Rebase #1

Fix an issue with a partial enroll, when a user refused to overrides a local configuration actually the enroll command did already used the token on the ES cluster, this commit move the confirm in the CM instead of having it in the Enroll's function and is executed by sending the token or creating any files on disk. Fixes: #10150

Moved the definition of `agent.hostname` to fields.common.yml

Missing changelog for #11067

…2 interface (#10962) This is the first Kubernetes modules which uses the new testing interface too

Fixes a number of issues in the `user` dataset discovered while testing on Fedora 29: * When calling C functions via cgo, don't rely on errno as an indicator of success - check the return value first. * Set errno to 0 before calling getpwent(3) or getspent(3). * Make C function calls thread-safe. * Address a systemd bug where it can return ENOENT even when there is no error. * Don't fail on every error. * Fail system test on WARN/ERROR messages in the log.

These dashboards are now maintained in the new elastic/uptime-contrib repo, so the docs should point there.

TCP checks are not adding URL fields on NXDOMAIN endpoints. This fixes that issue. It does so by ensuring that URL metadata is added before executing the check, and not during, as done previously. A side effect of this is that we now perform DNS lookups once per `{hostname,port}` instead of once per `{hostname}`. This is worth the increased simplicity however, as the code would be quite convoluted otherwise, which would put us at risk for more bugs. Related (but different) 6.x issue: #10777 Fix import formatting

This PR is part of #10071. Co-Authored-By: Stamatis Katsaounis <katsaouniss@gmail.com> Co-Authored-By: Michael Katsoulis <michaelkatsoulis88@gmail.com>

* Import updated ECS 1.0.0 go library. * Adjust Packetbeat to use int64 for URL ports. * Re-generate golden files for filebeat and x-pack/filebeat

* Fix fields.yml for sqs from message.* to messages.* and field type * Change type back to long * Add format: bytes

After repeatedly running the Elasticsearch module integration test in Metricbeat, I found that sometimes Elasticsearch doesn't get enough time to perform CCR and generate CCR stats. This causes the following error, but only some times: ``` --- FAIL: TestFetch (2.44s) --- FAIL: TestFetch/ccr (0.08s) elasticsearch_integration_test.go:92: Error Trace: elasticsearch_integration_test.go:92 Error: Should NOT be empty, but was [] Test: TestFetch/ccr ``` So this PR adds a 300ms sleep to give Elasticsearch enough time to perform CCR and generate CCR stats. After testing various sleep durations, I found that 300ms seemed to be the lowest (round) value I could use that consistently passed this test. Possibly related: #10866

…1051) Refer to #10774 for more info

The Monitoring Bulk API (`POST _xpack/monitoring/_bulk`) does not interpret `_type` in the bulk metadata the same was as the regular Bulk API (`POST _bulk`). In the case of the Monitoring Bulk API, `_type` has a special meaning. It does not correspond to the Elasticsearch document `_type` but rather a `type` field within monitoring documents. The `_type` of those monitoring documents gets automatically set to `_doc` by the Monitoring Bulk API. Therefore, the Beats monitoring code should always send `_type` to the Monitoring Bulk API.

* Add instance.state.name into fields.yml * Rebase and regenerate fields.yml * Update changelog

* Fix sqs queue name * Add function to get queueUrls * Fix field names from message to messages * Move looping through each queueURL into a separate function

* Update aws documentation * Add checks for instance fields in TestFetch * Add tests for CheckTimestampInArray and FindTimestamp * Update comment for CheckTimestampInArray * Change test to table driven * Adopt CheckTimestampInArray and FindTimestamp in S3 and SQS

This updates the ingest pipeline loading to look at the pipeline definition file extension and use a JSON or YAML decoder depending on the type.

The structures `Field` and `Fields` are moved from `common` to the package `mapping`. This is a step towards moving things from the abused package `common`. I would like to move fields and other asset related functionality to this package in the future.

At the moment, docker containers are shared between tests. Password test changes the password as part of its checks, what can affect the connection of other tests using the same instance, skip this test by now to avoid flakiness in the rest of tests.

SIGHUP is sent to a process if the user's terminal is disconnected. It is one of the five termination signals. Currently, Beats is going to terminate suddenly, i.e. the log will cut off, no shutdown actions are going to be run, etc. This change catches SIGHUP as it already does SIGINT/SIGTERM and runs the usual shutdown actions. This can include waiting for a period of time specified using the shutdown_timeout option Filebeat and Packetbeat support.

