Add ingress nginx controller fileset #16197

ChrsMark · 2020-02-07T15:20:29Z

Resolves: #8451

This PR adds fileset for ingress-nginx controller logs. Log patterns could be found on the controllers' docs.

~~In order to add the new pipeline a new setting called "version" is being introduced also in this PR. See the sum-up of the discussion on this comment.~~

How to test this

Filebeat

in /tmp/testnginx one can use the sample logs(see test.log file) used for automated testing.
Enable nginx Filebeat module
Configure the fileset.

- module: nginx
  # Access logs
  ingress_controller:
    enabled: true
    var.paths: ["/tmp/testnginx"]

Setup the pipelines in ES: ./filebeat setup
Start Filebeat and verify that events are properly shown in Kibana. NOTE: set the time window properly in Kibana so as to display the events in the timeline since the events have timestamps which will be in the past.

k8s environment

Deploy an ingress managed sample app on Minikube following the official k8s docs
check that ingress controller logs are being populated when doing curls (like described in k8s docs). Ingress controller pod lies under kube-system namespace and you will be able to check its logs with sth like nginx-ingress-controller-6fc5bcc8c9-zm8zv.
Redirect pods' logs to a temporary file: kubectl -n kube-system logs -f nginx-ingress-controller-6fc5bcc8c9-zm8zv >> /tmp/ingresspod
Inside minikube configure nginx module like:

- module: nginx
  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
  ingress_controller:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/tmp/ingresspod"]

Run filebeat and check that logs are parsed correctly and shown in Kibana properly.
Visit http://hello-world.info/v2 so as to create new log entries.

Signed-off-by: chrismark <chrismarkou92@gmail.com>

ChrsMark · 2020-02-10T17:04:47Z

Even if the status is still "in-progress", reviews are more than welcome since the missing part has only to do with autodiscover feature (hence standalone part).

Signed-off-by: chrismark <chrismarkou92@gmail.com>

ChrsMark · 2020-02-11T11:04:56Z

Hey @exekias and @kvch! A first review on this would be helpful so as to confirm the approach before moving on to adding tests and docs 🙂 .

exekias · 2020-02-11T11:31:44Z

This is looking good, I have some concerns about how this would be treated in the future by the agent. @ruflin how do you feel about this concept of version?

ruflin · 2020-02-11T11:44:15Z

Thinking of how this will work within a package and the new indexing strategy I also have some concerns. Let me share some background on why.

With packages and the new indexing strategy, ingest pipelines are never defined by the beat / agent but are already assigned to the index the data ends up in. Sending data to two different ingest pipelines based on some Beats logic will not be possible anymore.

But we have examples where there are JSON and non json logs that we send and the ingest pipeline makes the decision how to do the processing. An example can be found here: https://github.com/elastic/beats/blob/master/filebeat/module/elasticsearch/slowlog/ingest/pipeline.json#L21 This also works with our future model.

What this means for the above is that we need something in the event to detect which ingest pipeline it should route the events to. Few ideas:

There is a special field in the event that allows us to already detect it
A field contains a special string we can detect
We add a config option which adds a field so we can detect it

Comment on naming: Coming from ECS if I see a config or field named "version" I expect it to have a format like 1.4.3. So I would rather use a different term for it.

exekias · 2020-02-11T11:59:12Z

I'm leaning towards making this just another fileset for now (ie ingress-controller), have it disabled by default and make it clear that this is specific for kubernetes deployments. What do you folks think?

ChrsMark · 2020-02-11T16:02:36Z

Changes applied.
Added testing notes.
Manually tested in k8s env and worked as expected.

Signed-off-by: chrismark <chrismarkou92@gmail.com>

exekias

Can you please add a changelog?

