diff --git a/x-pack/plugins/infra/public/containers/logs/with_stream_items.ts b/x-pack/plugins/infra/public/containers/logs/with_stream_items.ts
index 747e16d37f51f..3421f93956bc9 100644
--- a/x-pack/plugins/infra/public/containers/logs/with_stream_items.ts
+++ b/x-pack/plugins/infra/public/containers/logs/with_stream_items.ts
@@ -51,7 +51,7 @@ const createLogEntryStreamItem = (logEntry: LogEntry, searchResult?: SearchResul
 fields: {
 time: logEntry.key.time,
 tiebreaker: logEntry.key.tiebreaker,
- message: logEntry.message.map(formatMessageSegment).join(' '),
+ message: logEntry.message.map(formatMessageSegment).join(''),
 },
 },
 searchResult,
diff --git a/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_apache2.ts b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_apache2.ts
new file mode 100644
index 0000000000000..cdb2ad32267ca
--- /dev/null
+++ b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_apache2.ts
@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const filebeatApache2Rules = [
+ {
+ when: {
+ exists: ['apache2.access'],
+ },
+ format: [
+ {
+ constant: 'apache2',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'apache2.access.remote_ip',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'apache2.access.user_name',
+ },
+ {
+ constant: ' "',
+ },
+ {
+ field: 'apache2.access.method',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'apache2.access.url',
+ },
+ {
+ constant: ' HTTP/',
+ },
+ {
+ field: 'apache2.access.http_version',
+ },
+ {
+ constant: '" ',
+ },
+ {
+ field: 'apache2.access.response_code',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'apache2.access.body_sent.bytes',
+ },
+ ],
+ },
+];
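Review bot: The rule's `exists: ['apache2.access']` guards only the parent object, yet its `format` list reads nine sub-fields (`apache2.access.user_name`, `apache2.access.http_version`, …) that can be absent from an access event, and what the formatter emits for a missing field is decided outside this diff. Either list the fields the message cannot do without in `exists`, or state the contract above the export: `// Matches any apache2 access event; absent sub-fields are left to the formatter's missing-field handling.` This file and `filebeat_nginx.ts` in the next hunk differ only in the `apache2`/`nginx` prefix, so one helper taking the module prefix would keep the two access-log formats from drifting. For whoever renders the result: `remote_ip`, `user_name` and `url` are copied verbatim from the client request, so the assembled message is untrusted text and has to be displayed as text, never as markup.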
diff --git a/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_nginx.ts b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_nginx.ts
new file mode 100644
index 0000000000000..d44fe4924490b
--- /dev/null
+++ b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_nginx.ts
@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const filebeatNginxRules = [
+ {
+ when: {
+ exists: ['nginx.access'],
+ },
+ format: [
+ {
+ constant: 'nginx',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'nginx.access.remote_ip',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'nginx.access.user_name',
+ },
+ {
+ constant: ' "',
+ },
+ {
+ field: 'nginx.access.method',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'nginx.access.url',
+ },
+ {
+ constant: ' HTTP/',
+ },
+ {
+ field: 'nginx.access.http_version',
+ },
+ {
+ constant: '" ',
+ },
+ {
+ field: 'nginx.access.response_code',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'nginx.access.body_sent.bytes',
+ },
+ ],
+ },
+];
diff --git a/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_redis.ts b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_redis.ts
new file mode 100644
index 0000000000000..e842a54457769
--- /dev/null
+++ b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_redis.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const filebeatRedisRules = [
+ {
+ when: {
+ exists: ['redis.log.message'],
+ },
+ format: [
+ {
+ constant: 'redis',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'redis.log.message',
+ },
+ ],
+ },
+];
diff --git a/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_system.ts b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_system.ts
new file mode 100644
index 0000000000000..0a84720fc8cfb
--- /dev/null
+++ b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_system.ts
@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const filebeatSystemRules = [
+ {
+ when: {
+ exists: ['system.syslog.message'],
+ },
+ format: [
+ {
+ field: 'system.syslog.message',
+ },
+ ],
+ },
+ {
+ when: {
+ exists: ['system.auth.message'],
+ },
+ format: [
+ {
+ field: 'system.auth.message',
+ },
+ ],
+ },
+ {
+ when: {
+ exists: ['system.auth.ssh.event'],
+ },
+ format: [
+ {
+ constant: 'ssh',
+ },
+ {
+ constant: ' ',
+ },
+ {
+ field: 'system.auth.ssh.event',
+ },
+ {
+ constant: ' user ',
+ },
+ {
+ field: 'system.auth.user',
+ },
+ {
+ constant: ' from ',
+ },
+ {
+ field: 'system.auth.ssh.ip',
+ },
+ ],
+ },
+ {
+ when: {
+ exists: ['system.auth.ssh.dropped_ip'],
+ },
+ format: [
+ {
+ constant: 'ssh',
+ },
+ {
+ constant: ' Dropped connection from ',
+ },
+ {
+ field: 'system.auth.ssh.dropped_ip',
+ },
+ ],
+ },
+];
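Review bot: Rule order in `filebeatSystemRules` can make the two ssh rules unreachable: the `system.auth.message` rule precedes the `system.auth.ssh.event` and `system.auth.ssh.dropped_ip` rules, so if the formatter applies the first matching rule and an ssh event from the same module also carries `system.auth.message`, the specific ssh formatting never runs. Whether first-match wins is decided in the formatter, outside this diff, so confirm it; if it does, move the two ssh rules above the `system.auth.message` rule and record why: `// Order matters: the specific ssh rules must precede the generic auth/syslog message rules.` The ssh rule also formats `system.auth.user` and `system.auth.ssh.ip` while `exists` checks only `system.auth.ssh.event`, so an event lacking either field yields a message with an empty user or ip slot, subject to the formatter's missing-field handling; since these lines feed authentication-event review, that gap is worth a comment or an extended `exists` list.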
diff --git a/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/generic.ts b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/generic.ts
new file mode 100644
index 0000000000000..bd0e51d5c8d30
--- /dev/null
+++ b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/generic.ts
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const genericRules = [
+ {
+ when: {
+ exists: ['message'],
+ },
+ format: [
+ {
+ field: 'message',
+ },
+ ],
+ },
+ {
+ when: {
+ exists: ['@message'],
+ },
+ format: [
+ {
+ field: '@message',
+ },
+ ],
+ },
+];
diff --git a/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/index.ts b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/index.ts
index d874cad12f6cf..2e0c5ac1a9ac6 100644
--- a/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/index.ts
+++ b/x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/index.ts
@@ -4,44 +4,28 @@
 * you may not use this file except in compliance with the Elastic License.
 */
 
+import { filebeatApache2Rules } from './filebeat_apache2';
+import { filebeatNginxRules } from './filebeat_nginx';
+import { filebeatRedisRules } from './filebeat_redis';
+import { filebeatSystemRules } from './filebeat_system';
+import { genericRules } from './generic';
+
 export const builtinRules = [
+ ...filebeatApache2Rules,
+ ...filebeatNginxRules,
+ ...filebeatRedisRules,
+ ...filebeatSystemRules,
+ ...genericRules,
 {
 when: {
- exists: ['system.syslog.message'],
- },
- format: [
- {
- field: 'system.syslog.message',
- },
- ],
- },
- {
- when: {
- exists: ['system.auth.message'],
+ exists: ['source'],
 },
 format: [
 {
- field: 'system.auth.message',
+ constant: 'failed to format message from ',
 },
- ],
- },
- {
- when: {
- exists: ['message'],
- },
- format: [
- {
- field: 'message',
- },
- ],
- },
- {
- when: {
- exists: ['@message'],
- },
- format: [
 {
- field: '@message',
+ field: 'source',
 },
 ],
 },
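Review bot: `builtinRules` now depends on evaluation order — the spread module rule sets, then the generic `message`/`@message` rules, then the new `source` fallback — and nothing in the file says so; whether an earlier rule shadows a later one is decided by the formatter, outside this hunk, so the intent should be written down where the next contributor adds a rule set. Add above `export const builtinRules = [`: `// Evaluated in order: module-specific rules first, generic message fields next, the 'source' fallback last; keep new rule sets above ...genericRules.` The fallback turns an event that has only a `source` field into `failed to format message from <source value>`, which reads like an error although it is the expected fallback path; a neutral wording would avoid misleading anyone triaging the stream. The array's closing `];` lies outside the hunk.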