They were accidentally removed by #11150.

* Update ingest pipelines to use event.timezone Previously, `beats.timezone` was used, in master it's not available anymore. However, some ingest pipelines were still using it.

…11232) Excludes kernel processes on Linux. They don't provide a lot of value, the names are not unique, and they will not be able to use potential future features like process executable hashes.

The script processor executes Javascript code to process an event. The processor uses a pure Go implementation of ECMAScript 5.1. This can be useful in situations where one of the other processors doesn’t provide the functionality you need to filter events. The processor can be configured by embedding Javascript in your configuration file or by pointing the processor at external file(s). See the included documentation for the full details. processors: - script: type: javascript code: > function process(event) { event.Tag("js"); } For observability it can add metrics with a histogram of the execution time and a counter for the number of exceptions that occur. There is an optional timeout configuration option to the processor that will timeout the execution by interrupting the JS code. Rather than have libbeat force the inclusion of the script processor in all Beats, make each Beat opt into the processor. It is imported by the log processing Beats (filebeat, journalbeat, and winlogbeat). Benchmark Results Here's a benchmark to get a rough idea of how long it takes to process an event in the processor's runtime I updated the benchmark to test each case with and without the timeout enabled. BenchmarkBeatEventV0/Put-12 2000000 707 ns/op BenchmarkBeatEventV0/timeout_Put-12 1000000 1510 ns/op BenchmarkBeatEventV0/Object_Put_Key-12 2000000 631 ns/op BenchmarkBeatEventV0/timeout_Object_Put_Key-12 1000000 1252 ns/op BenchmarkBeatEventV0/Get-12 2000000 750 ns/op BenchmarkBeatEventV0/timeout_Get-12 1000000 1495 ns/op BenchmarkBeatEventV0/Get_Undefined_Key-12 1000000 1039 ns/op BenchmarkBeatEventV0/timeout_Get_Undefined_Key-12 1000000 2108 ns/op BenchmarkBeatEventV0/fields_get_key-12 2000000 1044 ns/op BenchmarkBeatEventV0/timeout_fields_get_key-12 1000000 2051 ns/op BenchmarkBeatEventV0/Get_@metadata-12 2000000 750 ns/op BenchmarkBeatEventV0/timeout_Get_@metadata-12 1000000 1745 ns/op BenchmarkBeatEventV0/Put_@metadata-12 1000000 1048 ns/op BenchmarkBeatEventV0/timeout_Put_@metadata-12 500000 2623 ns/op BenchmarkBeatEventV0/Delete_@metadata-12 2000000 842 ns/op BenchmarkBeatEventV0/timeout_Delete_@metadata-12 1000000 1629 ns/op BenchmarkBeatEventV0/Cancel-12 2000000 759 ns/op BenchmarkBeatEventV0/timeout_Cancel-12 1000000 1329 ns/op BenchmarkBeatEventV0/Tag-12 1000000 1189 ns/op BenchmarkBeatEventV0/timeout_Tag-12 1000000 1973 ns/op BenchmarkBeatEventV0/AppendTo-12 2000000 644 ns/op BenchmarkBeatEventV0/timeout_AppendTo-12 1000000 1347 ns/op

Setting the PYTHON_EXE environment variable causes new Python virtual environments to be created using the specified interpreter. Both `make` and `mage` honor the variable. For example, `PYTHON_EXE=python2.7 make python-env`.

To help debug #11261.

* Change URLPATH grok pattern to support [] * Update URIPATHWITHBRACKET with the current URIPATH * Add changelog

…name, etc. in fields.yml (#11134) * Add Kubernetes missing fields: replica-set.name, statefulset.name and deployment.name, to libbeat add_kubernetes_metadata processor fields.yml and add a few test cases. * Remove duplicate fields in metricbeat fields.yml

* Add aws sqs overview dashboard * Add sqs overview dashboard into documentation

…ce address (#11256) * Add support for iis 7.5 log with different destination/source address * update changelog * Add test with IPv6 ip address

In #9648 the monitor generator script was removed, but its supporting files were not. This commit removes the remaining legacy files.

The repository the documentation was previously linking to (https://github.com/jlevesy/githubbeat) is now inactive, the owner suggests using the following fork instead: https://github.com/josephlewis42/githubbeat

* rabbitmq.node.name was duplicated and alias pointed to itself * rabbitmq.connection.name was falsely migrated to `rabbitmq.name` Also adding tests to Filebeat and Metricbeat to ensure this does not happen again in the future. Closes #11271

Currently we check in python tests that the fields are documented. As by now we have all the fields also available in the go code with the fields.go files it is possible to do this check in the new data tests. To prevent cyclic imports the data_test.go had to be moved to its own package. Now by default all modules are imported. Like this we don't have to add each module manually.

