From 4228d657dfb012b879b5c7cac199c1fb9d17c816 Mon Sep 17 00:00:00 2001 From: sayden Date: Tue, 25 Sep 2018 11:14:58 +0200 Subject: [PATCH 1/5] Default format added --- filebeat/docs/fields.asciidoc | 67 ++++++++ filebeat/include/fields.go | 2 +- filebeat/module/haproxy/_meta/fields.yml | 11 +- filebeat/module/haproxy/log/_meta/fields.yml | 20 ++- .../module/haproxy/log/ingest/pipeline.json | 114 ++++++++------ filebeat/module/haproxy/log/test/default.log | 1 + .../log/test/default.log-expected.json | 20 +++ metricbeat/my_metricbeat.yml | 148 ++++++++++++++++++ 8 files changed, 328 insertions(+), 55 deletions(-) create mode 100644 filebeat/module/haproxy/log/test/default.log create mode 100644 filebeat/module/haproxy/log/test/default.log-expected.json create mode 100644 metricbeat/my_metricbeat.yml diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 9b4eaf628a6..add1fe44af5 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -3233,6 +3233,22 @@ haproxy Module +*`haproxy.destination_port`*:: ++ +-- +type: long + +Port of the destination host + +-- + +*`haproxy.destination_ip`*:: ++ +-- +IP of the destination host + +-- + *`haproxy.process_name`*:: + -- @@ -3571,6 +3587,57 @@ raw_request_line is the complete HTTP request line, including the method, reques -- +[float] +== default fields + +Default HAProxy log format + + +*`haproxy.default.facility`*:: ++ +-- +type: text + +One of the 24 standard syslog facilities. Refer to https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.1 for more information + +-- + +*`haproxy.default.priority`*:: ++ +-- +type: long + +Self descriptive + +-- + +*`haproxy.default.frontend_name`*:: ++ +-- +type: text + +Name of the frontend (or listener) which received and processed the connection + +-- + +*`haproxy.default.mode`*:: ++ +-- +type: text + +The mode the frontend is operating (TCP or HTTP) + +-- + +*`haproxy.default.logsource`*:: ++ +-- +type: text + +The HAProxy source of the log + +-- + [[exported-fields-host-processor]] == Host fields diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index bedd2cfc9a7..7189b7246f0 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -31,5 +31,5 @@ func init() { // Asset returns asset data func Asset() string { - return "" + return "" } diff --git a/filebeat/module/haproxy/_meta/fields.yml b/filebeat/module/haproxy/_meta/fields.yml index 29c9eeb03f0..985f313c51e 100644 --- a/filebeat/module/haproxy/_meta/fields.yml +++ b/filebeat/module/haproxy/_meta/fields.yml @@ -7,6 +7,14 @@ type: group description: > fields: + + - name: destination_port + description: Port of the destination host + type: long + + - name: destination_ip + description: IP of the destination host + - name: process_name description: Name of the process @@ -123,5 +131,4 @@ - name: retries description: retries is the number of connection retries experienced by this session when trying to connect to the server. type: long - - + \ No newline at end of file diff --git a/filebeat/module/haproxy/log/_meta/fields.yml b/filebeat/module/haproxy/log/_meta/fields.yml index 630075299b4..6da7ada0ffc 100644 --- a/filebeat/module/haproxy/log/_meta/fields.yml +++ b/filebeat/module/haproxy/log/_meta/fields.yml @@ -40,5 +40,23 @@ description: raw_request_line is the complete HTTP request line, including the method, request and HTTP version string. type: text - +- name: default + description: Default HAProxy log format + type: group + fields: + - name: facility + type: text + description: One of the 24 standard syslog facilities. Refer to https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.1 for more information + - name: priority + type: long + description: Self descriptive + - name: frontend_name + type: text + description: Name of the frontend (or listener) which received and processed the connection + - name: mode + type: text + description: The mode the frontend is operating (TCP or