Signed-off-by: chrismark <chrismarkou92@gmail.com>

(cherry picked from commit 543a435)

* [Filebeat] move create-[module,fileset,fields] to mage (#15836) - move create-[module,fileset,fields] to mage - make mage create commands available in x-pack/filebeat - change Makefile to use mage for create commands * Elasticsearch index must be lowercase (#16081) * Index names must be lowercase When indexing into Elasticsearch index names must always be lowercase. If the index or indices setting are configured to produce non-lowercase strings (e.g. by extracting part of the index name from the event contents), we need to normalize them to be lowercase. This change ensure that index names are always converted to lowercase. Static strings are converted to lowercase upfront, while dynamic strings will be post-processed. * update kafka/redis/LS output to guarantee lowercase index * add godoc * Regenerate expected files after changes in date parsing (#16139) Elasticsearch has modified the behaviour on date parsing when the date doesn't include timezone data. Regenerate a couple of golden files that are affected by this change. * Add autodiscover for aws_ec2 (#14823) * Add autodiscover for aws_ec2 * Add aws.ec2.* to autodiscover template * Fix a connection error in httpjson input (#16123) * Fix a connection error in httpjson input * Include document_id in decode_json_fields allowed fields (#16156) * ci: run test on Windows (#15570) * feat: run test on Windows * chore: parameter to enable/disable windows test * deleteDir before of the checkout * Update Jenkinsfile * Update Jenkinsfile * Update Jenkinsfile * Update Jenkinsfile * Update Jenkinsfile * Apply suggestions from code review * feat: apply dependency hierarchies * fit: use isChanged for all matches, and add the libbeat match where it is needed * feat: add x-pack/winlogbeat windows unit tests * fix: duplicate when condition * Update Jenkinsfile Co-Authored-By: Andrew Kroh <andrew.kroh@elastic.co> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> * improve kubernetes.pod.cpu.usage.limit.pct field description (#16128) * upgrade github.com/gogo/protobuf/... to v1.3.1 (#16138) * [Filebeat] Add ECS tls & categorization fields to apache module (#16121) * Add ECS tls & categorization fields to apache module - tls.cipher (access) - tls.protocol (access) - tls.protocol_version (access) - event.kind (access) - event.category (access) - event.outcome (access) - lowercase http.request.method for ECS compliance (access) - event.kind (error) - event.category (error) - event.type (error) Closes #16032 * [Metricbeat] Add Overview dashboard to Tomcat module * [Metricbeat] Fix PostgreSQL Dashboard (#16132) * [Metricbeat] Fix PostgreSQL Dashboard * Update version * Fix: imports order (#16207) * [Metricbeat]kube-state-metrics: add storage class support (#16145) * add ksm storage class support * [Journalbeat] Improve parsing of syslog.pid in journalbeat to strip the username when present (#16116) * Improve parsing of syslog.pid in journalbeat to strip the username in pid when present. * Add entry to changelog with pull ID. * Improve the comment on the username strip. * [Agent] Allow CA cert pinning on the Elasticsearch output or any code that user tlscommon.TLSConfig builder. (#16019) * Add a sha256 pin for the CA Certificate When multiples CA are presents on the system we cannot ensure that a specific one was used to validates the chains exposer by the server. This PRs adds a `ca_sha256` option to the `tlscommon.TLSConfig` that is used by all the code that has to create a TCP client with TLS support. When the option is set, it will hook a new callback in the validation chains that will inspect the verified and validated chains by Go to ensure that a lets a certificate in the chains match the provided sha256. Usage example for the Elasticsearch output. ``` output.elasticsearch: hosts: [127.0.0.1:9200] ssl.ca_sha256: <base64_encoded_sha1> ``` You can generate the pin using the **openssl** binary with the following command: ``` openssl x509 -in ca.