Docker containers can have empty ip addresses if they are running in host network mode or if they are stopped. Collecting lists with empty addresses can make type mapping to fail when trying to store them as ip addresses. Fix #11225

…11288)

This is to make it more clear this is for the migration from 6.7 to 7.0.

for APM, where beatname_lc=apm-server but beat_default_index_prefix=apm

* Fix test failure of auditbeat for s390x * avoid filebeat test failure on big endian machines

Set a default request timeout of 10 seconds to metricbeat HTTP helpers so there are less chances of leaking established connections. Add a connection timeout that defaults to two seconds so connections fail fast in case of network connectivity problems.

Co-Authored-By: Ioannis Androulidakis <ioannis@arrikto.com>

* Update schema version in monitoring index name * Update tests

Resolves #9480. Starting Elasticsearch 7.0.0, Beats should ship their monitoring data to the `_monitoring/bulk` Elasticsearch API endpoint. Prior to 7.0.0, `_xpack/monitoring/_bulk` should be used. This PR implements this version-based conditional logic. I used Wireshark to look at the ES API endpoints being hit. Running this PR with ES 8.0.0 or ES 7.0.0, I confirmed that the `POST _monitoring/bulk` endpoint was being hit: <img width="1436" alt="Screen Shot 2019-03-14 at 10 55 52 AM" src="https://user-images.githubusercontent.com/51061/54380101-ed567780-4647-11e9-8ed1-9b9020bb85d4.png"> And running this PR with ES 6.7.0, I confirmed that the `POST _xpack/monitoring/_bulk` endpoint was being hit: <img width="1437" alt="Screen Shot 2019-03-14 at 10 56 42 AM" src="https://user-images.githubusercontent.com/51061/54380094-eaf41d80-4647-11e9-8658-d9a6ba14541b.png">

* implement Close() for docker metricsets

Outleters start a goroutine to handle the finalization of filebeat. If the outleter is closed by other means the goroutine will be kept running even if it has nothing to do, leaking goroutines. Stop this goroutine if the outleter is closed.

* treat empty meta as non existent * test made parallel friendly * changelog plus typos in beats.go * perform atomic write of meta.json

Some modules under x-pack had their dashboards images below the OSS beat directory. This PR moves those images under x-pack.

* Check License for basic or better

This reverts commit 9ff8392.

* Adding categorization fields for the system/auth module This PR adds the following fields for the SSH login events: * `event.category: authentication` * `event.action: ssh_login` * `event.type` either `authentication_success` or `authentication_failure` The `event.outcome` is currently not quite ECS compliant, but I didn't touch it to avoid a breaking change. The PR doesn't attempt to categorize other logs besides the SSH login attempts, so it's a subset of #9905, but it's what we need for the UI. * Normalized event.outcome and brought back `system.auth.ssh.event`. * changelog

After the refactor done in #11032, baseData was not being passed to the HTTP helper, so authentication was not working. Added a test to avoid regressions here. Fix #11351

Signed-off-by: Chris <chrismarkou92@gmail.com>

Block the response only during a time or till the conext is done. Close body if a request object is returned.

* Migrate mysql/galera_status to ReporterV2

Previous fix (#11006) made Winlogbeat escape CRLF control characters which are expected in Windows event logs. Fixes #11328

Closes #10969. In Kibana as of 7.0, the default query language is no longer Lucene, but KQL (Kibana Query Language). This PR updates all of the JSON objects to use the new language, and modifies any existing queries to the new syntax (if needed - most of them stayed the same).

* Add JS require with modules This adds a `require` function to the JS runtime that scripts can call to import "modules". Some standard modules that are added in this PR are - `processor` - You can construct beat processors in JS (e.g. `new processor.Dissect({...})`). - `console` - You can write to beat's logger. - `path` - You can parse win32 and posix paths. The `processor` module supports constructing: - `AddCloudMetadata` - `AddDockerMetadata` - `AddHostMetadata` - `AddKubernetesMetadata` - `AddLocale` - `AddProcessMetadata` - `CommunityID` - `DecodeJSONFields` - `Dissect` - `DNS` * Add github.com/dop251/goja_nodejs to vendor

Signed-off-by: Chris <chrismarkou92@gmail.com> Signed-off-by: Chris Mark <chrismarkou92@gmail.com>

Adds `event.category: authentication` and `event.type: authentication_success` (or `authentication_failure`).

