Add Journalbeat (elastic#8703)

* Initialize Journalbeat (elastic#8277)

This is the first PR to initialize Journalbeat with minimal functionality.

The architecture is mimicing Filebeat so it can be merged into FB in the future. It means it has multiple inputs which can share configuration (`backoff`, `backoff_factor`, etc.). Inputs can have multiple readers, each reader reads from a journal specified in the list of `paths`. The readers are not going to implement the interface `Harverster` until it's merged into Filebeat, because it would overcomplicate event publishing unnecessarily and would need to duplicate too much Filebeat code.

Checkpointing is copied from Winlogbeat. Once the new registry file is merged, it will be migrated.

Example configuration to read from the beginning of the local journal

```yml
journalbeat.inputs:
- paths: []
  seek: head
```

Features
* read from local journal, journal file and directory
* position tracking by using check-pointing as it's done in Winlogbeat
* seek to "tail", "head", "cursor"
* minimal E2E tests
* fields.yml and documentation

Vendored:
* github.com/coreos/go-systemd/sdjournal

* Journalbeat matches support && minor additions (elastic#8324)

From now on it's possible to match for journal entry fields in Journalbeat using the new option `matches`. This requires a list of key value pairs separated by "=". The key has to be a journalbeat event key (e.g systemd.unit) and the value is the exact value journal reader needs to find in the entries.

Example configuration which returns NGINX and dhclient entries from the journal:
```yml
include_matches:
  - "systemd.unit=nginx"
  - "process.name=dhclient"
```
Added docker fields from: https://docs.docker.com/config/containers/logging/journald/
- `container.id`
- `container.id_truncated`
- `container.name`
- `container.image.tag`
- `container.partial`

Journalbeat parses the timestamp of the entry and adds it to the event as `@timestamp`. The time of reading by Journalbeat is saved in `read_timestamp`.

Custom fields by various sources are stored under `custom`. Field names are normalized, meaning `"_"` prefix is removed and every letter is lowercase.

From now on it is possible to configure `processors` and `fields`, etc on `input` level.

The size of each open reader is reporting in bytes:
```
{
  "journalbeat": {
    "journals": {
      "journal_1": {
         "path": "system.journal",
         "size_in_bytes": 123124214,
       }
    }
}
```

* Minor improvements to Journalbeat (elastic#8618)

* Packaging of journalbeat (elastic#8702)

Journalbeat is going to be built using the new Debian 8 container, because systemd version in Debian 7 is too old (v44 instead of the required v187).

Minor changes:
* add missing X-Pack folder to journalbeat
* do not crosscompile journalbeat due to missing dependencies locally

* Add journalbeat docs (elastic#8735)

* Add journalbeat docs

(cherry picked from commit 24d0e08)

.travis.yml

@@ -99,6 +99,22 @@ jobs:
       go: $GO_VERSION
       stage: test
 
+    # Functionbeat
+    - os: linux
+      env: TARGETS="-C x-pack/functionbeat testsuite"
+      go: $GO_VERSION
+      stage: test
+    - os: osx
+      env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/functionbeat testsuite"
+      go: $GO_VERSION
+      stage: test
+
+    # Journalbeat
+    - os: linux
+      env: TARGETS="-C journalbeat testsuite"
+      go: $GO_VERSION
+      stage: test
+
     # Generators
     - os: linux
       env: TARGETS="-C generator/metricbeat test"
@@ -150,6 +166,7 @@ addons:
       - libpcap-dev
       - xsltproc
       - libxml2-utils
+      - libsystemd-journal-dev
 
 before_install:
   - python --version

CHANGELOG.asciidoc

@@ -19,6 +19,8 @@ https://github.com/elastic/beats/compare/v6.4.0...6.x[Check the HEAD diff]
 
 *Heartbeat*
 
+*Journalbeat*
+
 *Metricbeat*
 
 *Packetbeat*
@@ -67,6 +69,8 @@ https://github.com/elastic/beats/compare/v6.4.0...6.x[Check the HEAD diff]
 
