Filebeat AWS ELB ingest fields differ from Kibana Observability #26435

stephank opened this issue Jun 23, 2021 · 6 comments · Fixed by #26441
Labels: Team:Integrations

@stephank

Previous discussion: https://discuss.elastic.co/t/aws-elb-ingest-pipeline-bug/276356
All Elastic Stack components are on version 7.13.2.

It looks like the AWS ALB support in the Filebeat AWS module produces http.request.referrer in its ingest pipeline, while Kibana Observability (such as the Logs section) expects url.* fields to be set (probably via uri_parts).

Currently, the Kibana Logs section displays access logs as follows, with a missing request path: (This display is apparently produced by generic_webserver.ts.)

[aws][access] 1.2.3.4  "GET  HTTP/2.0" 200 152966

I believe the fix should be something like:

--- a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml
@@ -77,7 +77,7 @@ processors:
           (?:-|%{NUMBER:aws.elb.backend.http.response.status_code:long})
           %{NUMBER:http.request.body.bytes:long}
           %{NUMBER:http.response.body.bytes:long}
-          \"(?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|HTTP/%{NOTSPACE:http.version})\"
+          \"(?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_tmp.url_orig}) (?:-|HTTP/%{NOTSPACE:http.version})\"
           \"%{DATA:user_agent.original}\"
           %{ELBSSL}
         ELBTCPLOG: >-

Review bot: the replaced grok line stops populating `http.request.referrer` for ALB HTTP lines altogether; since the second token of the quoted `request` field is the request URL rather than a referrer, dropping the old mapping is the right call, but any saved search or visualization keyed on `http.request.referrer` for this module will go empty, so the change deserves a changelog entry. The new target `_tmp.url_orig` is a scratch field; make sure the pipeline ends with a `remove` of `_tmp` (nothing in this hunk does so) so the raw value is not indexed alongside `url.original`.
@@ -110,6 +110,11 @@ processors:
       field: event.category
       value: web

+  - uri_parts:
+      if: 'ctx.http != null'
+      field: _tmp.url_orig
+      ignore_failure: true
+
   - set:
       if: 'ctx.http == null'
       field: 'aws.elb.protocol'
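Review bot: the `uri_parts` processor is guarded on `ctx.http != null` rather than on the field it reads, so on HTTP lines whose request token was `-` (the grok alternation then leaves `_tmp.url_orig` unset) it runs against a missing field and depends on `ignore_failure: true` to swallow the error. Condition it on `ctx._tmp?.url_orig != null` (or set `ignore_missing: true`) and keep `ignore_failure` only for URLs that genuinely fail to parse, so real parse errors are not hidden behind the same flag. If the pipeline does not already drop `_tmp` in a trailing `remove` processor, add one here after `uri_parts` has consumed the value.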

Which results in correct display in Kibana Logs:

[aws][access] 1.2.3.4  "GET /blogs? HTTP/2.0" 200 6815

(I'm not sure why it always displays a ? despite there not being a query string, but I believe that's a separate Kibana issue.)
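Added example, not code from the issue or from the Beats pipeline: a Python sketch of the two steps the proposed patch chains, the grok alternation over the quoted ALB `request` field and a simplified stand-in for the Elasticsearch `uri_parts` processor, run over a constructed request fragment. The `url.*` names follow ECS; the `uri_parts` stand-in is an assumption (it omits userinfo handling) and `_tmp.url_orig` is dropped at the end the way a trailing `remove` processor would.

```python
import re
from urllib.parse import urlsplit

# Python form of the grok fragment in the proposed pipeline change:
#   \"(?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_tmp.url_orig}) (?:-|HTTP/%{NOTSPACE:http.version})\"
# ALB writes "-" for any part it could not determine (e.g. a request that never completed).
REQUEST_RE = re.compile(
    r'"(?:-|(?P<method>\w+)) (?:-|(?P<url>\S+)) (?:-|HTTP/(?P<version>\S+))"'
)

def parse_request(quoted: str) -> dict:
    """Extract method, raw URL and HTTP version from the quoted ALB 'request' field."""
    m = REQUEST_RE.fullmatch(quoted)
    if m is None:
        raise ValueError(f"not an ALB request field: {quoted!r}")
    doc = {}
    if m.group("method"):
        doc["http.request.method"] = m.group("method")
    if m.group("url"):
        doc["_tmp.url_orig"] = m.group("url")   # scratch field, as in the patch
    if m.group("version"):
        doc["http.version"] = m.group("version")
    return doc

def uri_parts(url: str) -> dict:
    """Simplified stand-in (assumption) for the url.* fields uri_parts emits."""
    p = urlsplit(url)
    fields = {"url.original": url, "url.scheme": p.scheme,
              "url.domain": p.hostname, "url.path": p.path}
    if p.port is not None:
        fields["url.port"] = p.port
    if p.query:
        fields["url.query"] = p.query
    if p.fragment:
        fields["url.fragment"] = p.fragment
    last = p.path.rsplit("/", 1)[-1].rsplit(".", 1)
    if len(last) == 2 and last[1]:
        fields["url.extension"] = last[1]
    return fields

def enrich(quoted: str) -> dict:
    """grok -> uri_parts -> remove _tmp, mirroring the patched pipeline order."""
    doc = parse_request(quoted)
    raw = doc.pop("_tmp.url_orig", None)       # the trailing `remove` of _tmp
    if raw is not None:
        doc.update(uri_parts(raw))
    return doc

if __name__ == "__main__":
    # Constructed sample request field, in the ALB access-log syntax.
    print(enrich('"GET https://www.example.com:443/blogs/index.html?page=2 HTTP/2.0"'))
```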

@botelastic botelastic bot added the needs_team label Jun 23, 2021
@kaiyan-sheng
Contributor

Hi @stephank , thanks for creating the issue here. Do you have a sample log from ELB (something like https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/aws/elb/test/elb-http.log) that we can use to test the new grok pattern?

@kaiyan-sheng kaiyan-sheng added the Team:Integrations label Jun 23, 2021
@elasticmachine
Collaborator

Pinging @elastic/integrations (Team:Integrations)

@botelastic botelastic bot removed the needs_team label Jun 23, 2021
@legoguy1000
Contributor

legoguy1000 commented Jun 23, 2021

> Hi @stephank , thanks for creating the issue here. Do you have a sample log from ELB (something like https://github.com/elastic/beats/blob/master/x-pack/filebeat/module/aws/elb/test/elb-http.log) that we can use to test the new grok pattern?

@kaiyan-sheng My interpretation of this from the forum was that the current sample logs are the same as what we already have; it's just that the URL that's being parsed shouldn't be the referrer but the actual request. I referenced https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-log-entry-syntax, see the "request" row.

@legoguy1000
Contributor

PR submitted

@ramgurufh

I think these changes are not yet pushed to 7.13.4.

@legoguy1000
Contributor

> I think these changes are not yet pushed to 7.13.4.

Ya it looks like it was only backported to 7.14.