A new processor is introduced as part of support for keeping orignal messages. Options and naming follows the convention of other processors. ### `copy_fields` This processor copies one field to another. Example configuration is below: ```yaml processors: - copy_fields: fields: - from: message to: event.original fail_on_error: false ignore_missing: true ```

* migrate golang module to ReporterV2 error

* Make geoip steps generic and move to libbeat * Add changes from review * Add topic to all the beats

* fixed error format to include faulting file,some go lint issues * changelog updated * review round 1 * not breaking

Register modules with the script processor.

* wong assumption? * indicate skip for arrays * changelog * make one liner * not marking as breaking change

* migrate vsphere/datastore to ReporterV2

Add Namespace to prometheus helper mappings

Add test files for MySQL 8, Percona 8 and MariaDB 10.3 to filebeat mysql module. Add support for MySQL 8 extra fields in slow log. Update compatibility notes. Closes #10257

* Link to infrastructure monitoring docs from Beats docs * Add links that point to the infrastructure monitoring guide * Add changes from review

* Add Filebeat coredns module

Fix coredns image in docs.asciidoc for docs build

* Fix docs build again

Update method of common.MapStr doesn't update nested maps so we were overwriting existing metrics. Fix fields definition to add wildcard so fields match. Add testdata.

As discussed in #11348, this shortens down entity IDs to base64-encoded 12 bytes. It makes quite the difference. I've also used the opportunity to finally standardize the `TestData` functions to (hopefully) always generate the same data (or at least to get closer to that), regardless of which system they are run on. Resolves #11348.

Add Etcd V3 metrics from the /metrics endpoint

* bugfix: fix a typo in libbeat/outputs/transport/client.go

* CM Breaking changes in 6.7 Add a note concerning the breaking change of 6.7 for Central Management and mention the migration tool.

* migrate vsphere/host to ReporterV2

* process objects and arrays only * changelog * table tests for depth * added array into testcase * moved to fixes * added structure check & decoder error check

…interface (#10984)

* migrate vsphere/virtualmachine to ReporterV2

Add autodiscover providers to the list of libbeat modules in fields generator. Move jolokia autodiscover fields added in #10925 to the provider.

Fixes: #10031

Format is defined in elastic/kibana#27408 Main objective is to easier bubbling or errors and messages. ``` export interface ReturnType { error?: { message: string; code?: number; }; success: boolean; } ```

Fixes #11490 Fixes #9134

This adds a cisco module to x-pack/filebeat. The only fileset currently, asa, will ingest Cisco ASA logs received over syslog. Closes #9200

The previous mirror does not seem to be available anymore.

- It was missing in the breaking changes doc (generated from ecs-migration.yml) - The actual field alias was incorrectly pointing to source.ip, this has been adjusted to source.address - Re-generating the documentation file also updated the breaking changes to include a change introduced in #11334 This should be backported to 7.0. Closes #11510

* updated kafka version * doc update * updated docs

* Fixed Filebeat ECS dashboards (#11520) (cherry picked from commit 32e6378)

* Undo the change about the Auditbeat field in field-name-changes.asciidoc. We're stopping the use of event.type for now, until we're ready to introduce it with curated values * Undo the migration of Filebeat Elasticserch module's es.audit.event_type to event.type

Add docs for add_fields, add_labels, and add_tags processors

The `filebeat.registry.migrate_file` has been introduced with 7.0. I just noticed that the doc is still missing.

* This adds all missing migrated fields for the system module to ecs-migration.yml * The breaking changes doc has been updated accordingly with script/renamed_fields.py * The corresponding dashboards for the system module have been updated manually (sorry for all the whitespace diff)

* Fix panic in add_kubernetes_metadata processor when key `log` does not exist. {issue}11543[11543]

This adds a new opcode OP_MSG to the MongoDB protocol parser.

`test_clean_inactive` (#8102) and `test_clean_removed` (#7690) have been flaky recently again on Windows. Skipping these test for Windows.

