Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[receiver/journald]: add support for matches configuration #20852

Merged
merged 7 commits into from
Apr 24, 2023
Merged

[receiver/journald]: add support for matches configuration #20852

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e9d0953
[receiver/journald]: support `matches` configuration
Apr 11, 2023
87c4345
docs(receiver/journald): update operator doc
Apr 13, 2023
0e81f08
refactor(receiver/journald): update due to review
Apr 13, 2023
2fd4a2e
Update pkg/stanza/docs/operators/journald_input.md
sumo-drosiek Apr 13, 2023
3c89455
Update receiver/journaldreceiver/README.md
sumo-drosiek Apr 13, 2023
b788bce
feat(journalctl): allow to configure units and matches together
Apr 14, 2023
5d3a40b
docs: add additional statement to note
Apr 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .chloggen/drosiek-journald-matches.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement

# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
component: journaldreceiver

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: add support for `matches` configuration

# One or more tracking issues related to the change
issues: [20295]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext:
66 changes: 63 additions & 3 deletions pkg/stanza/docs/operators/journald_input.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,15 @@ The `journald_input` operator will use the `__REALTIME_TIMESTAMP` field of the j
| `output` | Next in pipeline | The connected operator(s) that will receive all outbound entries. |
| `directory` | | A directory containing journal files to read entries from. |
| `files` | | A list of journal files to read entries from. |
| `units` | | A list of units to read entries from. |
| `priority` | `info` | Filter output by message priorities or priority ranges. |
| `units` | | A list of units to read entries from. See [Multiple filtering options](#multiple-filtering-options) examples, if you want to use it together with `matches` and/or `priority`. |
| `matches` | | A list of matches to read entries from. See [Matches](#matches) and [Multiple filtering options](#multiple-filtering-options) examples. |
| `priority` | `info` | Filter output by message priorities or priority ranges. See [Multiple filtering options](#multiple-filtering-options) examples, if you want to use it together with `units` and/or `matches`. |
| `start_at` | `end` | At startup, where to start reading logs from the file. Options are `beginning` or `end`. |
| `attributes` | {} | A map of `key: value` pairs to add to the entry's attributes. |
| `resource` | {} | A map of `key: value` pairs to add to the entry's resource. |

### Example Configurations

```yaml
- type: journald_input
units:
Expand All @@ -33,7 +35,65 @@ The `journald_input` operator will use the `__REALTIME_TIMESTAMP` field of the j
- type: journald_input
priority: emerg..err
```
#### Simple journald input

#### Matches
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should there be a mechanism to prevent specifying both units: and matches: configuration for a single input?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really sure about it, as you can do it in journalctl as well

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My testing with journalctl trying to use both units and matches syntax gave unexpected results - specifically NO LOG DATA. At a minimum, there should be a warning in the docs that mixing units and matches could lead to unexpected results.

  • One Unit:
    • journalctl --utc --output=short --follow --priority info --unit ssh.service
    • Only SSH unit logs ... as expected
  • One Match Rule (with 2 terms):
    • journalctl --utc --output=short --follow --priority info _TRANSPORT=kernel PRIORITY=5
    • Only kernel logs ... as expected
  • Two Match Rules:
    • journalctl --utc --output=short --follow --priority info _SYSTEMD_UNIT=ssh.service + _TRANSPORT=kernel PRIORITY=5
    • Both log streams present ... as expected
  • Unit and Match:
    • journalctl --utc --output=short --follow --priority info --unit ssh.service _TRANSPORT=kernel PRIORITY=5
    • NO LOGS
  • Unit plus Match:
    • journalctl --utc --output=short --follow --priority info --unit ssh.service + _TRANSPORT=kernel PRIORITY=5
    • Invalid syntax: "+" can only be used between terms
  • Match and Unit:
    • journalctl --utc --output=short --follow --priority info _TRANSPORT=kernel PRIORITY=5 --unit ssh.service
    • NO LOGS
  • Match plus Unit:
    • journalctl --utc --output=short --follow --priority info _TRANSPORT=kernel PRIORITY=5 + --unit ssh.service
    • Invalid syntax: "+" can only be used between terms

Tested on Ubuntu 20.04 host with a noisy iptables LOG rule (kernel log stream) and inbound SSH probes.