 - Fixed bug where HTTP responses with larger bodies would incorrectly report connection errors. {pull}8660[8660]
 
+*Journalbeat*
+
 *Metricbeat*
 
 - Fix golang.heap.gc.cpu_fraction type from long to float in Golang module. {pull}7789[7789]
@@ -129,6 +133,10 @@ https://github.com/elastic/beats/compare/v6.4.0...6.x[Check the HEAD diff]
 - Added support for extra TLS/x509 metadata. {pull}7944[7944]
 - Added stats and state metrics for number of monitors and endpoints started. {pull}8621[8621]
 
+*Journalbeat*
+
+- Add journalbeat. {pull}8703[8703]
+
 *Metricbeat*
 
 - Add `replstatus` metricset to MongoDB module {pull}7604[7604]
@@ -167,6 +175,8 @@ https://github.com/elastic/beats/compare/v6.4.0...6.x[Check the HEAD diff]
 *Heartbeat*
 - watch.poll_file is now deprecated and superceded by automatic config file reloading.
 
+*Journalbeat*
+
 *Metricbeat*
 - Redis `info` `replication.master_offset` has been deprecated in favor of `replication.master.offset`.{pull}7695[7695]
 - Redis `info` clients fields `longest_output_list` and `biggest_input_buf` have been renamed to `max_output_buffer` and `max_input_buffer` based on the names they will have in Redis 5.0, both fields will coexist during a time with the same value {pull}8167[8167].

Makefile

@@ -1,6 +1,6 @@
 BUILD_DIR=$(CURDIR)/build
 COVERAGE_DIR=$(BUILD_DIR)/coverage
-BEATS?=auditbeat filebeat heartbeat metricbeat packetbeat winlogbeat
+BEATS?=auditbeat filebeat heartbeat journalbeat metricbeat packetbeat winlogbeat
 PROJECTS=libbeat $(BEATS)
 PROJECTS_ENV=libbeat filebeat metricbeat
 PYTHON_ENV?=$(BUILD_DIR)/python-env

NOTICE.txt

@@ -171,6 +171,37 @@ COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+--------------------------------------------------------------------
+Dependency: github.com/coreos/go-systemd
+Version: v17
+Revision: 39ca1b05acc7ad1220e09f133283b8859a8b71ab
+License type (autodetected): Apache-2.0
+./vendor/github.com/coreos/go-systemd/LICENSE:
+--------------------------------------------------------------------
+Apache License 2.0
+
+-------NOTICE-----
+CoreOS Project
+Copyright 2018 CoreOS, Inc
+
+This product includes software developed at CoreOS, Inc.
+(http://www.coreos.com/).
+
+--------------------------------------------------------------------
+Dependency: github.com/coreos/pkg
+Revision: 97fdf19511ea361ae1c100dd393cc47f8dcfa1e1
+License type (autodetected): Apache-2.0
+./vendor/github.com/coreos/pkg/LICENSE:
+--------------------------------------------------------------------
+Apache License 2.0
+
+-------NOTICE-----
+CoreOS Project
+Copyright 2014 CoreOS, Inc
+
+This product includes software developed at CoreOS, Inc.
+(http://www.coreos.com/).
+
 --------------------------------------------------------------------
 Dependency: github.com/davecgh/go-spew
 Version: v1.1.0

dev-tools/mage/crossbuild.go

@@ -48,6 +48,9 @@ func init() {
 // CrossBuildOption defines a option to the CrossBuild target.
 type CrossBuildOption func(params *crossBuildParams)
 
+// ImageSelectorFunc returns the name of the builder image.
+type ImageSelectorFunc func(platform string) (string, error)
+
 // ForPlatforms filters the platforms based on the given expression.
 func ForPlatforms(expr string) func(params *crossBuildParams) {
 	return func(params *crossBuildParams) {
@@ -78,16 +81,24 @@ func Serially() func(params *crossBuildParams) {
 	}
 }
 
