module/elasticsearch/slowlog/ingest/pipeline.json

@@ -1,70 +1,81 @@
 {
-  "description": "Pipeline for parsing elasticsearch slowlog logs",
-  "processors": [
-      {
-          "rename": {
-              "field": "@timestamp",
-              "target_field": "event.created"
-          }
-      },
-      {
-          "grok": {
-              "field": "message",
-              "pattern_definitions" : {
-                  "GREEDYMULTILINE" : "(.|\n)*",
-                  "INDEXNAME": "[a-zA-Z0-9_.-]*"
-              },
-              "patterns": [
-                  "\\[%{TIMESTAMP_ISO8601:elasticsearch.slowlog.timestamp}\\]\\[%{WORD:log.level}(%{SPACE})?\\]\\[%{DATA:elasticsearch.slowlog.logger}\\]%{SPACE}\\[%{WORD:elasticsearch.node.name}\\](%{SPACE})?(\\[%{INDEXNAME:elasticsearch.index.name}\\]\\[%{NUMBER:elasticsearch.shard.id}\\])?(%{SPACE})?(\\[%{INDEXNAME:elasticsearch.index.name}\\/%{DATA:elasticsearch.index.id}\\])?(%{SPACE})?%{SPACE}(took\\[%{DATA:elasticsearch.slowlog.took}\\],)?%{SPACE}(took_millis\\[%{NUMBER:temp.duration:long}\\],)?%{SPACE}(type\\[%{DATA:elasticsearch.slowlog.type}\\],)?%{SPACE}(id\\[%{DATA:elasticsearch.slowlog.id}\\],)?%{SPACE}(routing\\[%{DATA:elasticsearch.slowlog.routing}\\],)?%{SPACE}(total_hits\\[%{NUMBER:elasticsearch.slowlog.total_hits:int}\\],)?%{SPACE}(types\\[%{DATA:elasticsearch.slowlog.types}\\],)?%{SPACE}(stats\\[%{DATA:elasticsearch.slowlog.stats}\\],)?%{SPACE}(search_type\\[%{DATA:elasticsearch.slowlog.search_type}\\],)?%{SPACE}(total_shards\\[%{NUMBER:elasticsearch.slowlog.total_shards:int}\\],)?%{SPACE}(source\\[%{GREEDYMULTILINE:elasticsearch.slowlog.source_query}\\])?,?%{SPACE}(extra_source\\[%{DATA:elasticsearch.slowlog.extra_source}\\])?,?"
-              ]
-          }
-      },
-      {
-          "split": {
-              "if": "ctx.elasticsearch.slowlog?.stats != ''",
-              "field": "elasticsearch.slowlog.stats",
-              "separator": ",",
-              "ignore_missing": true
-          }
-      },
-      {
-          "date": {
-              "field": "elasticsearch.slowlog.timestamp",
-              "target_field": "@timestamp",
-              "formats": [
-                  "ISO8601"
-              ],
-              {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
-              "ignore_failure": true
-          }
-      },
-      {
-          "remove": {
-              "field": [
-                    "elasticsearch.slowlog.timestamp"
-              ]
-          }
-      },
-
-      {
-          "script": {
-              "lang": "painless",
-              "source": "ctx.event.duration = Math.round(ctx.temp.duration * params.scale)",
-              "params": { "scale": 1000000 },
-              "if": "ctx.temp?.duration != null"
-          }
-      },
-      {
-          "remove": {
-              "field": "temp.duration",
-              "ignore_missing": true
-          }
-      }
-  ],
-  "on_failure" : [{
-    "set" : {
-      "field" : "error.message",
-      "value" : "{{ _ingest.on_failure_message }}"
-    }
-  }]
+    "description": "Pipeline for parsing elasticsearch slow logs.",
+    "processors": [
+        {
+            "rename": {
+                "field": "@timestamp",
+                "target_field": "event.created"
+            }
+        },
+        {
+            "grok": {
+                "field": "message",
+                "patterns": [
+                    "^%{CHAR:first_char}"
+                ],
+                "pattern_definitions": {
+                    "CHAR": "."
+                }
+            }
+        },
+        {
+            "pipeline": {
+                "if": "ctx.first_char != '{'",
+                "name": "{< IngestPipeline "pipeline-plaintext" >}"
+            }
+        },
+        {
+            "pipeline": {
+                "if": "ctx.first_char == '{'",
+                "name": "{< IngestPipeline "pipeline-json" >}"
+            }
+        },
+        {
+            "date": {
+                "field": "elasticsearch.slowlog.timestamp",
+                "target_field": "@timestamp",
+                "formats": [
+                    "ISO8601"
+                ],
+                {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+                "ignore_failure": true
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.slowlog.timestamp"
+            }
+        },
+        {
+            "script": {
+                "lang": "painless",
+                "source": "ctx.event.duration = Math.round(ctx.elasticsearch.slowlog.duration * params.scale)",
+                "params": {
+                    "scale": 1000000
+                },
+                "if": "ctx.elasticsearch.slowlog?.duration != null"
+            }
+        },
+        {
+            "remove": {
+                "field": "elasticsearch.slowlog.duration",
+                "ignore_missing": true
+            }
+        },
+        {
+            "remove": {
+                "field": [
+                    "first_char"
+                ]
+            }
+        }
+    ],
+    "on_failure": [
+        {
+            "set": {
+                "field": "error.message",
+                "value": "{{ _ingest.on_failure_message }}"
+            }
+        }
+    ]
 }