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 ``` OpenSSL's [documentation](https://www.openssl.org/docs/manmaster/man1/dgst.html) You will need to start Elasticsearch with the following options ```yaml xpack.security.enabled: true indices.id_field_data.enabled: true xpack.license.self_generated.type: trial xpack.security.http.ssl.enabled: true xpack.security.http.ssl.key: /etc/pki/localhost/localhost.key" xpack.security.http.ssl.certificate: /etc/pki/localhost/localhost.crt" xpack.security.http.ssl.certificate_authorities: /etc/pki/ca/ca.crt" ``` This pull request also include a new service in the docker-compose.yml that will start a new Elasticsearch server with TLS and security configured. * [docs] Add 7.6 breaking changes and release highlights (#16202) * [docs] Add early draft of Elastic Log Driver docs (#15799) * Index template will only be loaded if the configured output is Elasticsearch or Elastic Cloud (#16124) (#16225) Minor update to be more explicit on the index template loading requirement. Co-authored-by: romain-chanu <51113389+romain-chanu@users.noreply.github.com> * Remove spaces in prometheus commented out option (#16233) * Fix: don't miss address scheme (#16205) * Fix: don't miss address scheme * Add unit test * Adjust source after code review * Add comment to method * Freeze virtualenv version until issue with CI is resolved (#16235) * [docs] Fix install command to match instructions on docker hub (#16249) * [docs] Add link to observability release blog (#16246) * ci(jenkins): enable fix-permissions to be executed without running make too (#16130) * ci(jenkins): enable fix-permissions to be executed without running make too * ci(jenkins): go modules are stored in the HOME path * ci(jenkins): fix permissions should run only if docker is enabled * Upgrade go-ucfg to version 0.8.2 (#16199) * Upgrade go-ucfg to master, for testing before 0.8.2 release. * Update notice. * Fix tests. * Update to the v0.8.2 release tag and remake NOTICE.txt. * Improve test name. * Add ingress nginx controller fileset (#16197) * update notice Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com> Co-authored-by: Steffen Siering <steffen.siering@elastic.co> Co-authored-by: Jaime Soriano Pastor <jaime.soriano@elastic.co> Co-authored-by: kaiyan-sheng <kaiyan.sheng@elastic.co> Co-authored-by: Lei Qiu <lei.qiu@elastic.co> Co-authored-by: Fae Charlton <fae.charlton@elastic.co> Co-authored-by: Ivan Fernandez Calvo <kuisathaverat@users.noreply.github.com> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> Co-authored-by: Chris Mark <chrismarkou92@gmail.com> Co-authored-by: Gil Raphaelli <g@raphaelli.com> Co-authored-by: Mario Castro <mariocaster@gmail.com> Co-authored-by: Dimitri Mazmanov <sorantis@gmail.com> Co-authored-by: Marcin Tojek <mtojek@users.noreply.github.com> Co-authored-by: Pablo Mercado <pablo.mercado@elastic.co> Co-authored-by: Blake Rouse <blake.rouse@elastic.co> Co-authored-by: Pier-Hugues Pellerin <phpellerin@gmail.com> Co-authored-by: DeDe Morton <dede.morton@elastic.co> Co-authored-by: romain-chanu <51113389+romain-chanu@users.noreply.github.com> Co-authored-by: Michal Pristas <michal.pristas@gmail.com> Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>

