diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index df70909ba92..f997f507de3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -20,6 +20,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Socket dataset: Exclude localhost by default {pull}11993[11993] *Filebeat* + - Modify apache/error dataset to follow ECS. {pull}8963[8963] - Rename many `traefik.access.*` fields to map to ECS. {pull}9005[9005] - Fix parsing of GC entries in elasticsearch server log. {issue}9513[9513] {pull}9810[9810] @@ -176,6 +177,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add apache2(httpd) log path (`/var/log/httpd`) to make apache2 module work out of the box on Redhat-family OSes. {issue}11887[11887] {pull}11888[11888] - Add support to new MongoDB additional diagnostic information {pull}11952[11952] - New module `palo_alto` for Palo Alto Networks PAN-OS logs. {pull}11999[11999] +- Add RabbitMQ module. {pull}12032[12032] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 24454b2f0f3..472d9817b34 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -43,6 +43,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -12195,6 +12196,37 @@ alias to: process.executable -- +[[exported-fields-rabbitmq]] +== RabbitMQ fields + +RabbitMQ Module + + + +[float] +== rabbitmq fields + + + + +[float] +== log fields + +RabbitMQ log files + + + +*`rabbitmq.log.pid`*:: ++ +-- +type: keyword + +example: <0.222.0> + +The Erlang process id + +-- + [[exported-fields-redis]] == Redis fields diff --git a/filebeat/docs/include/var-convert-timezone.asciidoc b/filebeat/docs/include/var-convert-timezone.asciidoc index 52c71d84406..dcec579e260 100644 --- a/filebeat/docs/include/var-convert-timezone.asciidoc +++ b/filebeat/docs/include/var-convert-timezone.asciidoc 
@@ -5,4 +5,6 @@ parsing time to convert the timestamp to UTC. The local timezone is also added in each event in a dedicated field (`beat.timezone`). The conversion is only possible in Elasticsearch >= 6.1. If the Elasticsearch version is less than 6.1, the `beat.timezone` field is added, but the conversion to UTC is not made. The -default is `false`. +default is +ifdef::default_convert_timezone[`true`] +ifndef::default_convert_timezone[`false`] diff --git a/filebeat/docs/modules/rabbitmq.asciidoc b/filebeat/docs/modules/rabbitmq.asciidoc new file mode 100644 index 00000000000..89a54775c23 --- /dev/null +++ b/filebeat/docs/modules/rabbitmq.asciidoc 
@@ -0,0 +1,72 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-rabbitmq]] +:modulename: rabbitmq +:has-dashboards: false + +== RabbitMQ module + +This is the module for parsing https://www.rabbitmq.com/logging.html[RabbitMQ log files] + +include::../include/what-happens.asciidoc[] + +[float] +=== Compatibility + +Parses https://www.rabbitmq.com/logging.html[single file format] introduced in 3.7.0. + +Tested with version 3.7.14. + +include::../include/running-modules.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +The following example shows how to set paths in the +modules.d/{modulename}.yml+ +file to override the default paths for RabbitMQ logs: + + +["source","yaml",subs="attributes"] +----- +- module: rabbitmq + log: + enabled: true + var.paths: ["/path/to/log/rabbitmq/*.log*"] +----- + + +To specify the same settings at the command line, you use: + +["source","sh",subs="attributes"] +----- +-M "rabbitmq.log.var.paths=[/path/to/log/rabbitmq/*.log*]" +----- + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +include::../include/var-paths.asciidoc[] + +:default_convert_timezone: true + +include::../include/var-convert-timezone.asciidoc[] + +:has-dashboards!: + +:fileset_ex!: +:default_convert_timezone!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 470f06d5a2b..461df2631f9 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -24,6 +24,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> 
@@ -56,6 +57,7 @@ include::modules/nginx.asciidoc[] include::modules/osquery.asciidoc[] include::modules/palo_alto.asciidoc[] include::modules/postgresql.asciidoc[] +include::modules/rabbitmq.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] include::modules/suricata.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 05b7cee914e..8b33b9351ec 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -429,6 +429,19 @@ filebeat.modules: # can be added under this section. #input: +#------------------------------- RabbitMQ Module ------------------------------- +#- module: rabbitmq + # All logs + #log: + #enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] + + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false + #-------------------------------- Redis Module -------------------------------- #- module: redis # Main logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 3eac6f89214..3265bfe6f8f 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -15,6 +15,7 @@ import ( _ "github.com/elastic/beats/x-pack/filebeat/module/iptables" _ "github.com/elastic/beats/x-pack/filebeat/module/netflow" _ "github.com/elastic/beats/x-pack/filebeat/module/palo_alto" + _ "github.com/elastic/beats/x-pack/filebeat/module/rabbitmq" _ "github.com/elastic/beats/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/x-pack/filebeat/module/zeek" ) diff --git a/x-pack/filebeat/module/rabbitmq/_meta/config.yml b/x-pack/filebeat/module/rabbitmq/_meta/config.yml new file mode 100644 index 00000000000..a11ac6ad620 --- /dev/null +++ b/x-pack/filebeat/module/rabbitmq/_meta/config.yml 
@@ -0,0 +1,11 @@
+#- module: rabbitmq
+ # All logs
+ #log:
+ #enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"]
+
+ # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+ #var.convert_timezone: false
diff --git a/x-pack/filebeat/module/rabbitmq/_meta/docs.asciidoc b/x-pack/filebeat/module/rabbitmq/_meta/docs.asciidoc
new file mode 100644
index 00000000000..21497b1c28d
--- /dev/null
+++ b/x-pack/filebeat/module/rabbitmq/_meta/docs.asciidoc
@@ -0,0 +1,59 @@
+:modulename: rabbitmq
+:has-dashboards: false
+
+== RabbitMQ module
+
+This is the module for parsing https://www.rabbitmq.com/logging.html[RabbitMQ log files]
+
+include::../include/what-happens.asciidoc[]
+
+[float]
+=== Compatibility
+
+Parses https://www.rabbitmq.com/logging.html[single file format] introduced in 3.7.0.
+
+Tested with version 3.7.14.
+
+include::../include/running-modules.asciidoc[]
+
+include::../include/configuring-intro.asciidoc[]
+
+The following example shows how to set paths in the +modules.d/{modulename}.yml+
+file to override the default paths for RabbitMQ logs:
+
+
+["source","yaml",subs="attributes"]
+-----
+- module: rabbitmq
+ log:
+ enabled: true
+ var.paths: ["/path/to/log/rabbitmq/*.log*"]
+-----
+
+
+To specify the same settings at the command line, you use:
+
+["source","sh",subs="attributes"]
+-----
+-M "rabbitmq.log.var.paths=[/path/to/log/rabbitmq/*.log*]"
+-----
+
+:fileset_ex: log
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `log` fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+:default_convert_timezone: true
+
+include::../include/var-convert-timezone.asciidoc[]
+
+:has-dashboards!:
+
+:fileset_ex!:
+:default_convert_timezone!:
+
+:modulename!:
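Review bot: The commented sample `#var.convert_timezone: false` in `_meta/config.yml` does not show the module's default, because `log/manifest.yml` in this same commit sets `convert_timezone` to `default: true` and the docs set `:default_convert_timezone: true`. Someone who uncomments the block as written turns the UTC conversion off without meaning to, which skews event times for any host not running in UTC. I would make the sample reflect the default, `#var.convert_timezone: true`, and say so in the comment: `# Convert the timestamp to UTC (enabled by default). Requires Elasticsearch >= 6.1.` The same two lines appear in the filebeat.reference.yml hunk and in modules.d/rabbitmq.yml.disabled, which look like copies of this file.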
diff --git a/x-pack/filebeat/module/rabbitmq/_meta/fields.yml b/x-pack/filebeat/module/rabbitmq/_meta/fields.yml new file mode 100644 index 00000000000..af823334ce0 --- /dev/null +++ b/x-pack/filebeat/module/rabbitmq/_meta/fields.yml @@ -0,0 +1,9 @@ +- key: rabbitmq + title: "RabbitMQ" + description: > + RabbitMQ Module + fields: + - name: rabbitmq + type: group + description: > + fields: diff --git a/x-pack/filebeat/module/rabbitmq/fields.go b/x-pack/filebeat/module/rabbitmq/fields.go new file mode 100644 index 00000000000..d1f37b31ba7 --- /dev/null +++ b/x-pack/filebeat/module/rabbitmq/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package rabbitmq + +import ( + "github.com/elastic/beats/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "rabbitmq", asset.ModuleFieldsPri, AssetRabbitmq); err != nil { + panic(err) + } +} + +// AssetRabbitmq returns asset data. +// This is the base64 encoded gzipped contents of module/rabbitmq. +func AssetRabbitmq() string { + return "eJx0kMFuhSAURPd8xcS9xrgkjbsuXbTpD6BcKRGFAqb17xttNeLz3eWc5Mzk5hho4fCibXUcvxgQdTTEkb1vUfOWMUBS6Lx2UduJo2YAsGM0Vs6GGNBrMjLwjeaYxEiJd724OOJQ3s7uP7kxp6azzVh1ZHeyp8K/OyYbq9BrQ+GEr53nXqdlku/dAy3f1l9ZsuDjk/DqjZgUnLcdhYAHGf2I0a0/fymLqqqKsma/AQAA///y5GyB" +} diff --git a/x-pack/filebeat/module/rabbitmq/log/_meta/fields.yml b/x-pack/filebeat/module/rabbitmq/log/_meta/fields.yml new file mode 100644 index 00000000000..ba6eb546629 --- /dev/null +++ b/x-pack/filebeat/module/rabbitmq/log/_meta/fields.yml @@ -0,0 +1,9 @@ +- name: log + type: group + description: > + RabbitMQ log files + fields: + - name: pid + type: keyword + description: The Erlang process id + example: <0.222.0> 
diff --git a/x-pack/filebeat/module/rabbitmq/log/config/log.yml b/x-pack/filebeat/module/rabbitmq/log/config/log.yml
new file mode 100644
index 00000000000..c25012ab315
--- /dev/null
+++ b/x-pack/filebeat/module/rabbitmq/log/config/log.yml
@@ -0,0 +1,19 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+# If the line doesn't start with a timestamp, consider it a continuation of the previous line
+# From https://www.elastic.co/guide/en/beats/filebeat/current/_examples_of_multiline_configuration.html#_timestamps
+# ideally, this would be the same pattern (`DATESTAMP`) used in `processors.grok.patterns`
+multiline:
+ pattern: '[0-9]{4}-[0-9]{2}-[0-9]{2}'
+ negate: true
+ match: after
+
+processors:
+{{ if .convert_timezone }}
+ - add_locale: ~
+{{ end }}
\ No newline at end of file
diff --git a/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml b/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
new file mode 100644
index 00000000000..a69e4bd831d
--- /dev/null
+++ b/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
@@ -0,0 +1,28 @@
+---
+description: Pipeline for parsing RabbitMQ logs
+processors:
+- grok:
+ field: message
+ pattern_definitions:
+ GREEDYMULTILINE: "(.|\n)*"
+ ERL_PID: "\\<%{INT}+\\.%{INT}+\\.%{INT}+\\>"
+ patterns:
+ - "%{DATESTAMP:timestamp} \\[%{WORD:log.level}\\] %{ERL_PID:rabbitmq.log.pid}
+ %{GREEDYMULTILINE:message}"
+ ignore_missing: true
+- date:
+ field: timestamp
+ target_field: "@timestamp"
+ formats:
+ - yy-MM-dd HH:mm:ss.SSS
+ ignore_failure: true
+ #{< if .convert_timezone >}
+ timezone: "{{ event.timezone }}"
+ #{< end >}
+- remove:
+ field:
+ - timestamp
+on_failure:
+- set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
\ No newline at end of file
diff --git a/x-pack/filebeat/module/rabbitmq/log/manifest.yml b/x-pack/filebeat/module/rabbitmq/log/manifest.yml
new file mode 100644
index 00000000000..da9f7d150b9
--- /dev/null
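Review bot: The `multiline.pattern` in log/config/log.yml, `'[0-9]{4}-[0-9]{2}-[0-9]{2}'`, is not anchored, although the comment above it says a line is a continuation when it does not start with a timestamp. As far as I know Filebeat matches multiline patterns anywhere in the line, so a continuation line that merely contains a date would open a new event, and the remainder would reach the grok pipeline without a leading timestamp. Anchoring it matches the stated intent: `pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'`. The sample log shows client-influenced strings (user and vhost names) in message bodies, so event boundaries should not depend on message content.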
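Review bot: In log/ingest/pipeline.yml, `ignore_failure: true` on the `date` processor means a timestamp that fails to parse is lost silently. The pipeline-level `on_failure` never records it, the following `remove` deletes the raw `timestamp`, and the event keeps whatever `@timestamp` it arrived with (presumably Filebeat's read time). For logs that feed incident timelines, that is hard to notice afterwards. I would drop `ignore_failure: true` so the failure lands in `error.message`, or keep the raw `timestamp` field when parsing fails. Separately, the format `yy-MM-dd HH:mm:ss.SSS` uses a two-letter year while the sample log lines carry four-digit years; `- yyyy-MM-dd HH:mm:ss.SSS` states the intent, and whether `yy` accepts four digits may depend on the Elasticsearch date parser in use.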
+++ b/x-pack/filebeat/module/rabbitmq/log/manifest.yml
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - ${RABBITMQ_LOGS:/var/log/rabbitmq/rabbit@localhost.log*}
+ os.darwin:
+ - ${RABBITMQ_LOGS:/usr/local/var/log/rabbitmq/rabbit@localhost.log*}
+ os.windows:
+ #- '%APPDATA%\RabbitMQ\log\rabbit@localhost.log*'
+ - name: convert_timezone
+ default: true
+ # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+ # pipeline
+ min_elasticsearch_version:
+ version: 6.1.0
+ value: false
+ingest_pipeline: ingest/pipeline.yml
+input: config/log.yml
diff --git a/x-pack/filebeat/module/rabbitmq/log/test/test.log b/x-pack/filebeat/module/rabbitmq/log/test/test.log
new file mode 100644
index 00000000000..91a0d3a63e4
--- /dev/null
+++ b/x-pack/filebeat/module/rabbitmq/log/test/test.log
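Review bot: `os.windows:` under the `paths` variable has no active entry, because its only item is commented out. On Windows the variable therefore presumably resolves to an empty value instead of falling back to `default`, and the fileset would collect nothing without any warning. Either give it a working path, or remove the `os.windows` key and state the gap in a comment such as `# No default on Windows: set var.paths explicitly.` The defaults also hard-code the node name (`rabbit@localhost.log*`), so a broker running under a different node name is not picked up by default. A comment noting that would help anyone relying on this module for log coverage.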
@@ -0,0 +1,78 @@ +2019-04-03 11:13:15.076 [info] <0.8.0> Log file opened with Lager +2019-04-03 11:13:15.510 [info] <0.222.0> + Starting RabbitMQ 3.7.14 on Erlang 21.3.2 + Copyright (C) 2007-2019 Pivotal Software, Inc. + Licensed under the MPL. See https://www.rabbitmq.com/ +2019-04-03 11:13:15.512 [info] <0.222.0> + node : rabbit@localhost + home dir : /Users/jfsiii + config file(s) : (none) + cookie hash : 1FLKC2GJUcbFjO6klcgs8Q== + log(s) : /usr/local/var/log/rabbitmq/rabbit@localhost.log + : /usr/local/var/log/rabbitmq/rabbit@localhost_upgrade.log + database dir : /usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost +2019-04-12 10:00:53.458 [info] <0.1398.0> RabbitMQ is asked to stop... +2019-04-12 10:00:53.550 [info] <0.1398.0> Stopping RabbitMQ applications and their dependencies in the following order: + rabbitmq_management + rabbitmq_stomp + rabbitmq_amqp1_0 + rabbitmq_mqtt + amqp_client + rabbitmq_web_dispatch + cowboy + cowlib + rabbitmq_management_agent + rabbit + mnesia + rabbit_common + sysmon_handler + os_mon + amqp10_common +2019-04-12 10:00:53.550 [info] <0.1398.0> Stopping application 'rabbitmq_management' +2019-04-12 10:00:54.553 [warning] <0.490.0> RabbitMQ HTTP listener registry could not find context rabbitmq_management_tls +2019-04-12 10:00:54.555 [info] <0.43.0> Application rabbitmq_management exited with reason: stopped +2019-04-12 10:00:54.567 [info] <0.1398.0> Stopping application 'rabbit' +2019-04-12 10:00:54.567 [info] <0.286.0> Peer discovery backend rabbit_peer_discovery_classic_config does not support registration, skipping unregistration. 
+2019-04-12 10:00:54.568 [info] <0.419.0> stopped TCP listener on 127.0.0.1:5672 +2019-04-12 10:00:54.569 [info] <0.324.0> Closing all connections in vhost '/' on node 'rabbit@localhost' because the vhost is stopping +2019-04-12 10:00:54.579 [info] <0.374.0> Stopping message store for directory '/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent' +2019-04-12 10:00:54.588 [info] <0.374.0> Message store for directory '/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent' is stopped +2019-04-12 10:00:54.589 [info] <0.371.0> Stopping message store for directory '/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L/msg_store_transient' +2019-04-12 10:00:54.598 [info] <0.371.0> Message store for directory '/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L/msg_store_transient' is stopped +2019-04-12 10:00:54.606 [info] <0.43.0> Application rabbit exited with reason: stopped +2019-04-12 10:00:54.615 [info] <0.1398.0> Successfully stopped RabbitMQ and its dependencies +2019-04-12 10:00:54.615 [info] <0.1398.0> Halting Erlang VM with the following applications: + ranch + ssl + public_key + sasl + inets + asn1 + crypto + jsx + xmerl + recon + lager + goldrush + compiler + syntax_tools + stdlib + kernel +2019-04-12 10:01:01.031 [info] <0.8.0> Server startup complete; 6 plugins started. 
+ * rabbitmq_stomp + * rabbitmq_management + * rabbitmq_web_dispatch + * rabbitmq_amqp1_0 + * rabbitmq_mqtt + * rabbitmq_management_agent +2019-04-12 10:11:15.094 [info] <0.1345.0> accepting AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672) +2019-04-12 10:11:15.101 [info] <0.1345.0> connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672): user 'guest' authenticated and granted access to vhost '/' +2019-04-12 10:19:14.450 [error] <0.1345.0> Error on AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672, vhost: '/', user: 'guest', state: running), channel 0: + operation none caused a connection exception connection_forced: [240,159,145, + 139,240,159, + 143,190,240, + 159,144,135, + 240,159,164, + 163] +2019-04-12 10:19:14.450 [info] <0.1902.0> Closing connection <0.1345.0> because <<240,159,145,139,240,159,143,190,240,159,144,135,240,159,164,163>> +2019-04-12 10:19:14.451 [info] <0.1345.0> closing AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672, vhost: '/', user: 'guest') diff --git a/x-pack/filebeat/module/rabbitmq/log/test/test.log-expected.json b/x-pack/filebeat/module/rabbitmq/log/test/test.log-expected.json new file mode 100644 index 00000000000..01bb39566ef --- /dev/null +++ b/x-pack/filebeat/module/rabbitmq/log/test/test.log-expected.json 
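Review bot: The startup banner in this fixture looks like it was captured from a developer machine: it contains `home dir : /Users/jfsiii` and `cookie hash : 1FLKC2GJUcbFjO6klcgs8Q==`, and both are repeated in the `message` value in test.log-expected.json. The cookie hash is derived from the Erlang cookie, the shared secret used for inter-node authentication, so a real one should not be published in a test file. Replace both with constructed values of the same length so the `log.offset` values in the expected JSON stay valid, e.g. `home dir : /Users/rabbit`. The module docs could also mention that this banner, cookie hash included, is shipped verbatim in `message` on every broker start, so operators can decide whether to drop or mask it.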
@@ -0,0 +1,370 @@ +[ + { + "@timestamp": "2019-04-03T11:13:15.076Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 0, + "message": "Log file opened with Lager", + "rabbitmq.log.pid": "<0.8.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-03T11:13:15.510Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.level": "info", + "log.offset": 66, + "message": "\n Starting RabbitMQ 3.7.14 on Erlang 21.3.2\n Copyright (C) 2007-2019 Pivotal Software, Inc.\n Licensed under the MPL. See https://www.rabbitmq.com/", + "rabbitmq.log.pid": "<0.222.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-03T11:13:15.512Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.level": "info", + "log.offset": 255, + "message": " \n node : rabbit@localhost\n home dir : /Users/jfsiii\n config file(s) : (none)\n cookie hash : 1FLKC2GJUcbFjO6klcgs8Q==\n log(s) : /usr/local/var/log/rabbitmq/rabbit@localhost.log\n : /usr/local/var/log/rabbitmq/rabbit@localhost_upgrade.log\n database dir : /usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost", + "rabbitmq.log.pid": "<0.222.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:53.458Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 645, + "message": "RabbitMQ is asked to stop...", + "rabbitmq.log.pid": "<0.1398.0>", + "service.type": "rabbitmq" + }, + { + 
"@timestamp": "2019-04-12T10:00:53.550Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.level": "info", + "log.offset": 716, + "message": "Stopping RabbitMQ applications and their dependencies in the following order:\n rabbitmq_management\n rabbitmq_stomp\n rabbitmq_amqp1_0\n rabbitmq_mqtt\n amqp_client\n rabbitmq_web_dispatch\n cowboy\n cowlib\n rabbitmq_management_agent\n rabbit\n mnesia\n rabbit_common\n sysmon_handler\n os_mon\n amqp10_common", + "rabbitmq.log.pid": "<0.1398.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:53.550Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 1100, + "message": "Stopping application 'rabbitmq_management'", + "rabbitmq.log.pid": "<0.1398.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.553Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "warning", + "log.offset": 1185, + "message": "RabbitMQ HTTP listener registry could not find context rabbitmq_management_tls", + "rabbitmq.log.pid": "<0.490.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.555Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 1308, + "message": "Application rabbitmq_management exited with reason: stopped", + "rabbitmq.log.pid": "<0.43.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.567Z", + "ecs.version": "1.0.0", + 
"event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 1408, + "message": "Stopping application 'rabbit'", + "rabbitmq.log.pid": "<0.1398.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.567Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 1480, + "message": "Peer discovery backend rabbit_peer_discovery_classic_config does not support registration, skipping unregistration.", + "rabbitmq.log.pid": "<0.286.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.568Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 1637, + "message": "stopped TCP listener on 127.0.0.1:5672", + "rabbitmq.log.pid": "<0.419.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.569Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 1717, + "message": "Closing all connections in vhost '/' on node 'rabbit@localhost' because the vhost is stopping", + "rabbitmq.log.pid": "<0.324.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.579Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 1852, + "message": "Stopping message store for directory 
'/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent'", + "rabbitmq.log.pid": "<0.374.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.588Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 2049, + "message": "Message store for directory '/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent' is stopped", + "rabbitmq.log.pid": "<0.374.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.589Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 2248, + "message": "Stopping message store for directory '/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L/msg_store_transient'", + "rabbitmq.log.pid": "<0.371.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.598Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 2444, + "message": "Message store for directory '/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L/msg_store_transient' is stopped", + "rabbitmq.log.pid": "<0.371.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.606Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 2642, + "message": "Application rabbit 
exited with reason: stopped", + "rabbitmq.log.pid": "<0.43.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.615Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 2729, + "message": "Successfully stopped RabbitMQ and its dependencies", + "rabbitmq.log.pid": "<0.1398.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:00:54.615Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.level": "info", + "log.offset": 2822, + "message": "Halting Erlang VM with the following applications:\n ranch\n ssl\n public_key\n sasl\n inets\n asn1\n crypto\n jsx\n xmerl\n recon\n lager\n goldrush\n compiler\n syntax_tools\n stdlib\n kernel", + "rabbitmq.log.pid": "<0.1398.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:01:01.031Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.level": "info", + "log.offset": 3090, + "message": "Server startup complete; 6 plugins started.\n * rabbitmq_stomp\n * rabbitmq_management\n * rabbitmq_web_dispatch\n * rabbitmq_amqp1_0\n * rabbitmq_mqtt\n * rabbitmq_management_agent", + "rabbitmq.log.pid": "<0.8.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:11:15.094Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 3305, + "message": "accepting AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672)", + 
"rabbitmq.log.pid": "<0.1345.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:11:15.101Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 3420, + "message": "connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672): user 'guest' authenticated and granted access to vhost '/'", + "rabbitmq.log.pid": "<0.1345.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:19:14.450Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.level": "error", + "log.offset": 3580, + "message": "Error on AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672, vhost: '/', user: 'guest', state: running), channel 0:\n operation none caused a connection exception connection_forced: [240,159,145,\n 139,240,159,\n 143,190,240,\n 159,144,135,\n 240,159,164,\n 163]", + "rabbitmq.log.pid": "<0.1345.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:19:14.450Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 4211, + "message": "Closing connection <0.1345.0> because <<240,159,145,139,240,159,143,190,240,159,144,135,240,159,164,163>>", + "rabbitmq.log.pid": "<0.1902.0>", + "service.type": "rabbitmq" + }, + { + "@timestamp": "2019-04-12T10:19:14.451Z", + "ecs.version": "1.0.0", + "event.dataset": "rabbitmq.log", + "event.module": "rabbitmq", + "event.timezone": "+00:00", + "fileset.name": "log", + "input.type": "log", + "log.level": "info", + "log.offset": 4359, + "message": "closing AMQP connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672, 
vhost: '/', user: 'guest')", + "rabbitmq.log.pid": "<0.1345.0>", + "service.type": "rabbitmq" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled new file mode 100644 index 00000000000..eac820cd390 --- /dev/null +++ b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled @@ -0,0 +1,14 @@ +# Module: rabbitmq +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-rabbitmq.html + +#- module: rabbitmq + # All logs + #log: + #enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] + + # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1. + #var.convert_timezone: false