Convert Filebeat mysql.* to ECS (#10008)

- Convert many fields under `mysql.*` to ECS. Previous field names are field aliases towards the new corresponding ECS field: - mysql.error.message => message - mysql.error.level => log.level - mysql.error.thread_id => process.thread.id - mysql.slowlog.ip => source.ip - mysql.slowlog.host => source.domain - mysql.slowlog.user => user.name - Add expected test file to test changes to error logs - Coerce int fields: process.thread.id, mysql.slowlog.id, mysql.slowlog.rows_sent, mysql.slowlog.rows_examined and mysql.slowlog.timestamp - Coerce float fields: mysql.slowlog.query_time.sec, mysql.slowlog.lock_time.sec - Set event.created with the `@timestamp` from Filebeat - Change username in test file from 'apphost' to 'appuser', to make it easier to distinguish them in the expected file - Populate event.duration based on mysql.slowlog.query_time.sec - Get rid of a workaround for Ingest Node that was fixed in 5.0
elastic · Jan 11, 2019 · 383ccce · 383ccce
1 parent f384ba3
commit 383ccce
Show file tree

Hide file tree

Showing 12 changed files with 299 additions and 109 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -29,6 +29,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Rename many `traefik.access.*` fields to map to ECS. {pull}9005[9005]
 - Fix parsing of GC entries in elasticsearch server log. {issue}9513[9513] {pull}9810[9810]
 - Rename a few `logstash.*` fields to map to ECS, remove logstash.slowlog.message. {pull}9935[9935]
+- Rename a few `mysql.*` fields to map to ECS. {pull}10008[10008]
 - Rename a few `nginx.error.*` fields to map to ECS. {pull}10007[10007]
 
 *Heartbeat*

diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
@@ -466,6 +466,32 @@
   to: message
   alias: true
 
+## MySQL module
+
+- from: mysql.error.message
+  to: message
+  alias: true
+
+- from: mysql.error.level
+  to: log.level
+  alias: true
+
+- from: mysql.error.thread_id
+  to: process.thread.id
+  alias: true
+
+- from: mysql.slowlog.ip
+  to: source.ip
+  alias: true
+
+- from: mysql.slowlog.host
+  to: source.domain
+  alias: true
+
+- from: mysql.slowlog.user
+  to: user.name
+  alias: true
+
 ## NGINX module
 
 - from: nginx.access.user_name

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -6339,29 +6339,27 @@ The timestamp from the log line.
 *`mysql.error.thread_id`*::
 +
 --
-type: long
-
-As of MySQL 5.7.2, this is the thread id. For MySQL versions prior to 5.7.2, this field contains the process id.
+type: alias
 
+alias to: process.thread.id
 
 --
 
 *`mysql.error.level`*::
 +
 --
-example: Warning
+type: alias
 
-The log level.
+alias to: log.level
 
 --
 
 *`mysql.error.message`*::
 +
 --
-type: text
-
-The logged message.
+type: alias
 
+alias to: message
 
 --
 
@@ -6372,30 +6370,6 @@ Contains fields from the MySQL slow logs.
 
 
 
-*`mysql.slowlog.user`*::
-+
---
-The MySQL user that created the query.
-
-
---
-
-*`mysql.slowlog.host`*::
-+
---
-The host from where the user that created the query logged in.
-
-
---
-
-*`mysql.slowlog.ip`*::
-+
---
-The IP address from where the user that created the query logged in.
-
-
---
-
 *`mysql.slowlog.query_time.sec`*::
 +
 --
@@ -6462,6 +6436,33 @@ type: long
 The connection ID for the query.
 