HTTP) + - name: logsource + type: text + description: The HAProxy source of the log diff --git a/filebeat/module/haproxy/log/ingest/pipeline.json b/filebeat/module/haproxy/log/ingest/pipeline.json index 8b1807edded..5411d300245 100644 --- a/filebeat/module/haproxy/log/ingest/pipeline.json +++ b/filebeat/module/haproxy/log/ingest/pipeline.json @@ -1,52 +1,64 @@ { - "description": "Pipeline for parsing HAProxy http logs in their default format. Requires the geoip plugin.", - "processors": [{ - "grok": { - "field": "message", - "patterns": [ - "(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.http.request_date}\\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} %{NUMBER:haproxy.time_client_req:int}/%{NUMBER:haproxy.time_queue:int}/%{NUMBER:haproxy.time_backend_connect:int}/%{NUMBER:haproxy.time_server_response:int}/%{NUMBER:haproxy.time_duration:int} %{NUMBER:haproxy.http.response.status_code:int} %{NUMBER:haproxy.http.response.bytes_read:int} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} %{NUMBER:haproxy.connections.active:int}/%{NUMBER:haproxy.connections.frontend:int}/%{NUMBER:haproxy.connections.backend:int}/%{NUMBER:haproxy.connections.server:int}/%{NUMBER:haproxy.connections.retries:int} %{NUMBER:haproxy.server_queue:int}/%{NUMBER:haproxy.backend_queue:int} \\{%{DATA:haproxy.http.request.captured_headers}\\} \\{%{DATA:haproxy.http.response.captured_headers}\\} \"%{GREEDYDATA:haproxy.http.request.raw_request_line}\"", - "(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.http.request_date}\\] %{NOTSPACE:haproxy.frontend_name}/%{NOTSPACE:haproxy.bind_name} %{GREEDYDATA:haproxy.error_message}" - ], - "ignore_missing": false - } - }, - { - "date": { - "field": "haproxy.http.request_date", - "target_field": "@timestamp", - "formats": ["dd/MMM/yyyy:HH:mm:ss.SSS"] - } - }, - { - "remove": { - "field": "haproxy.http.request_date" - } - }, - { - "geoip": { - "field": "haproxy.client_ip", - "target_field": "haproxy.geoip" - } - }, - { - "split": { - "field": "haproxy.http.request.captured_headers", - "separator": "\\|", - "ignore_failure": true - } - }, - { - "split": { - "field": "haproxy.http.response.captured_headers", - "separator": "\\|", - "ignore_failure": true - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} + "description": "Pipeline for parsing HAProxy http logs in their default format. Requires the geoip plugin.", + "processors": [ + { + "grok": { + "field": "message", + "patterns": [ + "%{HAPROXY_DATE:haproxy.request_date} (?:%{\\<%{NONNEGINT:haproxy.default.facility}.%{NONNEGINT:haproxy.default.priority}\\>} )?%{IPORHOST:haproxy.default.logsource} %{PROG:haproxy.process_name}(?:\\[%{POSINT:haproxy.pid}\\])?: %{GREEDYDATA} %{IPORHOST:haproxy.client_ip}:%{POSINT:haproxy.client_port} %{WORD} %{IPORHOST:haproxy.destination_ip}:%{POSINT:haproxy.destination_port} \\(%{WORD:haproxy.frontend_name}/%{WORD:haproxy.default.mode}\\)", + + "(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.request_date}\\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} %{NUMBER:haproxy.time_client_req:int}/%{NUMBER:haproxy.time_queue:int}/%{NUMBER:haproxy.time_backend_connect:int}/%{NUMBER:haproxy.time_server_response:int}/%{NUMBER:haproxy.time_duration:int} %{NUMBER:haproxy.http.response.status_code:int} %{NUMBER:haproxy.http.response.bytes_read:int} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} %{NUMBER:haproxy.connections.active:int}/%{NUMBER:haproxy.connections.frontend:int}/%{NUMBER:haproxy.connections.backend:int}/%{NUMBER:haproxy.connections.server:int}/%{NUMBER:haproxy.connections.retries:int} %{NUMBER:haproxy.server_queue:int}/%{NUMBER:haproxy.backend_queue:int} \\{%{DATA:haproxy.http.request.captured_headers}\\} \\{%{DATA:haproxy.http.response.captured_headers}\\} \"%{GREEDYDATA:haproxy.http.request.raw_request_line}\"", + + "(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.request_date}\\] %{NOTSPACE:haproxy.frontend_name}/%{NOTSPACE:haproxy.bind_name} %{GREEDYDATA:haproxy.error_message}" + ], + "ignore_missing": false, + "pattern_definitions": { + "HAPROXY_DATE": "(%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP}" + } + } + }, + { + "date": { + "field": "haproxy.request_date", + "target_field": "@timestamp", + "formats": [ + "dd/MMM/yyyy:HH:mm:ss.SSS", + "MMM dd HH:mm:ss" + ] + } + }, + { + "remove": { + "field": "haproxy.request_date" + } + }, + { + "geoip": { + "field": "haproxy.client_ip", + "target_field": "haproxy.geoip" + } + }, + { + "split": { + "field": "haproxy.http.request.captured_headers", + "separator": "\\|", + "ignore_failure": true + } + }, + { + "split": { + "field": "haproxy.http.response.captured_headers", + "separator": "\\|", + "ignore_failure": true + } + } + ], + "on_failure": [ + { + "set": { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}" + } + } + ] +} \ No newline at end of file diff --git a/filebeat/module/haproxy/log/test/default.log b/filebeat/module/haproxy/log/test/default.log new file mode 100644 index 00000000000..0f55f4c31b9 --- /dev/null +++ b/filebeat/module/haproxy/log/test/default.log @@ -0,0 +1 @@ +Sep 20 15:42:59 127.0.0.1 haproxy[24551]: Connect from 127.0.0.1:40780 to 127.0.0.1:5000 (main/HTTP) diff --git a/filebeat/module/haproxy/log/test/default.log-expected.json b/filebeat/module/haproxy/log/test/default.log-expected.json new file mode 100644 index 00000000000..83db2952c50 --- /dev/null +++ b/filebeat/module/haproxy/log/test/default.log-expected.json @@ -0,0 +1,20 @@ +[ + { + "@timestamp": "2018-09-20T15:42:59.000Z", + "fileset.module": "haproxy", + "fileset.name": "log", + "haproxy.client_ip": "127.0.0.1", + "haproxy.client_port": "40780", + "haproxy.default.logsource": "127.0.0.1", + "haproxy.default.mode": "HTTP", + "haproxy.destination_ip": "127.0.0.1", + "haproxy.destination_port": "5000", + "haproxy.frontend_name": "main", + "haproxy.pid": "24551", + "haproxy.process_name": "haproxy", + "input.type": "log", + "message": "Sep 20 15:42:59 127.0.0.1 haproxy[24551]: Connect from 127.0.0.1:40780 to 127.0.0.1:5000 (main/HTTP)", + "offset": 0, + "prospector.type": "log" + } +] \ No newline at end of file diff --git a/metricbeat/my_metricbeat.yml b/metricbeat/my_metricbeat.yml new file mode 100644 index 00000000000..99e92142415 --- /dev/null +++ b/metricbeat/my_metricbeat.yml @@ -0,0 +1,148 @@ +###################### Metricbeat Configuration Example ####################### + +# This file is an example configuration file highlighting only the most common +# options. The metricbeat.reference.yml file from the same directory contains all the +# supported options with more comments. You can use it as a reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/metricbeat/index.html + +#========================== Modules configuration ============================ + +metricbeat.config.modules: + # Glob pattern for configuration loading + path: ${path.config}/modules.d/*.yml + + # Set to true to enable config reloading + reload.enabled: false + + # Period on which files under path should be checked for changes + #reload.period: 10s + +#==================== Elasticsearch template setting ========================== + +setup.template.settings: + index.number_of_shards: 1 + index.codec: best_compression + #_source.enabled: false + +#================================ General ===================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + + +#============================== Dashboards ===================================== +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards is disabled by default and can be enabled either by setting the +# options here, or by using the `-setup` CLI flag or the `setup` command. +setup.dashboards.enabled: true +setup.dashboards.directory: ./_meta/kibana + +# The URL from where to download the dashboards archive. By