Add ingress nginx controller fileset (elastic#16197)
(cherry picked from commit 543a435)
ChrsMark committed Feb 12, 2020
1 parent 6a2e173 commit 82e5f02
Showing 15 changed files with 1,489 additions and 2 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -168,6 +168,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d


*Filebeat*

- Set event.outcome field based on googlecloud audit log output. {pull}15731[15731]
- Add dashboard for AWS ELB fileset. {pull}15804[15804]

- `container` and `docker` inputs now support reading of labels and env vars written by docker JSON file logging driver. {issue}8358[8358]
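Review bot: this first CHANGELOG hunk grows the file by two lines (`-168,6 +168,8`), yet none of the entries shown in it concerns the ingress controller fileset, and `Set event.outcome field based on googlecloud audit log output. {pull}15731[15731]` appears here and again in the following hunk. That pattern looks like cherry-pick conflict residue. Please drop the duplicated entry so that the changelog change in this backport is limited to the ingress controller line.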
Expand All @@ -188,6 +190,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Set event.outcome field based on googlecloud audit log output. {pull}15731[15731]
- Add dashboard for AWS vpcflow fileset. {pull}16007[16007]
- Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936]
- Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910]
- Add ingress nginx controller fileset {pull}16197[16197]
- move create-[module,fileset,fields] to mage and enable in x-pack/filebeat {pull}15836[15836]
- Add ECS tls and categorization fields to apache module. {issue}16032[16032] {pull}16121[16121]
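Review bot: on the `Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb` line of this hunk the pull macro reads `{pull}15935[15936]`, so the link target and its label disagree; one of the two numbers is wrong and should be corrected if this line is among the additions. The hunk also grows by two lines (`-188,6 +190,8`) while only `Add ingress nginx controller fileset {pull}16197[16197]` belongs to this change, so please confirm what the second added line is.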

298 changes: 298 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -20122,6 +20122,304 @@ alias to: message
--
[float]
=== ingress_controller
Contains fields for the Ingress Nginx controller access logs.
*`nginx.ingress_controller.remote_ip_list`*::
+
--
An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.
type: array
--
*`nginx.ingress_controller.http.request.length`*::
+
--
The request length (including request line, header, and request body)
type: long
format: bytes
--
*`nginx.ingress_controller.http.request.time`*::
+
--
Time elapsed since the first bytes were read from the client
type: double
format: duration
--
*`nginx.ingress_controller.upstream.name`*::
+
--
The name of the upstream.
type: text
--
*`nginx.ingress_controller.upstream.alternative_name`*::
+
--
The name of the alternative upstream.
type: text
--
*`nginx.ingress_controller.upstream.response.length`*::
+
--
The length of the response obtained from the upstream server
type: long
format: bytes
--
*`nginx.ingress_controller.upstream.response.time`*::
+
--
The time spent on receiving the response from the upstream server as seconds with millisecond resolution
type: double
format: duration
--
*`nginx.ingress_controller.upstream.response.status_code`*::
+
--
The status code of the response obtained from the upstream server
type: long
--
*`nginx.ingress_controller.http.request.id`*::
+
--
The randomly generated ID of the request
type: text
--
*`nginx.ingress_controller.upstream.ip`*::
+
--
The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas.
type: ip
--
*`nginx.ingress_controller.upstream.port`*::
+
--
The port of the upstream server.
type: long
--
*`nginx.ingress_controller.body_sent.bytes`*::
+
--
type: alias
alias to: http.response.body.bytes
--
*`nginx.ingress_controller.user_name`*::
+
--
type: alias
alias to: user.name
--
*`nginx.ingress_controller.method`*::
+
--
type: alias
alias to: http.request.method
--
*`nginx.ingress_controller.url`*::
+
--
type: alias
alias to: url.original
--
*`nginx.ingress_controller.http_version`*::
+
--
type: alias
alias to: http.version
--
*`nginx.ingress_controller.response_code`*::
+
--
type: alias
alias to: http.response.status_code
--
*`nginx.ingress_controller.referrer`*::
+
--
type: alias
alias to: http.request.referrer
--
*`nginx.ingress_controller.agent`*::
+
--
type: alias
alias to: user_agent.original
--
*`nginx.ingress_controller.user_agent.device`*::
+
--
type: alias
alias to: user_agent.device.name
--
*`nginx.ingress_controller.user_agent.name`*::
+
--
type: alias
alias to: user_agent.name
--
*`nginx.ingress_controller.user_agent.os`*::
+
--
type: alias
alias to: user_agent.os.full_name
--
*`nginx.ingress_controller.user_agent.os_name`*::
+
--
type: alias
alias to: user_agent.os.name
--
*`nginx.ingress_controller.user_agent.original`*::
+
--
type: alias
alias to: user_agent.original
--
*`nginx.ingress_controller.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`nginx.ingress_controller.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`nginx.ingress_controller.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`nginx.ingress_controller.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`nginx.ingress_controller.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`nginx.ingress_controller.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
[[exported-fields-osquery]]
== Osquery fields
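Review bot: `nginx.ingress_controller.upstream.ip` is declared `type: ip`, but its description says that when several servers were contacted "their addresses are separated by commas"; a comma-joined string is not a valid value for an `ip` field, so the description should either say that the value is split into an array before indexing or the type should change. The same question applies to `upstream.port` and `upstream.response.status_code` (both `long`) when more than one upstream is involved. Separately, `remote_ip_list` states that the "Real source IP is restored to `source.ip`" from a list that can include `X-Forwarded-For` values. That header is client-supplied, and `source.ip` feeds the `source.geo.*` fields aliased further down, so the description should say which element of the list is selected. Finally, `http.request.id` and `upstream.name` are `type: text`; `keyword` would suit exact-match lookups and aggregations on these values better.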
8 changes: 8 additions & 0 deletions filebeat/filebeat.reference.yml
Expand Up @@ -304,6 +304,14 @@ filebeat.modules:
# can be added under this section.
#input:

# Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
#ingress_controller:
# enabled: false
#
# # Set custom paths for the log files. If left empty,
# # Filebeat will choose the paths depending on your OS.
# #var.paths:

#------------------------------- Osquery Module -------------------------------
- module: osquery
result:
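Review bot: the `#var.paths:` comment added here says "If left empty, Filebeat will choose the paths depending on your OS", while the line introducing `#ingress_controller:` says the fileset is meant for Kubernetes environments. The hunk does not say what the default path is in that case, so a user who only flips `enabled` cannot tell from the reference config whether anything will be collected. Suggest stating the default path or noting that `var.paths` must point at the ingress controller's container log files. The introductory comment is also a single long line without a closing period, unlike the wrapped comments around it.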
2 changes: 1 addition & 1 deletion filebeat/fileset/modules_test.go
Expand Up @@ -56,7 +56,7 @@ func TestNewModuleRegistry(t *testing.T) {

expectedModules := map[string][]string{
"auditd": {"log"},
"nginx": {"access", "error"},
"nginx": {"access", "error", "ingress_controller"},
"mysql": {"slowlog", "error"},
"system": {"syslog", "auth"},
}
8 changes: 8 additions & 0 deletions filebeat/module/nginx/_meta/config.reference.yml
Expand Up @@ -22,3 +22,11 @@
# Input configuration (advanced). Any input configuration option
# can be added under this section.
#input:

# Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
#ingress_controller:
# enabled: false
#
# # Set custom paths for the log files. If left empty,
# # Filebeat will choose the paths depending on your OS.
# #var.paths:
8 changes: 8 additions & 0 deletions filebeat/module/nginx/_meta/config.yml
Expand Up @@ -14,3 +14,11 @@
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

# Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
ingress_controller:
enabled: false

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
2 changes: 1 addition & 1 deletion filebeat/module/nginx/fields.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
