elastic · robbavey · Oct 10, 2023 · Oct 3, 2023 · Oct 3, 2023 · Oct 3, 2023
@@ -6,6 +6,15 @@ The `logstash` package collects metrics and logs of Logstash.
 
 The `logstash` package works with Logstash 8.5.0 and later
 
+## Technical Preview note
+
+This Logstash package also includes a technical preview of Logstash data collection and dashboards
+native to elastic agent. The technical preview includes enhanced data collection, and a number of dashboards, which include additional insight into running pipelines.
+
+Note that this feature is not intended for use with the Stack Monitoring UI inside Kibana,
+and is included as a technical preview. Existing implementations wishing to continue using the Stack Monitoring UI should uncheck the technical preview option, and continue to use `Metrics (Stack Monitoring)`. Those users who wish to use the technical preview should uncheck `Metrics (Stack Monitoring)` and check `Metrics (Technical Preview)`
+
+
 ## Logs
 
 Logstash package supports the plain text format and the JSON format. Also, two types of 
@@ -79,3 +88,45 @@ Logstash metric related data streams works with Logstash 7.3.0 and later.
 ### Node
 
 {{event "node"}}
+
+
+## Metrics (Technical Preview)
+
+This Logstash package also includes a technical preview of Logstash data collection and dashboards
+native to elastic agent. The technical preview includes enhanced data collection, and a number of dashboards, which include additional insight into running pipelines.
+
+Note that this feature is not intended for use with the Stack Monitoring UI inside Kibana,
+and is included as a technical preview. Existing implementations wishing to continue using the Stack Monitoring UI should uncheck the technical preview option, and continue to use `Metrics (Stack Monitoring)`. Those users who wish to use the technical preview should uncheck `Metrics (Stack Monitoring)` and check `Metrics (Technical Preview)`
+
+### Fields and Sample Event
+
+#### Node
+
+This is the `node` dataset, which drives the Node dashboard pages.
+
+#### Example
+
+{{fields "node_cel"}}
+
+{{event "node_cel"}}
+
+#### Pipeline
+
+This is the `pipeline` dataset, which drives the Pipeline dashboard pages.
+
+#### Example
+
+{{fields "pipeline"}}
+
+{{event "pipeline"}}
+
+#### Plugin
+
+This is the `plugin` dataset, which drives the Pipeline detail dashboard pages. Note that this dataset may produce many documents for logstash instances using a large number of pipelines and/or plugins within those pipelines. For those instances, we recommend reviewing the
+pipeline collection period, and setting it to an appropriate value.
+
+#### Example
+
+{{fields "plugins"}}
+
+{{event "plugins"}}
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.4"
+  changes:
+    - description: Introduce Logstash pipelines plugin retrieval and dashboards
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7704
 - version: "2.3.3"
   changes:
     - description: Introduce Logstash node dashboards into integration package