…rterV2 interface (#10858)

Cisco ASA uses some custom fields for NetFlow V9. From "Cisco ASA NetFlow Implementation Guide": - 33000 NF_F_INGRESS_ACL_ID, renamed to ingress_acl_id - 33001 NF_F_EGRESS_ACL_ID, renamed to egress_acl_id - 33002 NF_F_FW_EXT_EVENT, renamed to fw_ext_event - 40000 NF_F_USERNAME, renamed to username Some devices also use the following fields, from "Information Elements for Stealthwatch v7.0": - 40001 ASAXlateSourceAddressIPV4, renamed to xlate_source_address_ipv4 - 40002 ASAXlateDestinationAddressIPV4, renamed to xlate_destination_address_ipv4 - 40003 ASAXlateSourcePort, renamed to xlate_source_port - 40004 ASAXlateDestinationPort, renamed to xlate_destination_port - 40005 ASAFirewallEvent, renamed to firewall_event Cisco ASA NetFlow implementation requires a new field datatype, ACL ID, with 12-byte length, that encodes the following information: - First four bytes are the ACL name ID. - Next four bytes are the ACL entry ID / Object-Group ID. - Final four bytes are the Extended ACL Entry ID. Following with Logstash tradition, these fields are converted to string featuring the 3 ID's in encoded in hex and separated by a hypen.

This file was missing from the new cisco module

* Update master changelogs * Add missing updates to release.asciidoc

Resolves #9178. This PR teaches the `elasticsearch.ccr` metricset (with `xpack.enabled: true`) to collect and index CCR auto-follow stats. The metricset was already collecting and indexing CCR follow stats per index.

* Indicate that ILM is on by default and add new settings * Add changes from the review

To access Librpm functions in the package dataset, we currently dlopen() `/usr/lib64/librpm.so` which is usually a symlink to the versioned shared object e.g. `/usr/lib64/librpm.so.1`. However, this symlink is only present when the package `rpm-devel` is installed and that's usually not the case by default. This PR changes to using the versioned shared object names as a fallback when the symlink is not available. Versions 1, 3, and 8 are library versions that are present on systems I've tested on, while other in-between versions are not explicitly tested, but it's reasonable to assume they work. In any case, if any of the functions we are looking for are not available the dataset will still abort. I've also changed from an absolute path (`/usr/lib64/librpm.so*`) to a generic one (`librpm.so*`) to be more flexible about the location. With this change, the package dataset works on CentOS 6, 7, and Fedora 29 without the `rpm-devel` package installed. The package is still required for compilation.

Someone could copy/paste this example without realizing the ellipse can be to be changed to a meaningful event ID filter.

To simplify for users to enable the migration aliases, the config option is set to true. Like this when commenting out the config, it is already enabled. This came out of a discussion where we discovered users assumed it's enabled when commenting out and falsely assumed the migration layer is enabled.

…11577) * docker metadata processor: replace source field with log.field.path

* Add _bucket to histogram metrics

The changelog entry got merged into the wrong spot during the cherry-pick. This was originally fixed in v6.2.4. Relates #6579

This PR introduces a new processor `truncate_fields`. To keep raw messages use this processor with `copy_fields`. ### `truncate_fields` This processor truncates configured fields. Example configuration is below: ```yaml processors: - truncate_fields: fields: - message max_bytes: 1024 fail_on_error: false ignore_missing: true ``` ### Keep raw events This preserves the orignal field and truncates it, if it's too long. ```yaml processors: - copy_fields: fields: - from: message to: event.original fail_on_error: false ignore_missing: true - truncate_fields: fields: - event.original max_bytes: 1024 fail_on_error: false ignore_missing: true ```

* Add upgrade docs * Apply suggestions from code review * Add more detail based on review feedback * A few clarifications * Remove old file * Rename file to original name * More changes from review * Add changes from review before moving stuff around * Move some content and clean it up * Add more fixes from the review * Add more changes based on review comments

…d fix a documentation error - issue #11590. (#11591) * Add missing Kubernetes metadata fields to Filebeat CoreDNS module, and fix a documentation error.

…orterV2 interface (#10961)

…11012)

* Add get creds script and sqs script into aws module test folder * Add readme

Related: #11629.

Related: #11627

This PR updates the `elasticsearch.index` metricset (x-pack code path) to collect a new field that's now being collected by internal/native `index_stats` collector.