* [Filebeat] move create-[module,fileset,fields] to mage (elastic#15836) - move create-[module,fileset,fields] to mage - make mage create commands available in x-pack/filebeat - change Makefile to use mage for create commands * Elasticsearch index must be lowercase (elastic#16081) * Index names must be lowercase When indexing into Elasticsearch index names must always be lowercase. If the index or indices setting are configured to produce non-lowercase strings (e.g. by extracting part of the index name from the event contents), we need to normalize them to be lowercase. This change ensure that index names are always converted to lowercase. Static strings are converted to lowercase upfront, while dynamic strings will be post-processed. * update kafka/redis/LS output to guarantee lowercase index * add godoc * Regenerate expected files after changes in date parsing (elastic#16139) Elasticsearch has modified the behaviour on date parsing when the date doesn't include timezone data. Regenerate a couple of golden files that are affected by this change. * Add autodiscover for aws_ec2 (elastic#14823) * Add autodiscover for aws_ec2 * Add aws.ec2.* to autodiscover template * Fix a connection error in httpjson input (elastic#16123) * Fix a connection error in httpjson input * Include document_id in decode_json_fields allowed fields (elastic#16156) * ci: run test on Windows (elastic#15570) * feat: run test on Windows * chore: parameter to enable/disable windows test * deleteDir before of the checkout * Update Jenkinsfile * Update Jenkinsfile * Update Jenkinsfile * Update Jenkinsfile * Update Jenkinsfile * Apply suggestions from code review * feat: apply dependency hierarchies * fit: use isChanged for all matches, and add the libbeat match where it is needed * feat: add x-pack/winlogbeat windows unit tests * fix: duplicate when condition * Update Jenkinsfile Co-Authored-By: Andrew Kroh <andrew.kroh@elastic.co> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> * improve kubernetes.pod.cpu.usage.limit.pct field description (elastic#16128) * upgrade github.com/gogo/protobuf/... to v1.3.1 (elastic#16138) * [Filebeat] Add ECS tls & categorization fields to apache module (elastic#16121) * Add ECS tls & categorization fields to apache module - tls.cipher (access) - tls.protocol (access) - tls.protocol_version (access) - event.kind (access) - event.category (access) - event.outcome (access) - lowercase http.request.method for ECS compliance (access) - event.kind (error) - event.category (error) - event.type (error) Closes elastic#16032 * [Metricbeat] Add Overview dashboard to Tomcat module * [Metricbeat] Fix PostgreSQL Dashboard (elastic#16132) * [Metricbeat] Fix PostgreSQL Dashboard * Update version * Fix: imports order (elastic#16207) * [Metricbeat]kube-state-metrics: add storage class support (elastic#16145) * add ksm storage class support * [Journalbeat] Improve parsing of syslog.pid in journalbeat to strip the username when present (elastic#16116) * Improve parsing of syslog.pid in journalbeat to strip the username in pid when present. * Add entry to changelog with pull ID. * Improve the comment on the username strip. * [Agent] Allow CA cert pinning on the Elasticsearch output or any code that user tlscommon.TLSConfig builder. (elastic#16019) * Add a sha256 pin for the CA Certificate When multiples CA are presents on the system we cannot ensure that a specific one was used to validates the chains exposer by the server. This PRs adds a `ca_sha256` option to the `tlscommon.TLSConfig` that is used by all the code that has to create a TCP client with TLS support. When the option is set, it will hook a new callback in the validation chains that will inspect the verified and validated chains by Go to ensure that a lets a certificate in the chains match the provided sha256. Usage example for the Elasticsearch output. ``` output.elasticsearch: hosts: [127.0.0.1:9200] ssl.ca_sha256: <base64_encoded_sha1> ``` You can generate the pin using the **openssl** binary with the following command: ``` openssl x509 -in ca.