[Filebeat] Create ActiveMQ module (elastic#14840)
* Enable audit logs in ActiveMQ module

* Generate module stub

* Update configuration

* Add log files

* Add sample exception to ActiveMQ log

* Define ingest pipeline for ActiveMQ audit logs

* Define ingest pipeline for ActiveMQ logs

* Adjust ingest pipelines, bugfixing

* Do not check timestamp for audit logs

* Refactor fields

* Fix: mage fmt update

* Adjust fields after review

* Rename action to message to properly present logs in Kibana

* Refactor fields according to the review
mtojek authored Dec 2, 2019
1 parent c115bb1 commit d4a6086
Showing 25 changed files with 722 additions and 1 deletion.
64 changes: 64 additions & 0 deletions filebeat/docs/fields.asciidoc
@@ -12,6 +12,7 @@ This file is generated! See _meta/fields.yml and scripts/generate_fields_docs.py
This document describes the fields that are exported by Filebeat. They are
grouped in the following categories:
* <<exported-fields-activemq>>
* <<exported-fields-apache>>
* <<exported-fields-auditd>>
* <<exported-fields-aws>>
@@ -61,6 +62,69 @@ grouped in the following categories:
* <<exported-fields-zeek>>
--
[[exported-fields-activemq]]
== activemq fields
Module for parsing ActiveMQ log files.
[float]
=== activemq
*`activemq.caller`*::
+
--
Name of the caller issuing the logging request (class or resource).
type: keyword
--
*`activemq.thread`*::
+
--
Thread that generated the logging event.
type: keyword
--
*`activemq.user`*::
+
--
User that generated the logging event.
type: keyword
--
[float]
=== audit
Fields from ActiveMQ audit logs.
[float]
=== log
Fields from ActiveMQ application logs.
*`activemq.log.stack_trace`*::
+
--
type: keyword
--
[[exported-fields-apache]]
== Apache fields
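Review bot: `activemq.log.stack_trace` is the only field in this block with no description (the entry goes straight from `*`activemq.log.stack_trace`*::` to `type: keyword`), and `keyword` is a doubtful type for a multi-line stack trace, which is far longer than an exact-match value and is usually searched for substrings such as an exception class or a frame. Add a description wherever the field is declared (the log fileset's fields.yml is not among the files rendered here) and either switch to `text` or state why an exact-match keyword is intended.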
69 changes: 69 additions & 0 deletions filebeat/docs/modules/activemq.asciidoc
@@ -0,0 +1,69 @@
////
This file is generated! See scripts/docs_collector.py
////

[[filebeat-module-activemq]]
:modulename: activemq
:has-dashboards: false

== ActiveMQ module

This module parses Apache ActiveMQ logs. It supports application and audit logs.

include::../include/what-happens.asciidoc[]

[float]
=== Compatibility

The module has been tested with ActiveMQ 5.13.0 and 5.15.9. Other versions are expected to work.

include::../include/running-modules.asciidoc[]

include::../include/configuring-intro.asciidoc[]

:fileset_ex: log

include::../include/config-option-intro.asciidoc[]

The following example shows how to set paths in the +modules.d/{modulename}.yml+
file to override the default paths for ActiveMQ logs:

["source","yaml",subs="attributes"]
-----
- module: activemq
audit:
enabled: true
var.paths: ["/path/to/log/activemq/data/audit.log*"]
log:
enabled: true
var.paths: ["/path/to/log/activemq/data/activemq.log*"]
-----

To specify the same settings at the command line, you use:

["source","sh",subs="attributes"]
-----
-M "activemq.audit.var.paths=[/path/to/log/activemq/data/audit.log*]"
-M "activemq.log.var.paths=[/path/to/log/activemq/data/activemq.log*]"
-----

[float]
==== `log` log fileset settings

include::../include/var-paths.asciidoc[]

include::../include/timezone-support.asciidoc[]

:has-dashboards!:

:fileset_ex!:

:modulename!:


[float]
=== Fields

For a description of each field in the module, see the
<<exported-fields-activemq,exported fields>> section.
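Review bot: only the `log` fileset gets a settings section (`==== `log` log fileset settings`), although the YAML example above also configures `audit` with its own `var.paths`, so the audit fileset's options are undocumented. This file is generated (header: `See scripts/docs_collector.py`), so the fix belongs in x-pack/filebeat/module/activemq/_meta/docs.asciidoc: add a matching `==== `audit` audit fileset settings` section with `include::../include/var-paths.asciidoc[]`, then regenerate.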

2 changes: 2 additions & 0 deletions filebeat/docs/modules_list.asciidoc
@@ -3,6 +3,7 @@ This file is generated! See scripts/docs_collector.py
////

* <<filebeat-modules-overview>>
* <<filebeat-module-activemq>>
* <<filebeat-module-apache>>
* <<filebeat-module-auditd>>
* <<filebeat-module-aws>>
@@ -43,6 +44,7 @@ This file is generated! See scripts/docs_collector.py
--

include::modules-overview.asciidoc[]
include::modules/activemq.asciidoc[]
include::modules/apache.asciidoc[]
include::modules/auditd.asciidoc[]
include::modules/aws.asciidoc[]
3 changes: 2 additions & 1 deletion filebeat/tests/system/test_modules.py
@@ -224,7 +224,8 @@ def clean_keys(obj):
# ECS versions change for any ECS release, large or small
ecs_key = ["ecs.version"]
# datasets for which @timestamp is removed due to date missing
remove_timestamp = {"icinga.startup", "redis.log", "haproxy.log", "system.auth", "system.syslog", "cef.log"}
remove_timestamp = {"icinga.startup", "redis.log", "haproxy.log",
"system.auth", "system.syslog", "cef.log", "activemq.audit"}
# dataset + log file pairs for which @timestamp is kept as an exception from above
remove_timestamp_exception = {
('system.syslog', 'tz-offset.log'),
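Review bot: adding `activemq.audit` to `remove_timestamp` declares that audit events have no parseable date, yet the fixture's first two lines do embed one (`... retryMessages[] at 27-11-2019 08:45:57,213`) that the audit pipeline never extracts, while the `requested` lines carry none. If that is accepted, say so in the module docs, since for an audit trail `@timestamp` silently becoming the ingest time is a real limitation; otherwise parse the embedded date where present and keep this exception list for formats that truly lack a date, as the comment above describes.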
18 changes: 18 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
@@ -37,6 +37,24 @@ filebeat.modules:
# can be added under this section.
#input:

#------------------------------- Activemq Module -------------------------------
- module: activemq
# Audit logs
audit:
enabled: true

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

# Application logs
log:
enabled: true

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

#-------------------------------- Apache Module --------------------------------
#- module: apache
# Access logs
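Review bot: `- module: activemq` is left active in the reference config while the neighbouring module is commented out (`#- module: apache` directly below), and both filesets are `enabled: true`, so anyone who starts from filebeat.reference.yml gets the ActiveMQ module enabled by default, including on hosts with no ActiveMQ. The block should be commented out like the others; check the reference-config generation that produced it from `_meta/config.yml`. The banner `Activemq Module` also mis-cases the product name (ActiveMQ), presumably because it is derived from the directory name.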
1 change: 1 addition & 0 deletions x-pack/filebeat/include/list.go
16 changes: 16 additions & 0 deletions x-pack/filebeat/module/activemq/_meta/config.yml
@@ -0,0 +1,16 @@
- module: activemq
# Audit logs
audit:
enabled: true

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:

# Application logs
log:
enabled: true

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
56 changes: 56 additions & 0 deletions x-pack/filebeat/module/activemq/_meta/docs.asciidoc
@@ -0,0 +1,56 @@
:modulename: activemq
:has-dashboards: false

== ActiveMQ module

This module parses Apache ActiveMQ logs. It supports application and audit logs.

include::../include/what-happens.asciidoc[]

[float]
=== Compatibility

The module has been tested with ActiveMQ 5.13.0 and 5.15.9. Other versions are expected to work.

include::../include/running-modules.asciidoc[]

include::../include/configuring-intro.asciidoc[]

:fileset_ex: log

include::../include/config-option-intro.asciidoc[]

The following example shows how to set paths in the +modules.d/{modulename}.yml+
file to override the default paths for ActiveMQ logs:

["source","yaml",subs="attributes"]
-----
- module: activemq
audit:
enabled: true
var.paths: ["/path/to/log/activemq/data/audit.log*"]
log:
enabled: true
var.paths: ["/path/to/log/activemq/data/activemq.log*"]
-----

To specify the same settings at the command line, you use:

["source","sh",subs="attributes"]
-----
-M "activemq.audit.var.paths=[/path/to/log/activemq/data/audit.log*]"
-M "activemq.log.var.paths=[/path/to/log/activemq/data/activemq.log*]"
-----

[float]
==== `log` log fileset settings

include::../include/var-paths.asciidoc[]

include::../include/timezone-support.asciidoc[]

:has-dashboards!:

:fileset_ex!:

:modulename!:
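Review bot: `include::../include/timezone-support.asciidoc[]` sits under the `log` fileset only, which is correct, but nothing tells the reader that audit events carry no log timestamp at all: the audit pipeline extracts no date and the test change drops `@timestamp` for `activemq.audit`, so `@timestamp` on an audit event is the ingest time rather than the time of the audited action. Once the `audit` fileset gets its own `==== `audit` audit fileset settings` section mirroring the `log` one (it has none here, although the YAML example configures both), a sentence stating this would prevent audit timelines from being misread.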
21 changes: 21 additions & 0 deletions x-pack/filebeat/module/activemq/_meta/fields.yml
@@ -0,0 +1,21 @@
- key: activemq
title: "activemq"
description: >
Module for parsing ActiveMQ log files.
fields:
- name: activemq
type: group
description: >
fields:
- name: caller
type: keyword
description: >
Name of the caller issuing the logging request (class or resource).
- name: thread
type: keyword
description: >
Thread that generated the logging event.
- name: user
type: keyword
description: >
User that generated the logging event.
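Review bot: the `activemq` group has an empty `description: >` (nothing follows the fold marker), which comes out as a blank line in the generated fields.asciidoc; give it a one-line description or drop the key. `title: "activemq"` is also what produces the lower-case `== activemq fields` heading next to `== Apache fields`; `title: "ActiveMQ"` matches the other modules' style.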
5 changes: 5 additions & 0 deletions x-pack/filebeat/module/activemq/audit/_meta/fields.yml
@@ -0,0 +1,5 @@
- name: audit
type: group
description: >
Fields from ActiveMQ audit logs.
fields:
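Review bot: the trailing `fields:` of the `audit` group is empty, so the group declares nothing while the audit pipeline populates `activemq.user`, `activemq.thread`, `log.level` and `message`; the first two are declared under the top-level `activemq` group instead. Either remove the empty `fields:` key (it is a null value, which some YAML tooling rejects) or move the audit-specific fields here so that the "Fields from ActiveMQ audit logs" section in the docs is not empty.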
6 changes: 6 additions & 0 deletions x-pack/filebeat/module/activemq/audit/config/audit.yml
@@ -0,0 +1,6 @@
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
15 changes: 15 additions & 0 deletions x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml
@@ -0,0 +1,15 @@
---
description: Pipeline for parsing ActiveMQ audit logs.
processors:
- grok:
field: message
pattern_definitions:
NOPIPEGREEDYDATA: "((?! \\|).)*"
THREAD_NAME: "((?! \n).)*"
patterns:
- "%{LOGLEVEL:log.level}%{SPACE}\\|%{SPACE}%{WORD:activemq.user}%{SPACE}%{NOPIPEGREEDYDATA:message}%{SPACE}\\|%{SPACE}%{THREAD_NAME:activemq.thread}"
ignore_missing: true
on_failure:
- set:
field: error.message
value: "{{ _ingest.on_failure_message }}"
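Review bot: `%{WORD:activemq.user}` only matches `[A-Za-z0-9_]+`, so an audit line for a user such as `first.last` or `user@domain` fails the whole grok, leaving `error.message` set and nothing parsed; `%{NOTSPACE:activemq.user}` is the safer capture. Two smaller points: the grok overwrites `message` with the middle column and discards the original line, which for an audit trail is worth preserving by copying it to `event.original` before the grok; and the `THREAD_NAME` definition `((?! \n).)*` is effectively `.*` because `.` never matches a newline, so `%{GREEDYDATA:activemq.thread}` says the same thing more plainly.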
13 changes: 13 additions & 0 deletions x-pack/filebeat/module/activemq/audit/manifest.yml
@@ -0,0 +1,13 @@
module_version: 1.0

var:
- name: paths
default:
- /opt/apache-activemq-*/data/audit.log*
os.darwin:
- /usr/local/apache-activemq-*/data/audit.log*
os.windows:
- c:/apache-activemq-*/data/audit.log*

ingest_pipeline: ingest/pipeline.yml
input: config/audit.yml
4 changes: 4 additions & 0 deletions x-pack/filebeat/module/activemq/audit/test/audit.log
@@ -0,0 +1,4 @@
INFO | anonymous called org.apache.activemq.broker.jmx.QueueView.retryMessages[] at 27-11-2019 08:45:57,213 | qtp443290224-47
INFO | admin called org.apache.activemq.broker.jmx.QueueView.retryMessages[] at 27-11-2019 08:45:57,229 | qtp443290224-45
WARN | admin requested /admin/createDestination.action [JMSDestination='test' JMSDestinationType='queue' secret='4eb0bc3e-9d7a-4256-844c-24f40fda98f1' ] from 127.0.0.1 | qtp12205619-39
INFO | guest requested /admin/purgeDestination.action [JMSDestination='test' JMSDestinationType='queue' secret='eff6a932-1b58-45da-a64a-1b30b246cfc9' ] from 127.0.0.1 | qtp12205619-36
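Review bot: the fixture covers both line shapes (`called ... at <date>` and `requested ... from <ip>`) but only plain user names (`anonymous`, `admin`, `guest`); add a line whose user contains a dot, hyphen or `@` so the pipeline's `WORD` capture is actually exercised, and one whose bracketed parameters contain a ` | ` (for example in the `JMSDestination` name) to confirm `NOPIPEGREEDYDATA` stops at the intended column rather than mid-message. The expected-output file for this fixture is not among the files rendered here, so the asserted `message` values (including the embedded date and the `secret=` token) cannot be checked from this page.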