default this URL +# has a value which is computed based on the Beat name and version. For released +# versions, this URL points to the dashboard archive on the artifacts.elastic.co +# website. +#setup.dashboards.url: + +#============================== Kibana ===================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +#============================= Elastic Cloud ================================== + +# These settings simplify using metricbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +#================================ Outputs ===================================== + +# Configure what output to use when sending the data collected by the beat. + +#-------------------------- Elasticsearch output ------------------------------ +output.elasticsearch: + # Array of hosts to connect to. + hosts: ["localhost:9200"] + + # Optional protocol and basic auth credentials. + #protocol: "https" + #username: "elastic" + #password: "changeme" + +#----------------------------- Logstash output -------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +#================================ Logging ===================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publish", "service". +#logging.selectors: ["*"] + +#============================== Xpack Monitoring =============================== +# metricbeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +xpack.monitoring.enabled: true + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. Any setting that is not set is +# automatically inherited from the Elasticsearch output configuration, so if you +# have the Elasticsearch output configured, you can simply uncomment the +# following line. +#xpack.monitoring.elasticsearch: +# Module: system +# Docs: https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-module-system.html + +metricbeat.modules: +- module: system + metricsets: [core] + core.metrics: [percentages, ticks] \ No newline at end of file From 93e18f8010d9c6b4c6ea3ef3b2197e19a6d7cc76 Mon Sep 17 00:00:00 2001 From: sayden Date: Wed, 17 Oct 2018 19:40:35 +0200 Subject: [PATCH 2/5] Use of a non local ip to trigger the geo_ip plugin --- filebeat/module/haproxy/log/test/default.log | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/module/haproxy/log/test/default.log b/filebeat/module/haproxy/log/test/default.log index 0f55f4c31b9..7931d2387e2 100644 --- a/filebeat/module/haproxy/log/test/default.log +++ b/filebeat/module/haproxy/log/test/default.log @@ -1 +1 @@ -Sep 20 15:42:59 127.0.0.1 haproxy[24551]: Connect from 127.0.0.1:40780 to 127.0.0.1:5000 (main/HTTP) +Sep 20 15:42:59 1.2.3.4 haproxy[24551]: Connect from 1.2.3.4:40780 to 1.2.3.4:5000 (main/HTTP) From 7375ff56984d06083fbfd7b349cd4419ab6ff305 Mon Sep 17 00:00:00 2001 From: sayden Date: Wed, 17 Oct 2018 19:41:09 +0200 Subject: [PATCH 3/5] Remove message field from expected JSON in default format --- filebeat/module/haproxy/log/ingest/pipeline.json | 5 +++++ filebeat/module/haproxy/log/test/haproxy.log-expected.json | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/filebeat/module/haproxy/log/ingest/pipeline.json b/filebeat/module/haproxy/log/ingest/pipeline.json index 5411d300245..fd1ffe5971e 100644 --- a/filebeat/module/haproxy/log/ingest/pipeline.json +++ b/filebeat/module/haproxy/log/ingest/pipeline.json @@ -32,6 +32,11 @@ "field": "haproxy.request_date" } }, + { + "remove": { + "field": "message" + } + }, { "geoip": { "field": "haproxy.client_ip", diff --git a/filebeat/module/haproxy/log/test/haproxy.log-expected.json b/filebeat/module/haproxy/log/test/haproxy.log-expected.json index 990ec9ae854..dbe75151ca2 100644 --- a/filebeat/module/haproxy/log/test/haproxy.log-expected.json +++ b/filebeat/module/haproxy/log/test/haproxy.log-expected.json @@ -37,7 +37,6 @@ "haproxy.time_queue": 0, "haproxy.time_server_response": 0, "input.type": "log", - "message": "Jul 30 09:03:52 localhost haproxy[32450]: 