Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix filebeat elasticsearch module ingest timezone #13367

Merged
merged 6 commits into from
Sep 4, 2019
Merged

Fix filebeat elasticsearch module ingest timezone #13367

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
78c844f
Fix elasticsearch ingest timezone
pragkent Aug 28, 2019
f41c6ac
Move time parsing to specific format pipeline
pragkent Sep 3, 2019
01fe3b9
Fix changelog
jsoriano Sep 3, 2019
bae477f
Merge branch 'master' into fix-es-ingest-timezone
jsoriano Sep 3, 2019
61ea389
Remove unrelated changelog entry
jsoriano Sep 4, 2019
f991380
Merge branch 'master' into fix-es-ingest-timezone
jsoriano Sep 4, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion CHANGELOG.next.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,8 +139,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix filebeat autodiscover fileset hint for container input. {pull}13296[13296]
- Fix incorrect references to index patterns in AWS and CoreDNS dashboards. {pull}13303[13303]
- Fix timezone parsing of system module ingest pipelines. {pull}13308[13308]
- Fix timezone parsing of elasticsearch module ingest pipelines. {pull}13367[13367]
- Change iis url path grok pattern from URIPATH to NOTSPACE. {issue}12710[12710] {pull}13225[13225] {issue}7951[7951] {pull}13378[13378]
- Add timezone information to apache error fileset. {issue}12772[12772] {pull}13304[13304]
- Fix timezone parsing of nginx module ingest pipelines. {pull}13369[13369]
- Fix incorrect field references in envoyproxy dashboard {issue}13420[13420] {pull}13421[13421]

Expand Down Expand Up @@ -296,6 +296,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Update PAN-OS fileset to use the ECS NAT fields. {issue}13320[13320] {pull}13330[13330]
- Add fields to the Zeek DNS fileset for ECS DNS. {issue}13320[13320] {pull}13324[13324]
- Add container image in Kubernetes metadata {pull}13356[13356] {issue}12688[12688]
- Add timezone information to apache error fileset. {issue}12772[12772] {pull}13304[13304]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this line be removed from this PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, my fault, I did the merge, let me fix it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I see, I wanted to move the changelog entry 🙂

- Add module for ingesting Cisco FTD logs over syslog. {pull}13286[13286]

*Heartbeat*
Expand Down
10 changes: 10 additions & 0 deletions filebeat/module/elasticsearch/audit/ingest/pipeline-json.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,16 @@
"target_field": "log.level",
"ignore_missing": true
}
},
{
"date": {
"field": "elasticsearch.audit.@timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": true
}
}
],
"on_failure": [
Expand Down
22 changes: 22 additions & 0 deletions filebeat/module/elasticsearch/audit/ingest/pipeline-plaintext.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,28 @@
"field": "elasticsearch.audit.sub_action",
"ignore_missing": true
}
},
{
"date": {
"field": "elasticsearch.audit.@timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss,SSS"
],
"ignore_failure": true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that this processor and the next one are both acting on the same field, perhaps we could add a "if": "ctx.event.timezone == null" property to this processor for a bit of extra clarity?

Copy link
Contributor Author

@pragkent pragkent Sep 4, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's better to not add "if": "ctx.event.timezone == null", because:

  1. other modules don't have "if": "ctx.event.timezone == null" added, we'd better keep this convention
  2. in most cases, event.timezone was not set. without "if": "ctx.event.timezone == null" would make the second processor looks like a optional path instead of a alternative path

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think @ycombinator is right, we could add this if, as only one of the processors is needed.

  • other modules don't have "if": "ctx.event.timezone == null" added, we'd better keep this convention

In previous versions both processors were meant to be executed, one to parse the date, and the next one to apply the timezone. We (well, you @pragkent 🙂 ) found this approach is not correct in many cases, so now we are duplicating the date processor, first option only parses the date, and second option parses the date with a timezone if available.

  • in most cases, event.timezone was not set. without "if": "ctx.event.timezone == null" would make the second processor looks like a optional path instead of a alternative path

Actually we are setting event.timezone by default since ~7.2 in all filebeat events, so in most cases both date processors are executed even if only the last one is needed.

