Allow users to convert timezone in elasticsearch module filesets (#9761)

This PR updates the following filesets in the `elasticsearch` Filebeat module to accept a `var.convert_timezone` configuration setting:

* [x] server
* [x] audit
* [x] slowlog
* [x] deprecation

The `gc` fileset was not modified because Elasticsearch GC logs already emit timestamps with timezone information in them.

Fixes partially #9756. Related: #9797.

CHANGELOG.next.asciidoc

@@ -51,6 +51,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Filebeat*
 
+- Add `convert_timezone` option to Elasticsearch module to convert dates to UTC. {issue}9756[9756] {pull}9761[9761]
+
 *Heartbeat*
 
 - Made monitors.d configuration part of the default config. {pull}9004[9004]

filebeat/filebeat.reference.yml

@@ -92,6 +92,9 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   gc:
     enabled: true
     # Set custom paths for the log files. If left empty,
@@ -104,18 +107,28 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   slowlog:
     enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   deprecation:
     enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
+
 #------------------------------- Haproxy Module -------------------------------
 - module: haproxy
   # All logs

filebeat/module/elasticsearch/_meta/config.yml

@@ -7,6 +7,9 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   gc:
     enabled: true
     # Set custom paths for the log files. If left empty,
@@ -19,14 +22,24 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   slowlog:
     enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   deprecation:
     enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
+
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+

filebeat/module/elasticsearch/audit/config/audit.yml

@@ -5,6 +5,11 @@ paths:
 {{ end }}
 exclude_files: [".gz$"]
 
+{{ if .convert_timezone }}
+processors:
+- add_locale: ~
+{{ end }}
+
 fields:
   service.name: "elasticsearch"
 fields_under_root: true

filebeat/module/elasticsearch/audit/ingest/pipeline.json

@@ -16,9 +16,19 @@
           }
       },
       {
-          "rename": {
+          "date": {
               "field": "elasticsearch.audit.timestamp",
-              "target_field": "@timestamp"
+              "target_field": "@timestamp",
+              "formats": [
+                "ISO8601"
+            ],
+            {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+            "ignore_failure": true
+          }
+      },
+      {
+        "remove": {
+            "field": "elasticsearch.audit.timestamp"
           }
       }
     ],

filebeat/module/elasticsearch/audit/manifest.yml

@@ -8,6 +8,13 @@ var:
       - /usr/local/var/lib/elasticsearch/*_access.log
     os.windows:
       - c:/ProgramData/Elastic/Elasticsearch/logs/*_access.log
+  - name: convert_timezone
+    default: false
+    # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+    # pipeline
+    min_elasticsearch_version:
+      version: 6.1.0
+      value: false
 
 ingest_pipeline: ingest/pipeline.json
 input: config/audit.yml

filebeat/module/elasticsearch/audit/test/test.log-expected.json

@@ -1,6 +1,6 @@
 [
     {
-        "@timestamp": "2018-06-19T05:16:15,549", 
+        "@timestamp": "2018-06-19T05:16:15.549Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.audit.event_type": "authentication_failed", 
         "elasticsearch.audit.layer": "rest", 
@@ -15,7 +15,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:07:52,304", 
+        "@timestamp": "2018-06-19T05:07:52.304Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.audit.event_type": "authentication_failed", 
         "elasticsearch.audit.layer": "rest", 
@@ -31,7 +31,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:00:15,778", 
+        "@timestamp": "2018-06-19T05:00:15.778Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.audit.action": "indices:data/read/scroll/clear", 
         "elasticsearch.audit.event_type": "access_granted", 
@@ -48,7 +48,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:07:45,544", 
+        "@timestamp": "2018-06-19T05:07:45.544Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.audit.event_type": "anonymous_access_denied", 
         "elasticsearch.audit.layer": "rest", 
@@ -63,7 +63,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:26:27,268", 
+        "@timestamp": "2018-06-19T05:26:27.268Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.audit.event_type": "authentication_failed", 
         "elasticsearch.audit.layer": "rest", 
@@ -78,7 +78,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:55:26,898", 
+        "@timestamp": "2018-06-19T05:55:26.898Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.audit.action": "cluster:monitor/main", 
         "elasticsearch.audit.event_type": "access_denied", 
@@ -95,7 +95,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-06-19T05:24:15,190", 
+        "@timestamp": "2018-06-19T05:24:15.190Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.audit.event_type": "authentication_failed", 
         "elasticsearch.audit.layer": "rest", 

filebeat/module/elasticsearch/deprecation/config/log.yml

@@ -9,6 +9,11 @@ multiline:
   negate: true
   match: after
 
+{{ if .convert_timezone }}
+processors:
+- add_locale: ~
+{{ end }}
+
 fields:
   service.name: "elasticsearch"
 

filebeat/module/elasticsearch/deprecation/ingest/pipeline.json

@@ -27,9 +27,19 @@
             }
         },
         {
-            "rename": {
+            "date": {
                 "field": "timestamp",
-                "target_field": "@timestamp"
+                "target_field": "@timestamp",
+                "formats": [
+                    "ISO8601"
+                ],
+                {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+                "ignore_failure": true
+            }
+        },
+        {
+            "remove": {
+                "field": "timestamp"
             }
         }
     ]

filebeat/module/elasticsearch/deprecation/manifest.yml

@@ -8,6 +8,13 @@ var:
       - /usr/local/var/lib/elasticsearch/*_deprecation.log
     os.windows:
       - c:/ProgramData/Elastic/Elasticsearch/logs/*_deprecation.log
+  - name: convert_timezone
+    default: false
+    # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+    # pipeline
+    min_elasticsearch_version:
+      version: 6.1.0
+      value: false
 
 ingest_pipeline: ingest/pipeline.json
 input: config/log.yml

filebeat/module/elasticsearch/deprecation/test/elasticsearch_deprecation.log-expected.json

@@ -1,6 +1,6 @@
 [
     {
-        "@timestamp": "2018-04-23T16:40:13,737", 
+        "@timestamp": "2018-04-23T16:40:13.737Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", 
         "event.dataset": "deprecation", 
@@ -12,7 +12,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-04-23T16:40:13,862", 
+        "@timestamp": "2018-04-23T16:40:13.862Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", 
         "event.dataset": "deprecation", 
@@ -24,7 +24,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-04-23T16:40:14,792", 
+        "@timestamp": "2018-04-23T16:40:14.792Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", 
         "event.dataset": "deprecation", 
@@ -36,7 +36,7 @@
         "service.name": "elasticsearch"
     }, 
     {
-        "@timestamp": "2018-04-23T16:40:15,127", 
+        "@timestamp": "2018-04-23T16:40:15.127Z", 
         "ecs.version": "1.0.0-beta2", 
         "elasticsearch.server.component": "o.e.d.a.a.i.t.p.PutIndexTemplateRequest", 
         "event.dataset": "deprecation",