 
+--
+
+*`mysql.slowlog.user`*::
++
+--
+type: alias
+
+alias to: user.name
+
+--
+
+*`mysql.slowlog.host`*::
++
+--
+type: alias
+
+alias to: source.domain
+
+--
+
+*`mysql.slowlog.ip`*::
++
+--
+type: alias
+
+alias to: source.ip
+
 --
 
 [[exported-fields-netflow]]

diff --git a/filebeat/module/mysql/error/_meta/fields.yml b/filebeat/module/mysql/error/_meta/fields.yml
@@ -6,16 +6,16 @@
     - name: timestamp
       description: >
         The timestamp from the log line.
+
     - name: thread_id
-      type: long
-      description: >
-        As of MySQL 5.7.2, this is the thread id. For MySQL versions prior to 5.7.2, this
-        field contains the process id.
+      type: alias
+      path: process.thread.id
+      migration: true
     - name: level
-      example: "Warning"
-      description:
-        The log level.
+      type: alias
+      path: log.level
+      migration: true
     - name: message
-      type: text
-      description: >
-        The logged message.
+      type: alias
+      path: message
+      migration: true
diff --git a/filebeat/module/mysql/error/ingest/pipeline.json b/filebeat/module/mysql/error/ingest/pipeline.json
@@ -1,35 +1,23 @@
 {
-  "description": "Pipeline for parsing MySQL error logs. It currently uses message1 and message2 to workaround bug https://github.com/elastic/elasticsearch/issues/22117",
+  "description": "Pipeline for parsing MySQL error logs",
   "processors": [{
     "grok": {
         "field": "message",
         "patterns": [
-          "%{LOCALDATETIME:mysql.error.timestamp} (\\[%{DATA:mysql.error.level}\\] )?%{GREEDYDATA:mysql.error.message}",
-          "%{DATA:mysql.error.timestamp} %{NUMBER:mysql.error.thread_id} \\[%{DATA:mysql.error.level}\\] %{GREEDYDATA:mysql.error.message1}",
-          "%{GREEDYDATA:mysql.error.message2}"
+          "%{LOCALDATETIME:mysql.error.timestamp} (\\[%{DATA:log.level}\\] )?%{GREEDYDATA:message}",
+          "%{DATA:mysql.error.timestamp} %{NUMBER:process.thread.id:long} \\[%{DATA:log.level}\\] %{GREEDYDATA:message}",
+          "%{GREEDYDATA:message}"
         ],
         "ignore_missing": true,
         "pattern_definitions": {
-          "LOCALDATETIME": "[0-9]+ %{TIME}",
-          "GREEDYDATA1": ".*"
+          "LOCALDATETIME": "[0-9]+ %{TIME}"
         }
       }
     }, {
-      "remove": {
-        "field": "message"
-      }
-    }, {
-      "rename": {
-        "field": "mysql.error.message1",
-        "target_field": "mysql.error.message",
-        "ignore_failure": true
-      }
-    }, {
-      "rename": {
-        "field": "mysql.error.message2",
-        "target_field": "mysql.error.message",
-        "ignore_failure": true
-      }
+        "rename": {
+            "field": "@timestamp",
+            "target_field": "event.created"
+        }
     }, {
       "date": {
         "field": "mysql.error.timestamp",