+// ImageSelector returns the name of the selected builder image.
+func ImageSelector(f ImageSelectorFunc) func(params *crossBuildParams) {
+	return func(params *crossBuildParams) {
+		params.ImageSelector = f
+	}
+}
+
 type crossBuildParams struct {
-	Platforms BuildPlatformList
-	Target    string
-	Serial    bool
-	InDir     string
+	Platforms     BuildPlatformList
+	Target        string
+	Serial        bool
+	InDir         string
+	ImageSelector ImageSelectorFunc
 }
 
 // CrossBuild executes a given build target once for each target platform.
 func CrossBuild(options ...CrossBuildOption) error {
-	params := crossBuildParams{Platforms: Platforms, Target: defaultCrossBuildTarget}
+	params := crossBuildParams{Platforms: Platforms, Target: defaultCrossBuildTarget, ImageSelector: crossBuildImage}
 	for _, opt := range options {
 		opt(&params)
 	}
@@ -111,10 +122,10 @@ func CrossBuild(options ...CrossBuildOption) error {
 		if !buildPlatform.Flags.CanCrossBuild() {
 			return fmt.Errorf("unsupported cross build platform %v", buildPlatform.Name)
 		}
-		builder := GolangCrossBuilder{buildPlatform.Name, params.Target, params.InDir}
+		builder := GolangCrossBuilder{buildPlatform.Name, params.Target, params.InDir, params.ImageSelector}
 		if params.Serial {
 			if err := builder.Build(); err != nil {
-				return errors.Wrapf(err, "failed cross-building target=%v for platform=%v",
+				return errors.Wrapf(err, "failed cross-building target=%v for platform=%v %v", params.ImageSelector,
 					params.Target, buildPlatform.Name)
 			}
 		} else {
@@ -174,15 +185,16 @@ func crossBuildImage(platform string) (string, error) {
 		return "", err
 	}
 
-	return beatsCrossBuildImage + ":" + goVersion + "-" + tagSuffix, nil
+	return BeatsCrossBuildImage + ":" + goVersion + "-" + tagSuffix, nil
 }
 
 // GolangCrossBuilder executes the specified mage target inside of the
 // associated golang-crossbuild container image for the platform.
 type GolangCrossBuilder struct {
-	Platform string
-	Target   string
-	InDir    string
+	Platform      string
+	Target        string
+	InDir         string
+	ImageSelector ImageSelectorFunc
 }
 
 // Build executes the build inside of Docker.
@@ -208,7 +220,7 @@ func (b GolangCrossBuilder) Build() error {
 	}
 
 	dockerRun := sh.RunCmd("docker", "run")
-	image, err := crossBuildImage(b.Platform)
+	image, err := b.ImageSelector(b.Platform)
 	if err != nil {
 		return errors.Wrap(err, "failed to determine golang-crossbuild image tag")
 	}

dev-tools/mage/godaemon.go

@@ -23,6 +23,13 @@ import (
 	"os"
 )
 
+var (
+	defaultCrossBuildGoDaemon = []CrossBuildOption{
+		ForPlatforms("linux"),
+		WithTarget("buildGoDaemon"),
+	}
+)
+
 // BuildGoDaemon builds the go-deamon binary.
 func BuildGoDaemon() error {
 	if GOOS != "linux" {
@@ -67,6 +74,7 @@ func BuildGoDaemon() error {
 
 // CrossBuildGoDaemon cross-build the go-daemon binary using the
 // golang-crossbuild environment.
-func CrossBuildGoDaemon() error {
-	return CrossBuild(ForPlatforms("linux"), WithTarget("buildGoDaemon"))
+func CrossBuildGoDaemon(options ...CrossBuildOption) error {
+	opts := append(defaultCrossBuildGoDaemon, options...)
+	return CrossBuild(opts...)
 }

dev-tools/mage/settings.go

@@ -39,8 +39,9 @@ const (
 	fpmVersion = "1.10.0"
 
