Change CRI-O parsing to use RFC3339Nano

[vjsamuel]

CRI-O uses RFC3339Nano to generate timestamps which was causing the CRI-O based parsing to parse incorrectly. This PR attempts to fix that.

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[jsoriano]

@vjsamuel thanks for this! Will this continue working with docker logs?

[jsoriano]

jenkins, test this

[vjsamuel]

Yes. This only affects Cri-o processing logic which kicks in after detecting if the log is a docker log or not. Hence docker logs are unaffected.

[jsoriano]

We should probably backport this fix.

[exekias]

any chance to add tests for this?

[jsoriano]

@vjsamuel did you find a log entry that didn't work before this change and works with it? It'd be good to have a test case for this.
As we couldn't reproduce this issue I am going to close this PR by now. Please feel free to reopen if you have a test case, or some other confirmation of this fixing the issue you were having.
Thanks!

[vjsamuel]

never was able to reproduce this as it might have been misconfiguration. apologies.

[shishirkh]

Facing the same issue with elastic stack version 7.5.1

2020-12-21T07:13:00.894Z ERROR readjson/docker_json.go:201 Parse line error: parsing CRI timestamp: parsing time "{"log":"reading" as "2006-01-02T15:04:05.999999999Z07:00": cannot parse "{"log":"reading" as "2006"

My approach is - filebeats collects log and sends to logstash and from there to elasticsearch. It was working fine a day ago,in fact, 3/5 filebeat pods are still in running state, however some filebeat pods keep crashing. Can someone tell me any changes I need to do. I am on Kubernetes. And also have a nginx-controller running for the cluster

[shishirkh]

@jsoriano @vjsamuel

[jsoriano]

Perhaps this was also related to #22685.