Cherry-pick #9761 to 6.6: Allow users to convert timezone in elastics…

…earch module filesets (#10403) * Allow users to convert timezone in elasticsearch module filesets (#9761) This PR updates the following filesets in the `elasticsearch` Filebeat module to accept a `var.convert_timezone` configuration setting: * [x] server * [x] audit * [x] slowlog * [x] deprecation The `gc` fileset was not modified because Elasticsearch GC logs already emit timestamps with timezone information in them. Fixes partially #9756. Related: #9797. (cherry picked from commit 3559e58) * Regenerating generated files * Fixing duplicated header in CHANGELOG * Updating generated file
elastic · Jan 30, 2019 · fc17d76 · fc17d76
1 parent c047bee
commit fc17d76
Show file tree

Hide file tree

Showing 22 changed files with 432 additions and 291 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -40,6 +40,7 @@ https://github.com/elastic/beats/compare/1035569addc4a3b29ffa14f8a08c27c1ace16ef
 
 - Fix bad bytes count in `docker` input when filtering by stream. {pull}10211[10211]
 - Add `convert_timezone` option to Logstash module to convert dates to UTC. {issue}9756[9756] {pull}9797[9797]
+- Add `convert_timezone` option to Elasticsearch module to convert dates to UTC. {issue}9756[9756] {pull}9761[9761]
 
 *Heartbeat*
 

diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml
@@ -92,6 +92,9 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   gc:
     enabled: true
     # Set custom paths for the log files. If left empty,
@@ -104,18 +107,28 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   slowlog:
     enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   deprecation:
     enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
+
 #------------------------------- haproxy Module ------------------------------
 - module: haproxy
   # All logs

diff --git a/filebeat/module/elasticsearch/_meta/config.yml b/filebeat/module/elasticsearch/_meta/config.yml
@@ -7,6 +7,9 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   gc:
     enabled: true
     # Set custom paths for the log files. If left empty,
@@ -19,14 +22,24 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   slowlog:
     enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   deprecation:
     enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
+
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
diff --git a/filebeat/module/elasticsearch/audit/config/audit.yml b/filebeat/module/elasticsearch/audit/config/audit.yml
@@ -5,6 +5,11 @@ paths:
 {{ end }}
 exclude_files: [".gz$"]
 
+{{ if .convert_timezone }}
+processors:
+- add_locale: ~
+{{ end }}
+
 fields:
   service.name: "elasticsearch"
 fields_under_root: true
diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.json b/filebeat/module/elasticsearch/audit/ingest/pipeline.json
@@ -16,9 +16,19 @@
           }
       },
       {
-          "rename": {
+          "date": {
               "field": "elasticsearch.audit.timestamp",
-              "target_field": "@timestamp"
+              "target_field": "@timestamp",
+              "formats": [
+                "ISO8601"
+            ],
+            {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+            "ignore_failure": true
+          }
+      },
+      {
+        "remove": {
+            "field": "elasticsearch.audit.timestamp"
           }
       }
     ],

diff --git a/filebeat/module/elasticsearch/audit/manifest.yml b/filebeat/module/elasticsearch/audit/manifest.yml
@@ -8,6 +8,13 @@ var:
       - /usr/local/var/lib/elasticsearch/*_access.log
     os.windows:
       - c:/ProgramData/Elastic/Elasticsearch/logs/*_access.log
+  - name: convert_timezone
+    default: false
+    # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+    # pipeline
+    min_elasticsearch_version:
+      version: 6.1.0
+      value: false
 
 ingest_pipeline: ingest/pipeline.json
 input: config/audit.yml
diff --git a/filebeat/module/elasticsearch/audit/test/test.log-expected.json b/filebeat/module/elasticsearch/audit/test/test.log-expected.json
@@ -1,6 +1,6 @@
 [
     {
-        "@timestamp": "2018-06-19T05:16:15,549", 
+        "@timestamp": "2018-06-19T05:16:15.549Z", 
         "elasticsearch.audit.event_type": "authentication_failed", 
         "elasticsearch.audit.layer": "rest", 
         "elasticsearch.audit.origin_address": "147.107.128.77", 
@@ -16,7 +16,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:07:52,304", 
+        "@timestamp": "2018-06-19T05:07:52.304Z", 
         "elasticsearch.audit.event_type": "authentication_failed", 
         "elasticsearch.audit.layer": "rest", 
         "elasticsearch.audit.origin_address": "172.22.0.3", 
@@ -33,7 +33,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:00:15,778", 
+        "@timestamp": "2018-06-19T05:00:15.778Z", 
         "elasticsearch.audit.action": "indices:data/read/scroll/clear", 
         "elasticsearch.audit.event_type": "access_granted", 
         "elasticsearch.audit.layer": "transport", 
@@ -51,7 +51,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:07:45,544", 
+        "@timestamp": "2018-06-19T05:07:45.544Z", 
         "elasticsearch.audit.event_type": "anonymous_access_denied", 
         "elasticsearch.audit.layer": "rest", 
         "elasticsearch.audit.origin_address": "172.22.0.3", 
@@ -67,7 +67,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:26:27,268", 
+        "@timestamp": "2018-06-19T05:26:27.268Z", 
         "elasticsearch.audit.event_type": "authentication_failed", 
         "elasticsearch.audit.layer": "rest", 
         "elasticsearch.audit.origin_address": "147.107.128.77", 
@@ -83,7 +83,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:55:26,898", 
+        "@timestamp": "2018-06-19T05:55:26.898Z", 
         "elasticsearch.audit.action": "cluster:monitor/main", 
         "elasticsearch.audit.event_type": "access_denied", 
         "elasticsearch.audit.layer": "transport", 
@@ -101,7 +101,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:24:15,190", 
+        "@timestamp": "2018-06-19T05:24:15.190Z", 
         "elasticsearch.audit.event_type": "authentication_failed", 
         "elasticsearch.audit.layer": "rest", 
         "elasticsearch.audit.origin_address": "172.18.0.3", 

diff --git a/filebeat/module/elasticsearch/deprecation/config/log.yml b/filebeat/module/elasticsearch/deprecation/config/log.yml
@@ -9,6 +9,11 @@ multiline:
   negate: true
   match: after
 