 	// Docker images. See https://github.com/elastic/golang-crossbuild.
-	beatsFPMImage        = "docker.elastic.co/beats-dev/fpm"
-	beatsCrossBuildImage = "docker.elastic.co/beats-dev/golang-crossbuild"
+	beatsFPMImage = "docker.elastic.co/beats-dev/fpm"
+	// BeatsCrossBuildImage is the image used for crossbuilding Beats.
+	BeatsCrossBuildImage = "docker.elastic.co/beats-dev/golang-crossbuild"
 
 	elasticBeatsImportPath = "github.com/elastic/beats"
 )

journalbeat/.gitignore

@@ -0,0 +1,9 @@
+/.idea
+/build
+.DS_Store
+.journalbeat_position
+/journalbeat
+/journalbeat.test
+*.pyc
+data/meta.json
+/*.journal

journalbeat/Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.10.3
+MAINTAINER Noémi Ványi <noemi.vanyi@elastic.co>
+
+RUN set -x && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+      python-pip virtualenv libsystemd-dev libc6-dev-i386 gcc-arm-linux-gnueabi && \
+    apt-get clean
+
+RUN pip install --upgrade setuptools
+
+# Setup work environment
+ENV JOURNALBEAT_PATH /go/src/github.com/elastic/beats/journalbeat
+
+RUN mkdir -p $JOURNALBEAT_PATH/build/coverage
+WORKDIR $JOURNALBEAT_PATH
+HEALTHCHECK CMD exit 0

journalbeat/Makefile

@@ -0,0 +1,15 @@
+BEAT_NAME=journalbeat
+BEAT_TITLE=Journalbeat
+SYSTEM_TESTS=false
+TEST_ENVIRONMENT=false
+ES_BEATS?=..
+
+# Path to the libbeat Makefile
+-include $(ES_BEATS)/libbeat/scripts/Makefile
+
+.PHONY: before-build
+before-build:
+
+# Collects all dependencies and then calls update
+.PHONY: collect
+collect:

journalbeat/README.md

@@ -0,0 +1,5 @@
+# Journalbeat
+
+Journalbeat is an open source data collector to read and forward journal entries from Linuxes with systemd.
+
+## Getting started

journalbeat/_meta/beat.yml

@@ -0,0 +1,56 @@
+###################### Journalbeat Configuration Example #########################
+
+# This file is an example configuration file highlighting only the most common
+# options. The journalbeat.reference.yml file from the same directory contains all the
+# supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/journalbeat/index.html
+
+# For more available modules and options, please see the journalbeat.reference.yml sample
+# configuration file.
+
+#=========================== Journalbeat inputs =============================
+
+journalbeat.inputs:
+  # Paths that should be crawled and fetched. Possible values files and directories.
+  # When setting a directory, all journals under it are merged.
+  # When empty starts to read from local journal.
+- paths: []
+
+  # The number of seconds to wait before trying to read again from journals.
+  #backoff: 1s
+  # The maximum number of seconds to wait before attempting to read again from journals.
+  #max_backoff: 60s
+
+  # Position to start reading from journal. Valid values: head, tail, cursor
+  seek: tail
+
+  # Exact matching for field values of events.
+  # Matching for nginx entries: "systemd.unit=nginx"
+  #include_matches: []
+
+  # Optional fields that you can specify to add additional information to the
+  # output. Fields can be scalar values, arrays, dictionaries, or any nested
+  # combination of these.
+  #fields:
+  #  env: staging
+
+
+#========================= Journalbeat global options ============================
+#journalbeat:
+  # Name of the registry file. If a relative path is used, it is considered relative to the
+  # data path.
+  #registry_file: registry
+
+  # The number of seconds to wait before trying to read again from journals.
+  #backoff: 1s
+  # The maximum number of seconds to wait before attempting to read again from journals.
+  #max_backoff: 60s
+
+  # Position to start reading from all journal. Possible values: head, tail, cursor
+  #seek: head
+
+  # Exact matching for field values of events.
+  # Matching for nginx entries: "systemd.unit=nginx"
+  #matches: []