* Fixing imports * Introducing monitoring.* config * Determine reporter format (production or monitoring) * WIP: Capture elasticsearch cluster_uuid on connect to ES output? * WIP: record cluster_uuid and then try to use it * Extracting bulk to production code into function * Add switch for sending to production or monitoring cluster * Better if check * Using switch instead of if-else * WIP: Debugging docker-compose failure * [WIP] Add docker compose logging for system tests as well * Removing logging statements used for debugging * Add "_type": "doc" if ES version < 7 * Rename format -> _format since it's for internal use only * Rename Monitoring -> XPackMonitoring and MonitoringNew -> Monitoring * Use consts instead of bare strings * Move format validation check to constructor * Collect cluster UUID when connection is made with ES output cluster * Fix format passing + cluster UUID retrieval from registry * Fixing error message * Pass down format correctly * Changing log level for recurring message * Fixing monitoring index name generation + doc fields * Removing line from vestigial implementation * Removing unnecessary else * Use iota for reporting format constants * Better passing of format + validation in constructor * Adding CHANGELOG entry * Adding system test for direct monitoring * Refactoring * Adding skeleton comparison test * Refactoring: renaming * Refactoring * Better cleanup * Fixing formatting * Fixing syntax error * Fixing variable name in template * Fleshing out TODOs * Make Hound happy (woof woof!) * Fixing rebase errors * Make monitoring type a string + better variable name * Change major version check * Extract meta from action * Use shorter method names * Remove duplication of logic * Refactoring: move selectMonitoringConfig to monitoring.SelectConfig * Update schema version * Move variable into callback fn's scope so memory is not shared across callback calls * Fixing scope of registry and var creations so they don't happen on every callback call * Remove naming stutter * Reduce hackiness with passing reporter format * Move error vars to package scope * Removing stutter * Adding extra godoc about format usage * Extend godoc to explain the rationale behind the format hack * Debugging docker container logs for system tests * Remove _type from bulk request URI * Removing debugging statement * Fixing logic

…orterV2 interface (#10974)

…porterV2 interface (#10976)

Add TLS/SSL support to the Metricbeat http/server metricset. This allows users to host an HTTPS server if they configure a certificate and key. Closes #11457

…its system. (#11649) - Relax validation of the X-Pack license UID value. - Fix a parsing error with the X-Pack license check on 32-bit system. Fixes: #11640 Fixes: #11650

… interface (#10973)

* Show colon-delimited names in module listing * Sort module listings so variants show up after defaults * Accept variant names * Update unit tests * Adding CHANGELOG entries * Adding docs for module configuration variants * Renaming method to be more conventional * Using - instead of : as variant delimiter * Adding xpack variant for elasticsearch module * Adding xpack variant for kibana module * Adding unit test for sorting order * Removing flavors for clarity * Fixing CHANGELOG * Fixing duplicate anchor

The auditd module is updated to set normalized values for event.category and event.type. It also sets event.outcome from auditd.result. Currently it sets the following values for audit messages of USER_LOGIN and USER_AUTH type: | event.category | event.outcome | event.type | |----------------|---------------|------------------------| | authentication | success | authentication_success | | authentication | failure | authentication_failure | Closes #11428

Overrides the `rpmsqEnable` function in Librpm that sets and unsets signal traps. Hopefully, this will eliminate the residual test failures.

Both openSUSE and SLES use RPM under the hood, so we can use the code we already have for CentOS/Fedora. Depends on #11628. Fixes elastic/beats-tester#115.

* build the beat by default * allow clean override of some make targets

* Updating monitoring docs with direct monitoring configuration * [DOCS] Fixes outdated terms and links

The force flag for policy and template overwrites have been set to true in the standard Elasticsearch callback. Due to this every reconnect will result in the policy and template being overwritten. This fix sets the flags to false and ensure that the template is only overwritten if a new policy is created in Elasticsearch.

…ig to http testing framework (#11660)

* migrate mongodb to reporterv2 with error handling

* do not hide error on failure * changelog

Human readable not working well for us.

* fixed enroll response parsing

* Add release highlights * Rework highlights * Add fixes from review * Use attribute

Windows XP isn't supported by Go 1.11 and it's not on our support matrix.

rename my.domain.org to non existent my.domain.elastic and update resolving file

Behavior changed in #11577

) Beats now have the ability to send their monitoring data directly to the **monitoring** Elasticsearch cluster (#9260). This PR updates the default and reference configuration files for all Beats with the new monitoring settings. It also updates the configuration template used by Central Management.

