MongoDB module

[kvch]

I added a new Filebeat module for MongoDB what I created during testing the FB module generator tooling.

This is the dashboard I created:

It does not look good, as I hasn't been able to get real error messages from my instance.

[ruflin]

Should we use @timestamp for this?

[kvch]

What do you mean?

[ruflin]

Defining timestamp here means it will be mongodb.log.timestamp in the event. But normally the processed timestamp from the log line when the event happened ends up in @timestamp. Is this a different timestamp here?

[kvch]

I think a separate timestamp field is required, because it stores the actual time the log was generated. @timestamp is the time it was processed. These two times are not necessarily the same.

[ruflin]

We have similar behaviour in other modules, for example Kafka. What we do there is that we have the timestamp of the actual log line in @timestamp and the one when the log line was actually read in read_timestamp. Name of read_timestamp is not great but we don't have a better one yet.

If you look at the ingest pipeline of the Kafka module you will see the the timestamps are moved around to make sure @timestamp is the one after processing.

[ruflin]

We should use the common message field here.

[kvch]

I dropped type: text.

[ruflin]

I was thinking this should go into the top level message field. But looking at other modules I see we don't do this yet.

The behaviour I would expect is that the extracted message part of the log line ends up in the top level message field and the raw log line for example under log.message or log.raw. I'm good with keeping it as is as it's not different in other modules yet.

If we have it here, it probably makes sense to keep it as text and not keyword.

[kvch]

I readded text.

[ruflin]

This is interesting as I so far assume serverity is a sortable integer in ECS. It seems what is used here as severity is more log.level. @MikePaquette FYI

[kvch]

I came up with field names based on MongoDB logging guide: https://docs.mongodb.com/manual/reference/log-messages/ It might provide more context on the subject.
However, I agree that it is a bit weird in MongoDB. If you look at the section "Severity", you can see the taxonomy of log levels. So I am not sure why it's named severity.
Does it cause problem in ECS?

[ruflin]

I think we can keep it as is as it's under the mongodb namespace. In case we map this to ECS later it would end up in log.level from my perspective. No need to solve this now.

[kvch]

@ruflin I think it's ready for a new round of review. Travis fails, because of XPack installation problems.

[ruflin]

PR looks good to me. I would suggest we release this first as beta, get some feedback and then push it to GA in the next minor?

[ruflin]

What does all logs mean here? Does mongodb only have 1 type of logs?

[kvch]

Yes, that's all I found in their docs: https://docs.mongodb.com/manual/reference/log-messages/

[ruflin]

I think we can keep it as is as it's under the mongodb namespace. In case we map this to ECS later it would end up in log.level from my perspective. No need to solve this now.

[ruflin]

Mongodb log logs -> I think I start to understand why you call the filset log. What exactly is in these logs?

[kvch]

Everything is green.