Copy link
Member Author

@sumo-drosiek sumo-drosiek Apr 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't say the the behavior fully unexpected. Look at the following example:

➜  ~ journalctl --utc --output=json --no-tail --priority info --unit=user@1000.service --unit=init.scope _COMM=wireplumber + _COMM=systemd | jq '{unit: ._SYSTEMD_UNIT, comm: ._COMM} | tostring' | sort | uniq
"{\"unit\":\"init.scope\",\"comm\":\"systemd\"}"
"{\"unit\":\"user@1000.service\",\"comm\":\"systemd\"}"
"{\"unit\":\"user@1000.service\",\"comm\":\"wireplumber\"}

How I understand the behavior is:

  1. take all entries which matches the units configuration
  2. apply matches configuration to the entries which has been selected in 1

Having both matches and units can be actually helpful, if you want to select multiple units with the same additional parameter, so you can do it in the following way:

units:
- a
- b
- c
- d
matches:
- _COMM=systemd

instead of:

matches:
- _SYSTEMD_UNIT: a
  _COMM: systemd
- _SYSTEMD_UNIT: b
  _COMM: systemd
- _SYSTEMD_UNIT: c
  _COMM: systemd
- _SYSTEMD_UNIT: d
  _COMM: systemd

Anyway, I would allow either matches or units to avoid confusion and non-well documented behavior. It will be also easier to deal with it if we decide to go with jorunald gateway path

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My testing with journalctl trying to use both units and matches syntax gave unexpected results - specifically NO LOG DATA.

I don't agree that the results are unexpected - in fact, they are exactly what I would expect. The units and matches conditions are AND-ed, same as priority and units are AND-ed in the current version of the receiver.

Anyway, I would allow either matches or units to avoid confusion and non-well documented behavior. It will be also easier to deal with it if we decide to go with jorunald gateway path

I don't agree with this. Both matches and units should be possible to set together, as this makes perfect sense - as you have described in your comment @sumo-drosiek, and as it is possible in journalctl. The argument about journald gateway doesn't make much sense, as the matches configuration as implemented is already incompatible with the journald gateway (which apparently only accepts a flat list of AND-ed conditions). We are already not compatible with the journald gateway with the matches and I think it makes most sense to allow the user to do the same thing as they can do with journalctl.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The argument about journald gateway doesn't make much sense, as the matches configuration as implemented is already incompatible with the journald gateway (which apparently only accepts a flat list of AND-ed conditions).

We are compatible with journald-gateway and will be anyway, as we are able to get all entries based on the configuration (there is no requirement to do it in one query). Only thing is that allowing to have both matches and units introduces some logic complexity which could be avoided.


The following configuration:

```yaml
- type: journald_input
matches:
- _SYSTEMD_UNIT: ssh
- _SYSTEMD_UNIT: kubelet
_UID: "1000"
sumo-drosiek marked this conversation as resolved.
Show resolved Hide resolved
```

will be passed to `journalctl` as the following arguments: `journalctl ... _SYSTEMD_UNIT=ssh + _SYSTEMD_UNIT=kubelet _UID=1000`,
which is going to retrieve all entries which match at least one of the following rules:

- `_SYSTEMD_UNIT` is `ssh`
- `_SYSTEMD_UNIT` is `kubelet` and `_UID` is `1000`

#### Multiple filtering options

In case of using multiple following options, conditions between them are logically `AND`ed and within them are logically `OR`ed:

```text
( priority )
AND
( units[0] OR units[1] OR units[2] OR ... units[U] )
AND
( matches[0] OR matches[1] OR matches[2] OR ... matches[M] )
```

Consider the following example:

```yaml
- type: journald_input
matches:
- _SYSTEMD_UNIT: ssh
- _SYSTEMD_UNIT: kubelet
_UID: "1000"
units:
- kubelet
- systemd
priority: info
```

The above configuration will be passed to `journalctl` as the following arguments
`journalctl ... --priority=info --unit=kubelet --unit=systemd _SYSTEMD_UNIT=ssh + _SYSTEMD_UNIT=kubelet _UID=1000`,
which is going to effectively retrieve all entries which matches the following set of rules:

- `_PRIORITY` is `6`, and
- `_SYSTEMD_UNIT` is `kubelet` or `systemd`, and
- entry matches at least one of the following rules:

- `_SYSTEMD_UNIT` is `ssh`
- `_SYSTEMD_UNIT` is `kubelet` and `_UID` is `1000`

Note, that if you use some fields which aren't associated with an entry, the entry will always be filtered out.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it worth noting that this configuration will not emit ssh or systemd logs because of the AND between matches and units?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added additional note to explicitly say that the example configuration won't get any entries for ssh and systemd