+{{ if .convert_timezone }}
+processors:
+- add_locale: ~
+{{ end }}
+
 fields:
   service.name: "elasticsearch"
 

diff --git a/filebeat/module/elasticsearch/deprecation/ingest/pipeline.json b/filebeat/module/elasticsearch/deprecation/ingest/pipeline.json
@@ -27,9 +27,19 @@
             }
         },
         {
-            "rename": {
+            "date": {
                 "field": "timestamp",
-                "target_field": "@timestamp"
+                "target_field": "@timestamp",
+                "formats": [
+                    "ISO8601"
+                ],
+                {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+                "ignore_failure": true
+            }
+        },
+        {
+            "remove": {
+                "field": "timestamp"
             }
         }
     ]

diff --git a/filebeat/module/elasticsearch/deprecation/manifest.yml b/filebeat/module/elasticsearch/deprecation/manifest.yml
@@ -8,6 +8,13 @@ var:
       - /usr/local/var/lib/elasticsearch/*_deprecation.log
     os.windows:
       - c:/ProgramData/Elastic/Elasticsearch/logs/*_deprecation.log
+  - name: convert_timezone
+    default: false
+    # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+    # pipeline
+    min_elasticsearch_version:
+      version: 6.1.0
+      value: false
 
 ingest_pipeline: ingest/pipeline.json
 prospector: config/log.yml
diff --git a/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json b/filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json
@@ -1,54 +1,54 @@
 [
     {
-        "@timestamp": "2018-04-23T16:40:13,737",
-        "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
-        "event.dataset": "elasticsearch.deprecation",
-        "fileset.module": "elasticsearch",
-        "fileset.name": "deprecation",
-        "input.type": "log",
-        "log.level": "WARN",
-        "offset": 0,
-        "message": "Deprecated field [template] used, replaced by [index_patterns]",
-        "prospector.type": "log",
+        "@timestamp": "2018-04-23T16:40:13.737Z", 
+        "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", 
+        "event.dataset": "elasticsearch.deprecation", 
+        "fileset.module": "elasticsearch", 
+        "fileset.name": "deprecation", 
+        "input.type": "log", 
+        "log.level": "WARN", 
+        "message": "Deprecated field [template] used, replaced by [index_patterns]", 
+        "offset": 0, 
+        "prospector.type": "log", 
         "service.name": "elasticsearch"
-    },
+    }, 
     {
-        "@timestamp": "2018-04-23T16:40:13,862",
-        "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
-        "event.dataset": "elasticsearch.deprecation",
-        "fileset.module": "elasticsearch",
-        "fileset.name": "deprecation",
-        "input.type": "log",
-        "log.level": "WARN",
-        "offset": 137,
-        "message": "Deprecated field [template] used, replaced by [index_patterns]",
-        "prospector.type": "log",
+        "@timestamp": "2018-04-23T16:40:13.862Z", 
+        "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", 
+        "event.dataset": "elasticsearch.deprecation", 
+        "fileset.module": "elasticsearch", 
+        "fileset.name": "deprecation", 
+        "input.type": "log", 
+        "log.level": "WARN", 
+        "message": "Deprecated field [template] used, replaced by [index_patterns]", 
+        "offset": 137, 
+        "prospector.type": "log", 
         "service.name": "elasticsearch"
-    },
+    }, 
     {
-        "@timestamp": "2018-04-23T16:40:14,792",
-        "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
-        "event.dataset": "elasticsearch.deprecation",
-        "fileset.module": "elasticsearch",
-        "fileset.name": "deprecation",
-        "input.type": "log",
-        "log.level": "WARN",
-        "offset": 274,
-        "message": "Deprecated field [template] used, replaced by [index_patterns]",
-        "prospector.type": "log",
+        "@timestamp": "2018-04-23T16:40:14.792Z", 
+        "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", 
+        "event.dataset": "elasticsearch.deprecation", 
+        "fileset.module": "elasticsearch", 
+        "fileset.name": "deprecation", 
+        "input.type": "log", 
+        "log.level": "WARN", 
+        "message": "Deprecated field [template] used, replaced by [index_patterns]", 
+        "offset": 274, 
+        "prospector.type": "log", 
         "service.name": "elasticsearch"
-    },
+    }, 
     {
-        "@timestamp": "2018-04-23T16:40:15,127",
-        "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest",
-        "event.dataset": "elasticsearch.deprecation",
-        "fileset.module": "elasticsearch",
-        "fileset.name": "deprecation",
-        "input.type": "log",
-        "log.level": "WARN",
-        "offset": 411,
-        "message": "Deprecated field [template] used, replaced by [index_patterns]",
-        "prospector.type": "log",
+        "@timestamp": "2018-04-23T16:40:15.127Z", 
+        "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", 
+        "event.dataset": "elasticsearch.deprecation", 
+        "fileset.module": "elasticsearch", 
+        "fileset.name": "deprecation", 
+        "input.type": "log", 
+        "log.level": "WARN", 
+        "message": "Deprecated field [template] used, replaced by [index_patterns]", 
+        "offset": 411, 
+        "prospector.type": "log", 
         "service.name": "elasticsearch"
     }
-]
+]