Filebeat HAproxy Default log format added #8428

Closed
58 changes: 58 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -3233,6 +3233,22 @@ haproxy Module



*`haproxy.destination_port`*::
+
--
type: long

Port of the destination host

--

*`haproxy.destination_ip`*::
+
--
IP of the destination host

--

*`haproxy.process_name`*::
+
--
Expand Down Expand Up @@ -3571,6 +3587,48 @@ raw_request_line is the complete HTTP request line, including the method, reques

--

[float]
== default fields

Default HAProxy log format


*`haproxy.default.facility`*::
+
--
type: text

One of the 24 standard syslog facilities. Refer to https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.1 for more information

--

*`haproxy.default.priority`*::
+
--
type: long

Self descriptive

--

*`haproxy.default.mode`*::
+
--
type: text

The mode the frontend is operating (TCP or HTTP)

--

*`haproxy.default.logsource`*::
+
--
type: text

The HAProxy source of the log

--

[[exported-fields-host-processor]]
== Host fields

2 changes: 1 addition & 1 deletion filebeat/include/fields.go

Large diffs are not rendered by default.

11 changes: 9 additions & 2 deletions filebeat/module/haproxy/_meta/fields.yml
Expand Up @@ -7,6 +7,14 @@
type: group
description: >
fields:

- name: destination_port
description: Port of the destination host
type: long

- name: destination_ip
description: IP of the destination host

- name: process_name
description: Name of the process
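Review bot: `destination_ip` is added without a `type:` line, while `destination_port` directly above it declares `type: long`. Declare the type explicitly (Beats field definitions support `type: ip`) so the address is mapped as an IP and CIDR or range queries work on it, then regenerate fields.asciidoc, where the `haproxy.destination_ip` entry shows the same gap.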

Expand Down Expand Up @@ -123,5 +131,4 @@
- name: retries
description: retries is the number of connection retries experienced by this session when trying to connect to the server.
type: long



17 changes: 16 additions & 1 deletion filebeat/module/haproxy/log/_meta/fields.yml
Expand Up @@ -40,5 +40,20 @@
description: raw_request_line is the complete HTTP request line, including the method, request and HTTP version string.
type: text


- name: default
Member

Don't namespace fields depending on the matching pattern, some fields can be common between them, like probably frontend_name.

Contributor Author

TCP format PR is also open and waiting and I think I did a better naming there. Let's move on to finish and close these two and then I'll quickly open a new one to write proper naming?

Member

After opening a new PR with both PRs, what prevents us from using a proper naming? I'd do it before merging.

description: Default HAProxy log format
type: group
fields:
- name: facility
type: text
description: One of the 24 standard syslog facilities. Refer to https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.1 for more information
- name: priority
type: long
description: Self descriptive
- name: mode
type: text
description: The mode the frontend is operating (TCP or HTTP)
- name: logsource
type: text
description: The HAProxy source of the log
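Review bot: `facility` is declared `type: text` and described as one of the 24 standard syslog facilities, but the grok pattern in pipeline.json captures it with `NONNEGINT`, so what gets indexed is a number rather than a facility name; align the type and description with what is actually captured. `priority` needs a real description instead of "Self descriptive", and `mode` and `logsource` hold short exact values (the description itself says TCP or HTTP), where `keyword` suits filtering and aggregation better than analyzed `text`.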

119 changes: 68 additions & 51 deletions filebeat/module/haproxy/log/ingest/pipeline.json
@@ -1,52 +1,69 @@
{
"description": "Pipeline for parsing HAProxy http logs in their default format. Requires the geoip plugin.",
"processors": [{
"grok": {
"field": "message",
"patterns": [
"(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.http.request_date}\\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} %{NUMBER:haproxy.time_client_req:int}/%{NUMBER:haproxy.time_queue:int}/%{NUMBER:haproxy.time_backend_connect:int}/%{NUMBER:haproxy.time_server_response:int}/%{NUMBER:haproxy.time_duration:int} %{NUMBER:haproxy.http.response.status_code:int} %{NUMBER:haproxy.http.response.bytes_read:int} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} %{NUMBER:haproxy.connections.active:int}/%{NUMBER:haproxy.connections.frontend:int}/%{NUMBER:haproxy.connections.backend:int}/%{NUMBER:haproxy.connections.server:int}/%{NUMBER:haproxy.connections.retries:int} %{NUMBER:haproxy.server_queue:int}/%{NUMBER:haproxy.backend_queue:int} \\{%{DATA:haproxy.http.request.captured_headers}\\} \\{%{DATA:haproxy.http.response.captured_headers}\\} \"%{GREEDYDATA:haproxy.http.request.raw_request_line}\"",
"(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.http.request_date}\\] %{NOTSPACE:haproxy.frontend_name}/%{NOTSPACE:haproxy.bind_name} %{GREEDYDATA:haproxy.error_message}"
],
"ignore_missing": false
}
},
{
"date": {
"field": "haproxy.http.request_date",
"target_field": "@timestamp",
"formats": ["dd/MMM/yyyy:HH:mm:ss.SSS"]
}
},
{
"remove": {
"field": "haproxy.http.request_date"
}
},
{
"geoip": {
"field": "haproxy.client_ip",
"target_field": "haproxy.geoip"
}
},
{
"split": {
"field": "haproxy.http.request.captured_headers",
"separator": "\\|",
"ignore_failure": true
}
},
{
"split": {
"field": "haproxy.http.response.captured_headers",
"separator": "\\|",
"ignore_failure": true
}
}
],
"on_failure" : [{
"set" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}]
}
"description": "Pipeline for parsing HAProxy http logs in their default format. Requires the geoip plugin.",
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"%{HAPROXY_DATE:haproxy.request_date} (?:%{\\<%{NONNEGINT:haproxy.default.facility}.%{NONNEGINT:haproxy.default.priority}\\>} )?%{IPORHOST:haproxy.default.logsource} %{PROG:haproxy.process_name}(?:\\[%{POSINT:haproxy.pid}\\])?: %{GREEDYDATA} %{IPORHOST:haproxy.client_ip}:%{POSINT:haproxy.client_port} %{WORD} %{IPORHOST:haproxy.destination_ip}:%{POSINT:haproxy.destination_port} \\(%{WORD:haproxy.frontend_name}/%{WORD:haproxy.default.mode}\\)",

"(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.request_date}\\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} %{NUMBER:haproxy.time_client_req:int}/%{NUMBER:haproxy.time_queue:int}/%{NUMBER:haproxy.time_backend_connect:int}/%{NUMBER:haproxy.time_server_response:int}/%{NUMBER:haproxy.time_duration:int} %{NUMBER:haproxy.http.response.status_code:int} %{NUMBER:haproxy.http.response.bytes_read:int} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} %{NUMBER:haproxy.connections.active:int}/%{NUMBER:haproxy.connections.frontend:int}/%{NUMBER:haproxy.connections.backend:int}/%{NUMBER:haproxy.connections.server:int}/%{NUMBER:haproxy.connections.retries:int} %{NUMBER:haproxy.server_queue:int}/%{NUMBER:haproxy.backend_queue:int} \\{%{DATA:haproxy.http.request.captured_headers}\\} \\{%{DATA:haproxy.http.response.captured_headers}\\} \"%{GREEDYDATA:haproxy.http.request.raw_request_line}\"",

"(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.request_date}\\] %{NOTSPACE:haproxy.frontend_name}/%{NOTSPACE:haproxy.bind_name} %{GREEDYDATA:haproxy.error_message}"
],
"ignore_missing": false,
"pattern_definitions": {
"HAPROXY_DATE": "(%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP}"
}
}
},
{
"date": {
"field": "haproxy.request_date",
"target_field": "@timestamp",
"formats": [
"dd/MMM/yyyy:HH:mm:ss.SSS",
"MMM dd HH:mm:ss"
]
}
},
{
"remove": {
"field": "haproxy.request_date"
}
},
{
"remove": {
"field": "message"
}
},
{
"geoip": {
"field": "haproxy.client_ip",
"target_field": "haproxy.geoip"
}
},
{
"split": {
"field": "haproxy.http.request.captured_headers",
"separator": "\\|",
"ignore_failure": true
}
},
{
"split": {
"field": "haproxy.http.response.captured_headers",
"separator": "\\|",
"ignore_failure": true
}
}
],
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
]
}
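Review bot: In the new first grok pattern, the optional group `(?:%{\\<%{NONNEGINT:haproxy.default.facility}.%{NONNEGINT:haproxy.default.priority}\\>} )?` opens a `%{` around a literal `\\<`, which is not a valid grok reference, and the `.` between the two captures is unescaped, so it matches any character. It presumably should be a literal opening angle bracket, the two `NONNEGINT` captures separated by an escaped dot, and a literal closing angle bracket, with no enclosing `%{ }`. Separately, the new unconditional `remove` of `message` discards the raw log line for every parsed event; for incident response and re-parsing it is worth keeping the original line, or at least making its removal configurable.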
1 change: 1 addition & 0 deletions filebeat/module/haproxy/log/test/default.log
@@ -0,0 +1 @@
Sep 20 15:42:59 1.2.3.4 haproxy[24551]: Connect from 1.2.3.4:40780 to 1.2.3.4:5000 (main/HTTP)
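Review bot: The single sample line carries no syslog facility/priority prefix, so the optional group in the new grok pattern is never exercised and `haproxy.default.facility` and `haproxy.default.priority` never appear in default.log-expected.json. Add at least one line that includes the prefix, and one where the addresses differ: with `1.2.3.4` used for the log source, the client and the destination, a capture landing in the wrong field would go unnoticed.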
25 changes: 25 additions & 0 deletions filebeat/module/haproxy/log/test/default.log-expected.json
@@ -0,0 +1,25 @@
[
{
"@timestamp": "2018-09-20T15:42:59.000Z",
"fileset.module": "haproxy",
"fileset.name": "log",
"haproxy.client_ip": "1.2.3.4",
"haproxy.client_port": "40780",
"haproxy.default.logsource": "1.2.3.4",
"haproxy.default.mode": "HTTP",
"haproxy.destination_ip": "1.2.3.4",
"haproxy.destination_port": "5000",
"haproxy.frontend_name": "main",
"haproxy.geoip.city_name": "Mukilteo",
"haproxy.geoip.continent_name": "North America",
"haproxy.geoip.country_iso_code": "US",
"haproxy.geoip.location.lat": 47.913,
"haproxy.geoip.location.lon": -122.3042,
"haproxy.geoip.region_name": "Washington",
"haproxy.pid": "24551",
"haproxy.process_name": "haproxy",
"input.type": "log",
"offset": 0,
"prospector.type": "log"
}
]
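Review bot: `haproxy.pid`, `haproxy.client_port` and `haproxy.destination_port` come out as strings ("24551", "40780", "5000") because the new pattern captures them with `POSINT` and no `:int` suffix, whereas the existing patterns use `%{NUMBER:haproxy.pid:int}` and `%{NUMBER:haproxy.client_port:int}` and fields.yml declares `destination_port` as `long`. Add `:int` to the three captures so a field has the same JSON type whichever pattern matched. The year 2018 in `@timestamp` is also not present in the sample line, so this expectation only holds if the year is pinned somewhere; note where that happens.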
2 changes: 1 addition & 1 deletion filebeat/module/haproxy/log/test/haproxy.log-expected.json
Expand Up @@ -13,6 +13,7 @@
"haproxy.connections.retries": 0,
"haproxy.connections.server": 0,
"haproxy.frontend_name": "incoming~",
"haproxy.geoip.city_name": "Mukilteo",
"haproxy.geoip.continent_name": "North America",
"haproxy.geoip.country_iso_code": "US",
"haproxy.geoip.location.lat": 37.751,
Expand All @@ -37,7 +38,6 @@
"haproxy.time_queue": 0,
"haproxy.time_server_response": 0,
"input.type": "log",
"message": "Jul 30 09:03:52 localhost haproxy[32450]: 1.2.3.4:38862 [30/Jul/2018:09:03:52.726] incoming~ docs_microservice/docs 0/0/1/0/2 304 168 - - ---- 6/6/0/0/0 0/0 {docs.example.internal||} {|||} \"GET /component---src-pages-index-js-4b15624544f97cf0bb8f.js HTTP/1.1\"",
"offset": 0,
"prospector.type": "log"
}
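Review bot: `haproxy.geoip.location.lat` is 37.751 in this file next to `haproxy.geoip.city_name` "Mukilteo", while default.log-expected.json records 47.913 for the same client address 1.2.3.4. Regenerate both expected files from the same pipeline and GeoIP database so the geoip fields agree across the two expectations.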