### Simple journald input

Configuration:
```yaml
Expand Down
93 changes: 77 additions & 16 deletions pkg/stanza/operator/input/journald/journald.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ import (
"fmt"
"io"
"os/exec"
"regexp"
"sort"
"strconv"
"sync"
"time"
Expand Down Expand Up @@ -60,20 +62,42 @@ func NewConfigWithID(operatorID string) *Config {
type Config struct {
helper.InputConfig `mapstructure:",squash"`

Directory *string `mapstructure:"directory,omitempty"`
Files []string `mapstructure:"files,omitempty"`
StartAt string `mapstructure:"start_at,omitempty"`
Units []string `mapstructure:"units,omitempty"`
Priority string `mapstructure:"priority,omitempty"`
Directory *string `mapstructure:"directory,omitempty"`
Files []string `mapstructure:"files,omitempty"`
StartAt string `mapstructure:"start_at,omitempty"`
Units []string `mapstructure:"units,omitempty"`
Priority string `mapstructure:"priority,omitempty"`
Matches []MatchConfig `mapstructure:"matches,omitempty"`
}

type MatchConfig map[string]string

// Build will build a journald input operator from the supplied configuration
func (c Config) Build(logger *zap.SugaredLogger) (operator.Operator, error) {
inputOperator, err := c.InputConfig.Build(logger)
if err != nil {
return nil, err
}

args, err := c.buildArgs()
if err != nil {
return nil, err
}

return &Input{
InputOperator: inputOperator,
newCmd: func(ctx context.Context, cursor []byte) cmd {
if cursor != nil {
args = append(args, "--after-cursor", string(cursor))
}
return exec.CommandContext(ctx, "journalctl", args...) // #nosec - ...
// journalctl is an executable that is required for this operator to function
},
json: jsoniter.ConfigFastest,
}, nil
}

func (c Config) buildArgs() ([]string, error) {
args := make([]string, 0, 10)

// Export logs in UTC time
Expand Down Expand Up @@ -108,17 +132,54 @@ func (c Config) Build(logger *zap.SugaredLogger) (operator.Operator, error) {
}
}

return &Input{
InputOperator: inputOperator,
newCmd: func(ctx context.Context, cursor []byte) cmd {
if cursor != nil {
args = append(args, "--after-cursor", string(cursor))
}
return exec.CommandContext(ctx, "journalctl", args...) // #nosec - ...
// journalctl is an executable that is required for this operator to function
},
json: jsoniter.ConfigFastest,
}, nil
if len(c.Matches) > 0 {
matches, err := c.buildMatchesConfig()
if err != nil {
return nil, err
}
args = append(args, matches...)
}

return args, nil
}

func buildMatchConfig(mc MatchConfig) ([]string, error) {
re := regexp.MustCompile("^[_A-Z]+$")

// Sort keys to be consistent with every run and to be predictable for tests
sortedKeys := make([]string, 0, len(mc))
for key := range mc {
if !re.MatchString(key) {
return []string{}, fmt.Errorf("'%s' is not a valid Systemd field name", key)
}
sortedKeys = append(sortedKeys, key)
}
sort.Strings(sortedKeys)

configs := []string{}
for _, key := range sortedKeys {
configs = append(configs, fmt.Sprintf("%s=%s", key, mc[key]))
}

return configs, nil
}

func (c Config) buildMatchesConfig() ([]string, error) {
matches := []string{}

for i, mc := range c.Matches {
if i > 0 {
matches = append(matches, "+")
}
mcs, err := buildMatchConfig(mc)
if err != nil {
return []string{}, err
}

matches = append(matches, mcs...)
}

return matches, nil
}

// Input is an operator that process logs using journald
Expand Down
80 changes: 80 additions & 0 deletions pkg/stanza/operator/input/journald/journald_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import (
"testing"
"time"

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"

Expand Down Expand Up @@ -115,3 +116,82 @@ func TestInputJournald(t *testing.T) {
require.FailNow(t, "Timed out waiting for entry to be read")
}
}

func TestBuildConfig(t *testing.T) {
testCases := []struct {
Name string
Config func(cfg *Config)
Expected []string
ExpectedError string
}{
{
Name: "empty config",
Config: func(cfg *Config) {},
Expected: []string{"--utc", "--output=json", "--follow", "--priority", "info"},
},
{
Name: "units",
Config: func(cfg *Config) {
cfg.Units = []string{
"dbus.service",
"user@1000.service",
}
},
Expected: []string{"--utc", "--output=json", "--follow", "--unit", "dbus.service", "--unit", "user@1000.service", "--priority", "info"},
},
{
Name: "matches",
Config: func(cfg *Config) {
cfg.Matches = []MatchConfig{
{
"_SYSTEMD_UNIT": "dbus.service",
},
{
"_UID": "1000",
"_SYSTEMD_UNIT": "user@1000.service",
},
}
},
Expected: []string{"--utc", "--output=json", "--follow", "--priority", "info", "_SYSTEMD_UNIT=dbus.service", "+", "_SYSTEMD_UNIT=user@1000.service", "_UID=1000"},
},
{
Name: "invalid match",
Config: func(cfg *Config) {
cfg.Matches = []MatchConfig{
{
"-SYSTEMD_UNIT": "dbus.service",
},
}
},
ExpectedError: "'-SYSTEMD_UNIT' is not a valid Systemd field name",
},
{
Name: "units and matches",
Config: func(cfg *Config) {
cfg.Units = []string{"ssh"}
cfg.Matches = []MatchConfig{
{
"_SYSTEMD_UNIT": "dbus.service",
},
}
},
Expected: []string{"--utc", "--output=json", "--follow", "--unit", "ssh", "--priority", "info", "_SYSTEMD_UNIT=dbus.service"},
},
}

for _, tt := range testCases {
t.Run(tt.Name, func(t *testing.T) {
cfg := NewConfigWithID("my_journald_input")
tt.Config(cfg)
args, err := cfg.buildArgs()

if tt.ExpectedError != "" {
require.Error(t, err)
require.ErrorContains(t, err, tt.ExpectedError)
return
}
require.NoError(t, err)
assert.Equal(t, tt.Expected, args)
})
}
}
63 changes: 59 additions & 4 deletions receiver/journaldreceiver/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,9 @@ Journald receiver is dependent on `journalctl` binary to be present and must be
| `directory` | `/run/log/journal` or `/run/journal` | A directory containing journal files to read entries from |
| `files` | | A list of journal files to read entries from |
| `start_at` | `end` | At startup, where to start reading logs from the file. Options are beginning or end |
| `units` | `[ssh, kubelet, docker, containerd]` | A list of units to read entries from |
| `priority` | `info` | Filter output by message priorities or priority ranges |
| `units` | | A list of units to read entries from. See [Multiple filtering options](#multiple-filtering-options) examples, if you want to use it together with `matches` and/or `priority`. |
| `matches` | | A list of matches to read entries from. See [Matches](#matches) and [Multiple filtering options](#multiple-filtering-options) examples. |
| `priority` | `info` | Filter output by message priorities or priority ranges. See [Multiple filtering options](#multiple-filtering-options) examples, if you want to use it together with `units` and/or `matches`. |
| `storage` | none | The ID of a storage extension to be used to store cursors. Cursors allow the receiver to pick up where it left off in the case of a collector restart. If no storage extension is used, the receiver will manage cursors in memory only. |

### Example Configurations
Expand All @@ -34,5 +35,59 @@ receivers:
priority: info
```