@@ -0,0 +1,6 @@
+type: cel
+dataset: logstash.node
+vars:
+  url:
+    - "http://{{Hostname}}:9600"
+data_stream: ~
diff --git a/packages/logstash/data_stream/node_cel/agent/stream/stream.yml.hbs b/packages/logstash/data_stream/node_cel/agent/stream/stream.yml.hbs
@@ -0,0 +1,71 @@
+config_version: "2"
+interval: {{period}}
+resource.url: "{{url}}/_node/stats?graph=true"
+{{#if resource_ssl}}
+resource.ssl:
+  {{resource_ssl}}
+{{/if}}
+
+state:
+  username: {{username}}
+  password: {{password}}
+
+redact:
+  fields: ~
-  fields: ~
+  fields:
+    - password
-  fields: ~
+  fields:
+    - password
+
+program: |
+  (has(state.username) && state.username != null ?
+    get_request(state.url).with({
+        "Header":{
+            "Authorization": ["Basic "+string(base64(state.username+":"+state.password))],
+        }
+    })
+  : (has(state.cursor) && has(state.cursor.username) && state.cursor.username != null ?
+      get_request(state.url).with({
+        "Header":{
+          "Authorization": ["Basic "+string(base64(state.cursor.username+":"+state.cursor.password))],
+        }
+      }
+     )
+    :
+      get_request(state.url)
+    )
+   )
+  .do_request().as(resp, bytes(resp.Body)
+  .decode_json()
+  .as(body,
+    {"logstash":{"node":{"stats":{
+             "events":body['events'],
+             "jvm":{
+                "uptime_in_millis":body['jvm']['uptime_in_millis'],
-             "events":body['events'],
-             "jvm":{
-                "uptime_in_millis":body['jvm']['uptime_in_millis'],
+             "events":body.events,
+             "jvm":{
+                "uptime_in_millis":body.jvm.uptime_in_millis,
-             "events":body['events'],
-             "jvm":{
-                "uptime_in_millis":body['jvm']['uptime_in_millis'],
+             "events":body.events,
+             "jvm":{
+                "uptime_in_millis":body.jvm.uptime_in_millis,
+                "mem":body['jvm']['mem'].drop("pools"),
+                "threads":body['jvm']['threads']
+              },
+             "queue":body['queue'],
+             "reloads":body['reloads'],
+             "process":body['process'],
+             "os":{
+              "cpu":body['process']['cpu'],
+              "cgroup":has(body.os.group) ? body['os']['cgroup'] : {},
+             },
+             "logstash":{
+               "ephemeral_id":body['ephemeral_id'],
+               "host":body['host'],
+               "http_address":body['http_address'],
+               "name":body['name'],
+               "pipeline":body['pipeline'],
+               "pipelines":body['pipelines'].map(pipeline, [pipeline]).flatten(),
+               "snapshot":body['snapshot'],
+               "status":body['status'],
+               "uuid":body['id'],
+               "version":body['version'],
+              }
+          }}
+        }})
+  )
+  .as(eve, {
+    "events":eve.map(each, eve),
-    "events":eve.map(each, eve),
+    "events": [eve],
-    "events":eve.map(each, eve),
+    "events": [eve],
+    "cursor": {"username":(has(state.cursor) && has(state.cursor.username)) ? state.cursor.username : has(state.username) ? state.username : null,
+               "password":has(state.cursor) && has(state.cursor.password) ? state.cursor.password : has(state.password) ? state.password : null
+               },
+  })
@@ -0,0 +1,141 @@
+- name: cloud
+  title: Cloud
+  group: 2
+  description: Fields related to the cloud or infrastructure the events are coming from.
+  footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
+  type: group
+  fields:
+    - name: account.id
+      type: keyword
+      ignore_above: 1024
+      description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
-    - name: account.id
-      type: keyword
-      ignore_above: 1024
-      description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
+    - name: account.id
+      external: ecs
-    - name: account.id
-      type: keyword
-      ignore_above: 1024
-      description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
+    - name: account.id
+      external: ecs
+    - name: availability_zone
+      type: keyword
+      ignore_above: 1024
+      description: Availability zone in which this host is running.
+    - name: instance.id
+      type: keyword
+      ignore_above: 1024
+      description: Instance ID of the host machine.
+    - name: instance.name
+      type: keyword
+      ignore_above: 1024
+      description: Instance name of the host machine.
+    - name: machine.type
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the host machine.
+    - name: provider
+      type: keyword
+      ignore_above: 1024
+      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+    - name: region
+      type: keyword
+      ignore_above: 1024
+      description: Region in which this host is running.
+    - name: project.id
+      type: keyword
+      description: Name of the project in Google Cloud.
+    - name: image.id
+      type: keyword
+      description: Image ID for the cloud instance.
+- name: container
+  title: Container
+  group: 2
+  description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
+  type: group
+  fields:
+    - name: id
+      type: keyword
+      ignore_above: 1024
+      description: Unique container id.
+    - name: image.name
+      type: keyword
+      ignore_above: 1024
+      description: Name of the image the container was built on.
+    - name: labels
+      type: object
+      object_type: keyword
+      description: Image labels.
+    - name: name
+      type: keyword
+      ignore_above: 1024
+      description: Container name.
+- name: host
+  title: Host
+  group: 2
+  description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
+  type: group
+  fields:
+    - name: architecture
+      type: keyword
+      ignore_above: 1024
+      description: Operating system architecture.
+    - name: domain
+      type: keyword
+      ignore_above: 1024
+      description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
+      default_field: false
+    - name: hostname
+      type: keyword
+      ignore_above: 1024
+      description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
+    - name: id
+      type: keyword
+      ignore_above: 1024
+      description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
+    - name: ip
+      type: ip
+      description: Host ip addresses.
+    - name: mac
+      type: keyword
+      ignore_above: 1024
+      description: Host mac addresses.
+    - name: name
+      type: keyword
+      ignore_above: 1024
+      description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
+    - name: os.family
+      type: keyword
+      ignore_above: 1024
+      description: OS family (such as redhat, debian, freebsd, windows).
+    - name: os.kernel
+      type: keyword
+      ignore_above: 1024
+      description: Operating system kernel version as a raw string.
+    - name: os.name
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+        - name: text
+          type: text
+          norms: false
+          default_field: false
+      description: Operating system name, without the version.
+    - name: os.platform
+      type: keyword
+      ignore_above: 1024
+      description: Operating system platform (such centos, ubuntu, windows).
+    - name: os.version
+      type: keyword
+      ignore_above: 1024
+      description: Operating system version as a raw string.
+    - name: type
+      type: keyword
+      ignore_above: 1024
+      description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
+    - name: containerized
+      type: boolean
+      description: >
+        If the host is a container.
+
+    - name: os.build
+      type: keyword
+      description: >
+        OS build information.
+
+    - name: os.codename
+      type: keyword
+      description: >
+        OS codename, if any.
+
@@ -0,0 +1,12 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: service.hostname
+  type: keyword
+  description: Hostname of the service
@@ -0,0 +1,27 @@
+- name: '@timestamp'
+  external: ecs
+- name: service.id
+  external: ecs
+- name: service.type
+  external: ecs
+- name: service.version
+  external: ecs
+- name: service.address
+  type: keyword
+  description: Address where data about this service was collected from.
+- name: service.name
+  external: ecs
+- name: process.pid
+  external: ecs
+- name: ecs.version
+  external: ecs
+- name: event.dataset
+  external: ecs
+- name: event.duration
+  external: ecs
+- name: event.module
+  external: ecs
+- name: host.name
+  external: ecs
+- name: error.message
+  external: ecs