* Cast ints into floats * Use isinstance instead of type

…#11676) * check for a valid limit before we process a memory event

…10960)

…1659) * migrate zookeeper to reporter V2 with error handling

Changes in 1.12: https://golang.org/doc/go1.12 Changes in minor release: https://github.com/golang/go/issues?q=milestone%3AGo1.12.1 Updated vendored packages: - `github.com/tsg/gopacket/pcap` - `github.com/docker/docker/pkg/*` - `github.com/docker/go-connections` New vendored packages (as required by dependencies): - `github.com/konsorten/go-windows-terminal-sequences` Removed vendored package: - `github.com/Sirupsen/logrus`: `github.com/sirupsen/logrus` is used and it leads to a case insensitive collision, required by docker dependencies

* Fix typo found by Jason B * Add chnages recommended by testers * Add missing file * Fix more issues and add troubleshooting for default_field problem * Remove reviewer note * Another round of changes from review

* Remove Logstash Forwarder migration content * Remove migration file from index

* Change add_cloud_metadata to not overwrite cloud field * Add overwrite flag for add_cloud_metadata * Add test for cloud.provider: ec2 * Update processors-using.asciidoc

This gives Winlogbeat the ability to read from archived .evtx files. The `name` parameter recognizes that the value is absolute path and then uses the appropriate APIs to open the file and ingest its contents. In order to support the use case of reading from a file and then exiting when there are no more events (`ERROR_NO_MORE_ITEMS`) I added a config option to change the behavior of the reader from waiting for more events to stopping. I also had to add `shutdown_timeout` option to make Winlogbeat wait for events to finish publishing before exiting. To keep it simple, globs are not supported. This would have required the introduction of a "prospector" to continuously monitor the glob for new / moved / deleted files. winlogbeat.event_logs: - name: ${EVTX_FILE} no_more_events: stop winlogbeat.shutdown_timeout: 30s winlogbeat.registry_file: evtx-registry.yml output.elasticsearch.hosts: ['http://localhost:9200'] Closes #4450

…1680) Prior to this change it was possible to construct individual Beat processors. This adds the ability to chain them together in a list so that calling a single `Run(event)` function executes the list of processors. var localeProcessor = new processor.AddLocale(); var chain = new processor.Chain() .Add(localeProcessor) .Rename({ fields: [ {from: "event.timezone", to: "timezone"}, ], }) .Add(function(evt) { evt.Put("hello", "world"); }) .Build(); function process(evt) { return chain.Run(evt); }

Mage is used in the `make clean` but was not a dependency. So clean failed on CI without noticing.

Matching arrays of strings inside a contains condition doesn't work properly with the output of JSON decoding as it is expecting fields of type []string when they are in this case []interface{}. Fixes: #3138

Update the auditd module to set the correct user/uid for login attempts. Until now, the ECS user.name/id were set to the account that the login process used, not the account that was being logged-in to. Fixes #11430

…d_metadata (#11687) * Change cloud.provider from ec2 to aws in add_cloud_metadata * Change GCE to GCP to match ECS

…11688)

This updates the syscall list for Linux v5.0. And this fixes a bug that can occur if you configure more than 256 syscalls in a BPF filter.

…ace (#10986)

…Error interface (#11743)

Test was disabled here: #11627

With #11106, the base `Metricset` struct started defining a `Logger()` method which returned a `*logp.Logger` for metricsets to use. With this change, each metricset no longer needs to define its own logger. This PR updates Elastic Stack metricsets to use the base `Metricset`'s `Logger()` instead of defining their own.

…interface (#11745) * updated docs and metricset templates to the new reporterV2 w/ error interface

…ogs errors (#11763) Refactors code in the `kibana` Metricbeat module to use the new `Fetch` interface introduced in #10727. Note that x-pack code paths in this module were not refactored to use the new interface as we don't want errors from those code paths to be reported into `metricbeat-*` indices, only logged to Metricbeat logs. Related: #11767.

…ogs errors (#11767)

) * Fix: Correctly initialize the Logger for the TCP input instance. `With()` function was called without the key to identify the value passed as parameter.

…ath (#11759) - Fix Labels overwriting for Prometheus histograms + keylabels - Add tests for keylabeled prometheus metrics

The `elasticsearch/pending_tasks` metricset was emitting an error message referring to the "ML Job Stats" API, instead of the "Pending Tasks" API. This PR fixes the error message.

The X-Pack code path shouldn't report errors as they will get indexed into `metricbeat-*` indices, not `.monitoring-*` indices (which don't have a field for errors anyway).