Said that, as we had it quite tested by both @pragkent and me, and it solves an existing issue, I'd go on with merging this change as is, and have a follow up PR to review the conditions in the pipelines we have recently changed to fix this same issue. This way we keep a common convention for this.

}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "elasticsearch.audit.@timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss,SSS"
],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
}
],
"on_failure": [
Expand Down
19 changes: 0 additions & 19 deletions filebeat/module/elasticsearch/audit/ingest/pipeline.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,25 +30,6 @@
"name": "{< IngestPipeline "pipeline-json" >}"
}
},
{
"date": {
"field": "elasticsearch.audit.@timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "elasticsearch.audit.@timestamp"
Expand Down
10 changes: 10 additions & 0 deletions filebeat/module/elasticsearch/deprecation/ingest/pipeline-json.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,16 @@
"field": "elasticsearch.deprecation.message",
"target_field": "message"
}
},
{
"date": {
"field": "elasticsearch.deprecation.timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": true
}
}
]
}
22 changes: 22 additions & 0 deletions filebeat/module/elasticsearch/deprecation/ingest/pipeline-plaintext.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,28 @@
"\\[%{TIMESTAMP_ISO8601:elasticsearch.deprecation.timestamp}\\]\\[%{LOGLEVEL:log.level}%{SPACE}*\\]\\[%{DATA:elasticsearch.component}%{SPACE}*\\] %{GREEDYMULTILINE:message}"
]
}
},
{
"date": {
"field": "elasticsearch.deprecation.timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss,SSS"
],
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "elasticsearch.deprecation.timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss,SSS"
],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
}
]
}
19 changes: 0 additions & 19 deletions filebeat/module/elasticsearch/deprecation/ingest/pipeline.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,25 +30,6 @@
"name": "{< IngestPipeline "pipeline-json" >}"
}
},
{
"date": {
"field": "elasticsearch.deprecation.timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "elasticsearch.deprecation.timestamp"
Expand Down
10 changes: 10 additions & 0 deletions filebeat/module/elasticsearch/server/ingest/pipeline-json.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,16 @@
"remove": {
"field": "elasticsearch.server.message"
}
},
{
"date": {
"field": "elasticsearch.server.timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": true
}
}
]
}
22 changes: 22 additions & 0 deletions filebeat/module/elasticsearch/server/ingest/pipeline-plaintext.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,28 @@
"%{LOG_HEADER}%{SPACE}((\\[%{INDEXNAME:elasticsearch.index.name}\\]|\\[%{INDEXNAME:elasticsearch.index.name}\\/%{DATA:elasticsearch.index.id}\\]))?%{SPACE}%{GREEDYMULTILINE:message}"
]
}
},
{
"date": {
"field": "elasticsearch.server.timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss,SSS"
],
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "elasticsearch.server.timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss,SSS"
],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
}
]
}
19 changes: 0 additions & 19 deletions filebeat/module/elasticsearch/server/ingest/pipeline.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,25 +54,6 @@
"ignore_missing": true
}
},
{
"date": {
"field": "elasticsearch.server.timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "elasticsearch.server.timestamp"
Expand Down
10 changes: 10 additions & 0 deletions filebeat/module/elasticsearch/slowlog/ingest/pipeline-json.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,16 @@
"remove": {
"field": "elasticsearch.slowlog.message"
}
},
{
"date": {
"field": "elasticsearch.slowlog.timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": true
}
}
]
}
22 changes: 22 additions & 0 deletions filebeat/module/elasticsearch/slowlog/ingest/pipeline-plaintext.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,28 @@
"separator": ",",
"ignore_missing": true
}
},
{
"date": {
"field": "elasticsearch.slowlog.timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss,SSS"
],
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "elasticsearch.slowlog.timestamp",
"target_field": "@timestamp",
"formats": [
"yyyy-MM-dd'T'HH:mm:ss,SSS"
],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
}
],
"on_failure": [
Expand Down
19 changes: 0 additions & 19 deletions filebeat/module/elasticsearch/slowlog/ingest/pipeline.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,25 +30,6 @@
"name": "{< IngestPipeline "pipeline-json" >}"
}
},
{
"date": {
"field": "elasticsearch.slowlog.timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "elasticsearch.slowlog.timestamp"
Expand Down