diff --git a/filebeat/module/mysql/error/test/error.log b/filebeat/module/mysql/error/test/error.log
@@ -0,0 +1,12 @@
+161209 13:08:33 mysqld_safe Starting mysqld daemon with databases from /usr/local/var/mysql
+2016-12-09T12:08:33.335060Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
+2016-12-09T12:08:33.335892Z 0 [Warning] Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.
+2016-12-09T12:08:33.336610Z 0 [Note] /usr/local/Cellar/mysql/5.7.10/bin/mysqld (mysqld 5.7.10) starting as process 61571 ...
+2016-12-09T12:08:33.345527Z 0 [Warning] Setting lower_case_table_names=2 because file system for /usr/local/var/mysql/ is case insensitive
+2016-12-09T12:08:33.351596Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
+2016-12-09T12:08:33.784722Z 0 [Note] /usr/local/Cellar/mysql/5.7.10/bin/mysqld: ready for connections.
+Version: '5.7.10'  socket: '/tmp/mysql.sock'  port: 3306  Homebrew
+2016-12-09T22:21:02.443689Z 0 [Note] InnoDB: page_cleaner: 1000ms intended loop took 772568ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)
+161209 14:18:50 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
+161209 14:18:50 [Note] Plugin 'FEDERATED' is disabled.
+161209 14:18:50 InnoDB: The InnoDB memory heap is disabled
diff --git a/filebeat/module/mysql/error/test/error.log-expected.json b/filebeat/module/mysql/error/test/error.log-expected.json
@@ -0,0 +1,148 @@
+[
+    {
+        "@timestamp": "2016-12-09T13:08:33.000Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.offset": 0,
+        "message": "mysqld_safe Starting mysqld daemon with databases from /usr/local/var/mysql",
+        "mysql.error.timestamp": "161209 13:08:33"
+    },
+    {
+        "@timestamp": "2016-12-09T12:08:33.335Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Warning",
+        "log.offset": 92,
+        "message": "TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).",
+        "mysql.error.timestamp": "2016-12-09T12:08:33.335060Z",
+        "process.thread.id": 0
+    },
+    {
+        "@timestamp": "2016-12-09T12:08:33.335Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Warning",
+        "log.offset": 282,
+        "message": "Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.",
+        "mysql.error.timestamp": "2016-12-09T12:08:33.335892Z",
+        "process.thread.id": 0
+    },
+    {
+        "@timestamp": "2016-12-09T12:08:33.336Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Note",
+        "log.offset": 478,
+        "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld (mysqld 5.7.10) starting as process 61571 ...",
+        "mysql.error.timestamp": "2016-12-09T12:08:33.336610Z",
+        "process.thread.id": 0
+    },
+    {
+        "@timestamp": "2016-12-09T12:08:33.345Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Warning",
+        "log.offset": 603,
+        "message": "Setting lower_case_table_names=2 because file system for /usr/local/var/mysql/ is case insensitive",
+        "mysql.error.timestamp": "2016-12-09T12:08:33.345527Z",
+        "process.thread.id": 0
+    },
+    {
+        "@timestamp": "2016-12-09T12:08:33.351Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Note",
+        "log.offset": 742,
+        "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins",
+        "mysql.error.timestamp": "2016-12-09T12:08:33.351596Z",
+        "process.thread.id": 0
+    },
+    {
+        "@timestamp": "2016-12-09T12:08:33.784Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Note",
+        "log.offset": 832,
+        "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld: ready for connections.",
+        "mysql.error.timestamp": "2016-12-09T12:08:33.784722Z",
+        "process.thread.id": 0
+    },
+    {
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.offset": 935,
+        "message": "Version: '5.7.10'  socket: '/tmp/mysql.sock'  port: 3306  Homebrew"
+    },
+    {
+        "@timestamp": "2016-12-09T22:21:02.443Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Note",
+        "log.offset": 1002,
+        "message": "InnoDB: page_cleaner: 1000ms intended loop took 772568ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)",
+        "mysql.error.timestamp": "2016-12-09T22:21:02.443689Z",
+        "process.thread.id": 0
+    },
+    {
+        "@timestamp": "2016-12-09T14:18:50.000Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Warning",
+        "log.offset": 1176,
+        "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.",
+        "mysql.error.timestamp": "161209 14:18:50"
+    },
+    {
+        "@timestamp": "2016-12-09T14:18:50.000Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.level": "Note",
+        "log.offset": 1367,
+        "message": "Plugin 'FEDERATED' is disabled.",
+        "mysql.error.timestamp": "161209 14:18:50"
+    },
+    {
+        "@timestamp": "2016-12-09T14:18:50.000Z",
+        "ecs.version": "1.0.0-beta2",
+        "event.dataset": "mysql.error",
+        "event.module": "mysql",
+        "fileset.name": "error",
+        "input.type": "log",
+        "log.offset": 1422,
+        "message": "InnoDB: The InnoDB memory heap is disabled",
+        "mysql.error.timestamp": "161209 14:18:50"
+    }
+]
diff --git a/filebeat/module/mysql/fields.go b/filebeat/module/mysql/fields.go