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 ``` OpenSSL's [documentation](https://www.openssl.org/docs/manmaster/man1/dgst.html) You will need to start Elasticsearch with the following options ```yaml xpack.security.enabled: true indices.id_field_data.enabled: true xpack.license.self_generated.type: trial xpack.security.http.ssl.enabled: true xpack.security.http.ssl.key: /etc/pki/localhost/localhost.key" xpack.security.http.ssl.certificate: /etc/pki/localhost/localhost.crt" xpack.security.http.ssl.certificate_authorities: /etc/pki/ca/ca.crt" ``` This pull request also include a new service in the docker-compose.yml that will start a new Elasticsearch server with TLS and security configured. * [docs] Add 7.6 breaking changes and release highlights (elastic#16202) * [docs] Add early draft of Elastic Log Driver docs (elastic#15799) * Index template will only be loaded if the configured output is Elasticsearch or Elastic Cloud (elastic#16124) (elastic#16225) Minor update to be more explicit on the index template loading requirement. Co-authored-by: romain-chanu <51113389+romain-chanu@users.noreply.github.com> * Remove spaces in prometheus commented out option (elastic#16233) * Fix: don't miss address scheme (elastic#16205) * Fix: don't miss address scheme * Add unit test * Adjust source after code review * Add comment to method * Freeze virtualenv version until issue with CI is resolved (elastic#16235) * [docs] Fix install command to match instructions on docker hub (elastic#16249) * [docs] Add link to observability release blog (elastic#16246) * ci(jenkins): enable fix-permissions to be executed without running make too (elastic#16130) * ci(jenkins): enable fix-permissions to be executed without running make too * ci(jenkins): go modules are stored in the HOME path * ci(jenkins): fix permissions should run only if docker is enabled * Upgrade go-ucfg to version 0.8.2 (elastic#16199) * Upgrade go-ucfg to master, for testing before 0.8.2 release. * Update notice. * Fix tests. * Update to the v0.8.2 release tag and remake NOTICE.txt. * Improve test name. * Add ingress nginx controller fileset (elastic#16197) * update notice Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com> Co-authored-by: Steffen Siering <steffen.siering@elastic.co> Co-authored-by: Jaime Soriano Pastor <jaime.soriano@elastic.co> Co-authored-by: kaiyan-sheng <kaiyan.sheng@elastic.co> Co-authored-by: Lei Qiu <lei.qiu@elastic.co> Co-authored-by: Fae Charlton <fae.charlton@elastic.co> Co-authored-by: Ivan Fernandez Calvo <kuisathaverat@users.noreply.github.com> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> Co-authored-by: Chris Mark <chrismarkou92@gmail.com> Co-authored-by: Gil Raphaelli <g@raphaelli.com> Co-authored-by: Mario Castro <mariocaster@gmail.com> Co-authored-by: Dimitri Mazmanov <sorantis@gmail.com> Co-authored-by: Marcin Tojek <mtojek@users.noreply.github.com> Co-authored-by: Pablo Mercado <pablo.mercado@elastic.co> Co-authored-by: Blake Rouse <blake.rouse@elastic.co> Co-authored-by: Pier-Hugues Pellerin <phpellerin@gmail.com> Co-authored-by: DeDe Morton <dede.morton@elastic.co> Co-authored-by: romain-chanu <51113389+romain-chanu@users.noreply.github.com> Co-authored-by: Michal Pristas <michal.pristas@gmail.com> Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>