[alpha]: https://github.com/open-telemetry/opentelemetry-collector#alpha
[contrib]: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
#### Matches

The following configuration:

```yaml
- type: journald_input
matches:
- _SYSTEMD_UNIT: ssh
- _SYSTEMD_UNIT: kubelet
_UID: "1000"
```

will be passed to `journalctl` as the following arguments: `journalctl ... _SYSTEMD_UNIT=ssh + _SYSTEMD_UNIT=kubelet _UID=1000`,
which is going to retrieve all entries which match at least one of the following rules:

- `_SYSTEMD_UNIT` is `ssh`
- `_SYSTEMD_UNIT` is `kubelet` and `_UID` is `1000`

#### Multiple filtering options

In case of using multiple following options, conditions between them are logically `AND`ed and within them are logically `OR`ed:

```text
( priority )
AND
( units[0] OR units[1] OR units[2] OR ... units[U] )
AND
( matches[0] OR matches[1] OR matches[2] OR ... matches[M] )
```

Consider the following example:

```yaml
- type: journald_input
matches:
- _SYSTEMD_UNIT: ssh
- _SYSTEMD_UNIT: kubelet
_UID: "1000"
units:
- kubelet
- systemd
priority: info
```

The above configuration will be passed to `journalctl` as the following arguments
`journalctl ... --priority=info --unit=kubelet --unit=systemd _SYSTEMD_UNIT=ssh + _SYSTEMD_UNIT=kubelet _UID=1000`,
which is going to effectively retrieve all entries which matches the following set of rules:

- `_PRIORITY` is `6`, and
- `_SYSTEMD_UNIT` is `kubelet` or `systemd`, and
- entry matches at least one of the following rules:

- `_SYSTEMD_UNIT` is `ssh`
- `_SYSTEMD_UNIT` is `kubelet` and `_UID` is `1000`

Note, that if you use some fields which aren't associated with an entry, the entry will always be filtered out.