…ogs errors (#11795) * Refactoring: Use new Fetch interface in elasticsearch/shard metricset * Refactoring: Use new Fetch interface in elasticsearch/pending_tasks metricset * Refactoring: Use new Fetch interface in elasticsearch/node_stats metricset * Refactoring: Use new Fetch interface in elasticsearch/node metricset * Refactoring: Use new Fetch interface in elasticsearch/ml_job metricset * Refactoring: Use new Fetch interface in elasticsearch/index_summary metricset * Refactoring: Use new Fetch interface in elasticsearch/index_recovery metricset * Refactoring: Use new Fetch interface in elasticsearch/index metricset * Refactoring: Use new Fetch interface in elasticsearch/cluster_stats metricset * Refactoring: Use new Fetch interface in elasticsearch/ccr metricset * Updating test

We're starting to see errors like this quite frequently (but not all the time) in our CI: ``` Creating metricbeat91226fb6ffe6d06676cfc1383d0a3ffb19f00db7_kibana_1 ... stats_integration_test.go:60: Error Trace: stats_integration_test.go:60 Error: Should be empty, but was [error making http request: Get http://kibana:5601/api/stats?extended=true: net/http: request canceled (Client.Timeout exceeded while awaiting headers)] Test: TestFetch stats_integration_test.go:61: Error Trace: stats_integration_test.go:61 Error: Should NOT be empty, but was [] Test: TestFetch ``` So this PR skips this test suite for now, while we try to debug and fix the root cause in #11380.

#11776)

* Fix flaky service_integration_windows_test Some services can change state before reader.Read() call is executed which will result in a test faillure. Fix test by introducing a confidence factor and enriching the error message with the state-changed service details. Fixes #8880 and #7977 * Update metricbeat/module/windows/service/service_integration_windows_test.go Co-Authored-By: narph <mariana@elastic.co>

* Add option to set rcv_buffer for UDP inputs * Missed err handling * Import style fix * Implement review feedback * add documentation * Add option to set rcv_buffer for UDP inputs * Missed err handling * Import style fix * Implement review feedback * add documentation * Correct changelog link * Apply gofmt suggestion * Apply indentation recommendation from gofmt * Newline for linter * Autogen reference file * x-pack fmt update * Restore import order that was modified by fmt update

* migrate redis to reporter V2 with error return

This PR add a new input configuration option named `line_terminator`: ``` # Characters which separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed, # carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator. #line_terminator: auto ``` The option `auto` tells Filebeat to use our current hybrid new line finder approach. Thus, we can avoid introducing a breaking change. It also contains a minor refactoring in `readfile` package. I have created a new type `Config` which stores the configuration of the readers of the package. This eliminates a long list of parameters in the constructors of `EncodeReader` and `LineReader`. Closes #5500

* migrate kvm to reporterv2 with error handling

* Fix TODO in Suricata doc Add config example to replace TODO in Suricata module documentation.

…#11822) * add line about ptrace blocks in the system metricset

* Un-skip flaky tests * Making healthcheck more robust

…ay can be freed (#11524) In `LimitReader` when truncating the line if the configured limit was reached, the message was sliced. Slicing does not touch the underlying array. To make sure the long line can be truncated and freed, the reader copies the contents to a new array. Thus, freeing the data.

Add CoreDNS metrics and adapt some existing names

* Add filebeat module envoyproxy for Envoy access logs

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rebase #1

Rebase #1

Commits on Mar 8, 2019

Commits on Mar 11, 2019

Commits on Mar 12, 2019

Commits on Mar 13, 2019

Commits on Mar 14, 2019

Commits on Mar 15, 2019

Commits on Mar 16, 2019

Commits on Mar 18, 2019

Commits on Mar 19, 2019

Commits on Mar 20, 2019

Commits on Mar 21, 2019

Commits on Mar 22, 2019

Commits on Mar 25, 2019

Commits on Mar 26, 2019

Commits on Mar 27, 2019

Commits on Mar 28, 2019

Commits on Mar 29, 2019

Commits on Mar 30, 2019

Commits on Apr 1, 2019

Commits on Apr 2, 2019

Commits on Apr 3, 2019

Commits on Apr 4, 2019

Commits on Apr 5, 2019

Commits on Apr 6, 2019

Commits on Apr 7, 2019

Commits on Apr 8, 2019

Commits on Apr 9, 2019

Commits on Apr 10, 2019

Commits on Apr 11, 2019

Commits on Apr 12, 2019

Commits on Apr 13, 2019

Commits on Apr 15, 2019

Commits on Apr 16, 2019

Commits on Apr 17, 2019