ChrsMark added 5 commits February 7, 2020 17:19

Add version configuration option for fileset

117fda5

Signed-off-by: chrismark <chrismarkou92@gmail.com>

Add patterns

8cd4bb3

Signed-off-by: chrismark <chrismarkou92@gmail.com>

update configuration

006df2f

Signed-off-by: chrismark <chrismarkou92@gmail.com>

Fix patterns

bef859e

Signed-off-by: chrismark <chrismarkou92@gmail.com>

Update testing script to test with pipeline version

de7689d

Signed-off-by: chrismark <chrismarkou92@gmail.com>

ChrsMark self-assigned this Feb 10, 2020

ChrsMark requested a review from a team February 10, 2020 17:01

ChrsMark added autodiscovery containers Related to containers use case Team:Integrations Label for the Integrations team Team:Platforms Label for the Integrations - Platforms team enhancement Filebeat Filebeat [zube]: In Progress in progress Pull request is currently in progress. labels Feb 10, 2020

ChrsMark marked this pull request as ready for review February 10, 2020 17:02

ChrsMark added 5 commits February 11, 2020 11:02

fmt code

2df493b

Signed-off-by: chrismark <chrismarkou92@gmail.com>

Add fields description

7853de0

Signed-off-by: chrismark <chrismarkou92@gmail.com>

Add version handling in hints autodiscover

ea34b38

Signed-off-by: chrismark <chrismarkou92@gmail.com>

Add autodiscover unit-tests

fb96825

Signed-off-by: chrismark <chrismarkou92@gmail.com>

fmt code

7ddc546

Signed-off-by: chrismark <chrismarkou92@gmail.com>

ChrsMark added the review label Feb 11, 2020

andresrc added [zube]: Inbox and removed [zube]: In Progress [zube]: Inbox labels Feb 11, 2020

zube bot removed the test-plan Add this PR to be manual test plan label Feb 11, 2020

fix test

ee18fcb

Signed-off-by: chrismark <chrismarkou92@gmail.com>

exekias approved these changes Feb 11, 2020

View reviewed changes

ChrsMark added 4 commits February 12, 2020 10:10

Add changelog entry

f775dc5

Signed-off-by: chrismark <chrismarkou92@gmail.com>

Merge remote-tracking branch 'upstream/master' into ingress_nginx

d9d70b2

fix expected fields

bc4504d

Signed-off-by: chrismark <chrismarkou92@gmail.com>

Fix expcted files with proper ES SNAPSHOT

af021e8

Signed-off-by: chrismark <chrismarkou92@gmail.com>

ChrsMark merged commit 543a435 into elastic:master Feb 12, 2020

zube bot added [zube]: Done and removed [zube]: In Review labels Feb 12, 2020

ChrsMark added a commit to ChrsMark/beats that referenced this pull request Feb 12, 2020

Add ingress nginx controller fileset (elastic#16197)

82e5f02

(cherry picked from commit 543a435)

ChrsMark mentioned this pull request Feb 12, 2020

Cherry-pick #16197 to 7.x: Add ingress nginx controller fileset #16268

Merged

ChrsMark removed the needs_backport PR is waiting to be backported to other branches. label Feb 12, 2020

ChrsMark added a commit that referenced this pull request Feb 13, 2020

Cherry-pick #16197 to 7.x: Add ingress nginx controller fileset (#16268)

6464944

andresrc removed the [zube]: Done label Feb 19, 2020

This was referenced Apr 6, 2020

Add ingress_controller docs #17510

Merged

Cherry-pick #17510 to 7.x: Add ingress_controller docs #17584

Merged

Cherry-pick #17510 to 7.7: Add ingress_controller docs #17585

Merged

sejbot mentioned this pull request Apr 20, 2020

Change ingress_controller fields mapping from text to keyword #17834

Closed

This was referenced Sep 10, 2020

Add ingress controller dashboards #21052

Merged

Cherry-pick #21052 to 7.x: Add ingress controller dashboards #21054

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add ingress nginx controller fileset #16197

Add ingress nginx controller fileset #16197

ChrsMark commented Feb 7, 2020 •

edited

Loading

ChrsMark commented Feb 10, 2020

ChrsMark commented Feb 11, 2020

exekias commented Feb 11, 2020

ruflin commented Feb 11, 2020

exekias commented Feb 11, 2020 •

edited

Loading

ChrsMark commented Feb 11, 2020 •

edited

Loading

exekias left a comment

Add ingress nginx controller fileset #16197

Add ingress nginx controller fileset #16197

Conversation

ChrsMark commented Feb 7, 2020 • edited Loading

How to test this

Filebeat

k8s environment

ChrsMark commented Feb 10, 2020

ChrsMark commented Feb 11, 2020

exekias commented Feb 11, 2020

ruflin commented Feb 11, 2020

exekias commented Feb 11, 2020 • edited Loading

ChrsMark commented Feb 11, 2020 • edited Loading

exekias left a comment

Choose a reason for hiding this comment

ChrsMark commented Feb 7, 2020 •

edited

Loading

exekias commented Feb 11, 2020 •

edited

Loading

ChrsMark commented Feb 11, 2020 •

edited

Loading