Convert Filebeat postgresql.log to ECS (#9308)
- Map Postgresql module fields to ECS:
  - postgresql.log.level => log.level
  - postgresql.log.user => user.name
  - postgresql.log.thread_id => process.pid
  - postgresql.log.timezone => event.timezone
  - postgresql.log.message => message
- Coerce to int: pid, core_id
- Coerce duration to float
- Populate `event.duration` (ns) based on `postgresql.log.duration` (ms)
webmat authored Dec 20, 2018
1 parent cccf44c commit e2287ec
Showing 8 changed files with 224 additions and 194 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Expand Up @@ -181,6 +181,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha1...v7.0.0-alpha2[Check the
- Use `log.source.address` instead of `log.source.ip` for network input sources. {pull}9487[9487]
- Rename many `redis.log.*` fields to map to ECS. {pull}9315[9315]
- Rename many `icinga.*` fields to map to ECS. {pull}9294[9294]
- Rename many `postgresql.log.*` fields to map to ECS. {pull}9303[9303]
*Metricbeat*
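Review bot: The added changelog entry links `{pull}9303[9303]`, while the commit title for this change references #9308. Confirm which pull request number is correct and make the link match, otherwise the release notes send readers to a different change.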
22 changes: 22 additions & 0 deletions dev-tools/ecs-migration.yml
Expand Up @@ -434,6 +434,28 @@
to: user_agent.original
alias: true

## PostgreSQL module

- from: postgresql.log.timezone
to: event.timezone
alias: true

- from: postgresql.log.thread_id
to: process.pid
alias: true

- from: postgresql.log.user
to: user.name
alias: true

- from: postgresql.log.level
to: log.level
alias: true

- from: postgresql.log.message
to: message
alias: true

## Redis module

- from: redis.log.pid
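Review bot: All five PostgreSQL entries are `alias: true`, and the impact on existing consumers is not documented anywhere in this change. Elasticsearch field aliases resolve in queries and aggregations but do not appear in `_source`, so anything that reads `postgresql.log.user` or `postgresql.log.level` out of the stored document (alert templates, export scripts, downstream parsers) will find the field gone and needs to switch to `user.name` and `log.level`. A sentence to that effect next to the changelog entry would help people who maintain detections on these logs.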
57 changes: 28 additions & 29 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -9892,88 +9892,87 @@ The timestamp from the log line.
--
*`postgresql.log.timezone`*::
*`postgresql.log.core_id`*::
+
--
The timezone of timestamp.
type: long
Core id
--
*`postgresql.log.thread_id`*::
*`postgresql.log.database`*::
+
--
type: long
Process id
example: mydb
Name of database
--
*`postgresql.log.core_id`*::
*`postgresql.log.duration`*::
+
--
type: long
type: float
Core id
example: 30.0
Duration of a query.
--
*`postgresql.log.user`*::
*`postgresql.log.query`*::
+
--
example: admin
example: SELECT * FROM users;
Name of user
Query statement.
--
*`postgresql.log.database`*::
*`postgresql.log.timezone`*::
+
--
example: mydb
type: alias
Name of database
alias to: event.timezone
--
*`postgresql.log.level`*::
*`postgresql.log.thread_id`*::
+
--
example: FATAL
type: alias
The log level.
alias to: process.pid
--
*`postgresql.log.duration`*::
*`postgresql.log.user`*::
+
--
type: float
example: 30.0
type: alias
Duration of a query.
alias to: user.name
--
*`postgresql.log.query`*::
*`postgresql.log.level`*::
+
--
example: SELECT * FROM users;
type: alias
Query statement.
alias to: log.level
--
*`postgresql.log.message`*::
+
--
type: text
The logged message.
type: alias
alias to: message
--
2 changes: 1 addition & 1 deletion filebeat/module/postgresql/fields.go

Some generated files are not rendered by default.

38 changes: 20 additions & 18 deletions filebeat/module/postgresql/log/_meta/fields.yml
Expand Up @@ -6,29 +6,14 @@
- name: timestamp
description: >
The timestamp from the log line.
- name: timezone
description: >
The timezone of timestamp.
- name: thread_id
type: long
description: >
Process id
- name: core_id
type: long
description: >
Core id
- name: user
example: "admin"
description:
Name of user
- name: database
example: "mydb"
description:
Name of database
- name: level
example: "FATAL"
description:
The log level.
- name: duration
type: float
example: "30.0"
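Review bot: `duration` stays under `postgresql.log` as `type: float`, but its description (rendered as "Duration of a query." in fields.asciidoc) does not state a unit. Since the pipeline now also writes `event.duration` in nanoseconds from this value, the description should say the field is in milliseconds so the two are not mistaken for each other in queries and dashboards.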
Expand All @@ -38,7 +23,24 @@
example: "SELECT * FROM users;"
description:
Query statement.

- name: timezone
type: alias
path: event.timezone
migration: true
- name: thread_id
type: alias
path: process.pid
migration: true
- name: user
type: alias
path: user.name
migration: true
- name: level
type: alias
path: log.level
migration: true
- name: message
type: text
description: >
The logged message.
type: alias
path: message
migration: true
10 changes: 9 additions & 1 deletion filebeat/module/postgresql/log/ingest/pipeline.json
Expand Up @@ -6,7 +6,7 @@
"field": "message",
"ignore_missing": true,
"patterns": [
"^%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timezone} \\[%{NUMBER:postgresql.log.thread_id}(-%{BASE16FLOAT:postgresql.log.core_id})?\\] ((\\[%{USERNAME:postgresql.log.user}\\]@\\[%{POSTGRESQL_DB_NAME:postgresql.log.database}\\]|%{USERNAME:postgresql.log.user}@%{POSTGRESQL_DB_NAME:postgresql.log.database}) )?%{WORD:postgresql.log.level}: (duration: %{NUMBER:postgresql.log.duration} ms statement: %{GREEDYDATA:postgresql.log.query}|%{GREEDYDATA:postgresql.log.message})"
"^%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:event.timezone} \\[%{NUMBER:process.pid:long}(-%{BASE16FLOAT:postgresql.log.core_id:long})?\\] ((\\[%{USERNAME:user.name}\\]@\\[%{POSTGRESQL_DB_NAME:postgresql.log.database}\\]|%{USERNAME:user.name}@%{POSTGRESQL_DB_NAME:postgresql.log.database}) )?%{WORD:log.level}: (duration: %{NUMBER:postgresql.log.duration:float} ms statement: %{GREEDYDATA:postgresql.log.query}|%{GREEDYDATA:message})"
],
"pattern_definitions": {
"LOCALDATETIME": "[-0-9]+ %{TIME}",
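Review bot: In the new pattern, `%{BASE16FLOAT:postgresql.log.core_id:long}` pairs a pattern that accepts hexadecimal and fractional forms with a `long` conversion, and `%{NUMBER:process.pid:long}` similarly accepts a decimal point. A capture that matches the pattern but is not an integer literal would fail the conversion and fail the whole grok processor, so the line would lose `user.name` and `log.level` as well. Both fields are documented as `long`, so an integer-only pattern such as `POSINT` for both captures would keep the match and the conversion in agreement.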
Expand All @@ -24,6 +24,14 @@
],
"ignore_failure": true
}
},
{
"script": {
"lang": "painless",
"source": "ctx.event.duration = Math.round(ctx.postgresql.log.duration * params.scale)",
"params": { "scale": 1000000 },
"if": "ctx.postgresql.log.containsKey('duration')"
}
}
],
"on_failure": [
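Review bot: The `if` condition on the new script processor, `ctx.postgresql.log.containsKey('duration')`, dereferences `ctx.postgresql` without checking that it exists. The grok processor above sets `ignore_missing: true`, so a document without `message` skips grok and reaches this processor with no `postgresql` object, and the condition then throws instead of evaluating to false. A null-safe form such as `ctx.postgresql?.log?.duration != null` avoids sending those events through `on_failure`. A test log line without a duration would also be worth adding to cover the skip path.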