1.2.3.4:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} \"GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1\"", "offset": 0, "prospector.type": "log" } From a27caff8075d5d3f538507d2420715a7599d4629 Mon Sep 17 00:00:00 2001 From: sayden Date: Wed, 17 Oct 2018 19:41:45 +0200 Subject: [PATCH 4/5] Removed local IP and message from expected JSON of the default format --- .../haproxy/log/test/default.log-expected.json | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/filebeat/module/haproxy/log/test/default.log-expected.json b/filebeat/module/haproxy/log/test/default.log-expected.json index 83db2952c50..5d119bb0bf3 100644 --- a/filebeat/module/haproxy/log/test/default.log-expected.json +++ b/filebeat/module/haproxy/log/test/default.log-expected.json @@ -3,17 +3,22 @@ "@timestamp": "2018-09-20T15:42:59.000Z", "fileset.module": "haproxy", "fileset.name": "log", - "haproxy.client_ip": "127.0.0.1", + "haproxy.client_ip": "1.2.3.4", "haproxy.client_port": "40780", - "haproxy.default.logsource": "127.0.0.1", + "haproxy.default.logsource": "1.2.3.4", "haproxy.default.mode": "HTTP", - "haproxy.destination_ip": "127.0.0.1", + "haproxy.destination_ip": "1.2.3.4", "haproxy.destination_port": "5000", "haproxy.frontend_name": "main", + "haproxy.geoip.city_name": "Mukilteo", + "haproxy.geoip.continent_name": "North America", + "haproxy.geoip.country_iso_code": "US", + "haproxy.geoip.location.lat": 47.913, + "haproxy.geoip.location.lon": -122.3042, + "haproxy.geoip.region_name": "Washington", "haproxy.pid": "24551", "haproxy.process_name": "haproxy", "input.type": "log", - "message": "Sep 20 15:42:59 127.0.0.1 haproxy[24551]: Connect from 127.0.0.1:40780 to 127.0.0.1:5000 (main/HTTP)", "offset": 0, "prospector.type": "log" } From fd9e9d288f6025898d3f11e85f03d830918b73cf Mon Sep 17 00:00:00 2001 From: sayden Date: Wed, 17 Oct 2018 19:54:45 +0200 Subject: [PATCH 5/5] Fields and expected json updated --- filebeat/docs/fields.asciidoc | 9 --------- filebeat/include/fields.go | 2 +- filebeat/module/haproxy/log/_meta/fields.yml | 3 --- .../module/haproxy/log/test/haproxy.log-expected.json | 1 + 4 files changed, 2 insertions(+), 13 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index add1fe44af5..00084ec1ef6 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -3611,15 +3611,6 @@ Self descriptive -- -*`haproxy.default.frontend_name`*:: -+ --- -type: text - -Name of the frontend (or listener) which received and processed the connection - --- - *`haproxy.default.mode`*:: + -- diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index 7189b7246f0..c81a79d6d76 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -31,5 +31,5 @@ func init() { // Asset returns asset data func Asset() string { - return "" + return "" } diff --git a/filebeat/module/haproxy/log/_meta/fields.yml b/filebeat/module/haproxy/log/_meta/fields.yml index 6da7ada0ffc..4f44e91c0b5 100644 --- a/filebeat/module/haproxy/log/_meta/fields.yml +++ b/filebeat/module/haproxy/log/_meta/fields.yml @@ -50,9 +50,6 @@ - name: priority type: long description: Self descriptive - - name: frontend_name - type: text - description: Name of the frontend (or listener) which received and processed the connection - name: mode type: text description: The mode the frontend is operating (TCP or HTTP) diff --git a/filebeat/module/haproxy/log/test/haproxy.log-expected.json b/filebeat/module/haproxy/log/test/haproxy.log-expected.json index dbe75151ca2..d57089c9a27 100644 --- a/filebeat/module/haproxy/log/test/haproxy.log-expected.json +++ b/filebeat/module/haproxy/log/test/haproxy.log-expected.json @@ -13,6 +13,7 @@ "haproxy.connections.retries": 0, "haproxy.connections.server": 0, "haproxy.frontend_name": "incoming~", + "haproxy.geoip.city_name": "Mukilteo", "haproxy.geoip.continent_name": "North America", "haproxy.geoip.country_iso_code": "US", "haproxy.geoip.location.lat": 37.751,