Add fileset for AWS ELB logs #14020

Merged: 13 commits merged into elastic:master from the filebeat-aws-elb branch on Oct 15, 2019

Conversation

jsoriano
Member

@jsoriano jsoriano commented Oct 11, 2019

Add fileset for AWS ELB logs that uses the S3 input to
collect ELB access logs.

It supports the three kinds of Load Balancers offered by
AWS: ELB, Application LB and Network LB.

Includes Terraform configuration to deploy example
scenarios.

TCP logs are only tested with examples from the
documentation, I didn't manage to collect logs using
the Terraform scenario.

Fixes #12893

@jsoriano jsoriano added the labels "in progress" (Pull request is currently in progress.), "module", "Filebeat", "[zube]: In Progress" and "Team:Integrations" (Label for the Integrations team) on Oct 11, 2019
@jsoriano jsoriano self-assigned this Oct 11, 2019
@jsoriano jsoriano force-pushed the filebeat-aws-elb branch 3 times, most recently from 9e6439e to 8c4eac5 on October 11, 2019 16:29
@jsoriano
Member Author

This fileset will need gzip support in the s3 input, in progress in #13980

@jsoriano jsoriano added the "test-plan" label (Add this PR to be manual test plan) on Oct 14, 2019
@jsoriano jsoriano marked this pull request as ready for review October 14, 2019 18:22
@jsoriano jsoriano requested a review from a team as a code owner October 14, 2019 18:22
@jsoriano jsoriano added the "[zube]: In Review", "review" and "v7.5.0" labels and removed the "[zube]: In Progress" and "in progress" (Pull request is currently in progress.) labels on Oct 14, 2019
@jsoriano jsoriano force-pushed the filebeat-aws-elb branch 2 times, most recently from cfa8bc1 to a2336f9 on October 15, 2019 08:43
@jsoriano
Member Author

Failure in Jenkins is not related. @kaiyan-sheng would you like to take another look before merging?

@kaiyan-sheng
Contributor

@jsoriano LGTM, one thing I found after finally getting some logs from ALB:

{
  "_index": "filebeat-8.0.0-2019.10.15-000001",
  "_type": "_doc",
  "_id": "1ee1b4d775-000000000626",
  "_version": 1,
  "_score": null,
  "_source": {
    "container": {
      "id": "elasticloadbalancing"
    },
    "agent": {
      "hostname": "KaiyanMacBookPro",
      "id": "7578d49c-6588-4843-85cc-ad3859f99ed1",
      "type": "filebeat",
      "ephemeral_id": "2e0a020c-0362-4b23-a1ce-be6263a5186b",
      "version": "8.0.0"
    },
    "log": {
      "file.path": "https://test-alb-log-s3.s3-us-east-1.amazonaws.com/AWSLogs/627959692251/elasticloadbalancing/us-east-1/2019/10/15/627959692251_elasticloadbalancing_us-east-1_app.andrewvc-elbv2-test.8e858b04373118d3_20191015T1405Z_3.224.132.43_39xza92o.log.gz",
      "offset": 626
    },
    "fileset": {
      "name": "elb"
    },
    "message": "http 2019-10-15T14:01:24.711297Z app/andrewvc-elbv2-test/8e858b04373118d3 89.248.169.17:52370 - -1 -1 -1 400 - 0 0 \"- http://andrewvc-elbv2-test-1670032515.us-east-1.elb.amazonaws.com:80- -\" \"-\" - - - \"-\" \"-\" \"-\" - 2019-10-15T14:01:24.611000Z \"-\" \"-\" \"-\"\n",
    "error": {
      "message": "Provided Grok expressions do not match field value: [http 2019-10-15T14:01:24.711297Z app/andrewvc-elbv2-test/8e858b04373118d3 89.248.169.17:52370 - -1 -1 -1 400 - 0 0 \\\"- http://andrewvc-elbv2-test-1670032515.us-east-1.elb.amazonaws.com:80- -\\\" \\\"-\\\" - - - \\\"-\\\" \\\"-\\\" \\\"-\\\" - 2019-10-15T14:01:24.611000Z \\\"-\\\" \\\"-\\\" \\\"-\\\"\\n]"
    },
    "cloud": {
      "provider": "aws",
      "region": "us-east-1"
    },
    "input": {
      "type": "s3"
    },
    "@timestamp": "2019-10-15T14:05:50.756Z",
    "ecs": {
      "version": "1.1.0"
    },
    "service": {
      "type": "aws"
    },
    "host": {
      "hostname": "KaiyanMacBookPro",
      "os": {
        "build": "17G7024",
        "kernel": "17.7.0",
        "name": "Mac OS X",
        "family": "darwin",
        "version": "10.13.6",
        "platform": "darwin"
      },
      "name": "KaiyanMacBookPro",
      "id": "9C7FAB7B-29D1-5926-8E84-158A9CA3E25D",
      "architecture": "x86_64"
    },
    "aws": {
      "s3": {
        "bucket": {
          "name": "test-alb-log-s3",
          "arn": "arn:aws:s3:::test-alb-log-s3"
        },
        "object.key": "AWSLogs/627959692251/elasticloadbalancing/us-east-1/2019/10/15/627959692251_elasticloadbalancing_us-east-1_app.andrewvc-elbv2-test.8e858b04373118d3_20191015T1405Z_3.224.132.43_39xza92o.log.gz"
      }
    },
    "event": {
      "module": "aws",
      "dataset": "aws.elb"
    }
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2019-10-15T14:05:50.756Z"
    ],
    "@timestamp": [
      "2019-10-15T14:05:50.756Z"
    ]
  },
  "sort": [
    1571148350756
  ]
}

This can be fixed in a separate PR. The rest of the logs got parsed just fine besides this one special case.
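The entry above fails the fileset's grok pattern because its quoted request field holds "-" placeholders for the method and HTTP version instead of the "METHOD URL VERSION" the pattern expects, and the load balancer itself answered 400 without a target. As an added example that is not code from this PR or from Filebeat, the Python parser below tokenises an ALB access-log line while honouring the quoted fields and maps every "-" to None, so such load-balancer-rejected requests are kept rather than dropped; the field names and the `lb_rejected` helper are my own, laid out after the entry quoted in the comment.

```python
import shlex
from typing import Any, Optional

# Field order of an ALB access-log entry, laid out after the entry quoted in
# the comment above (any newer trailing AWS fields are kept verbatim in `extra`).
ALB_FIELDS = [
    "type", "time", "elb", "client", "target",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
]

# The entry from the comment above that the fileset's grok pattern rejected:
# no method or HTTP version in the request field, and a 400 issued by the ALB itself.
REJECTED_LINE = (
    'http 2019-10-15T14:01:24.711297Z app/andrewvc-elbv2-test/8e858b04373118d3 '
    '89.248.169.17:52370 - -1 -1 -1 400 - 0 0 '
    '"- http://andrewvc-elbv2-test-1670032515.us-east-1.elb.amazonaws.com:80- -" '
    '"-" - - - "-" "-" "-" - 2019-10-15T14:01:24.611000Z "-" "-" "-"'
)

def _opt(value: str, conv=str) -> Optional[Any]:
    """AWS writes '-' for an absent value; map it to None instead of failing."""
    return None if value == "-" else conv(value)

def parse_request(field: str) -> dict:
    """Split the quoted 'METHOD URL VERSION' field, tolerating '-' placeholders."""
    method, url, version = (field.split(" ") + ["-"] * 3)[:3]
    return {"method": _opt(method), "url": _opt(url), "http_version": _opt(version)}

def parse_alb_line(line: str) -> dict:
    """Parse one ALB access-log line into a dict; a '-' never causes a drop."""
    tokens = shlex.split(line.strip())  # splits on spaces but keeps quoted fields whole
    if len(tokens) < len(ALB_FIELDS):
        raise ValueError(f"expected at least {len(ALB_FIELDS)} fields, got {len(tokens)}")
    rec: dict = dict(zip(ALB_FIELDS, tokens))
    rec["extra"] = tokens[len(ALB_FIELDS):]
    for k in ("request_processing_time", "target_processing_time", "response_processing_time"):
        rec[k] = _opt(rec[k], float)  # -1 means the request never reached a target
    for k in ("elb_status_code", "target_status_code", "received_bytes", "sent_bytes"):
        rec[k] = _opt(rec[k], int)
    rec["target"] = _opt(rec["target"])
    rec["request"] = parse_request(rec["request"])
    return rec

def lb_rejected(rec: dict) -> bool:
    """True when the load balancer answered on its own: no target and a 4xx/5xx code."""
    return rec["target"] is None and (rec["elb_status_code"] or 0) >= 400
```

Lines flagged by `lb_rejected` are the ones a grok failure would silently discard, and they are worth keeping visible: they show requests the ALB refused before any backend saw them.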

@jsoriano
Member Author

Failing test is not related, merging.

@jsoriano jsoriano merged commit 1ba36b1 into elastic:master Oct 15, 2019
@jsoriano jsoriano deleted the filebeat-aws-elb branch October 15, 2019 17:01
@kaiyan-sheng
Contributor

Do we have any plans to add a dashboard for elb logs?

@jsoriano
Member Author

> Do we have any plans to add a dashboard for elb logs?

Yes, and I also want to investigate why TCP load balancers don't log anything on the Terraform scenario.

@tbragin
Contributor

tbragin commented Nov 16, 2019

@jsoriano I'm writing the 7.5 release blog - have we added a dashboard for ELB logs in 7.5?

@jsoriano
Member Author

@tbragin no, there is no dashboard yet

Labels: Filebeat, module, review, Team:Integrations (Label for the Integrations team), test-plan (Add this PR to be manual test plan), v7.5.0
Successfully merging this pull request may close these issues: ELB Filebeat Module