[Filebeat] Add lumberjack input
What does this PR do?
Add an input for receiving data over the Lumberjack protocol as defined in https://github.com/elastic/go-lumber.
The raw data is written into the lumberjack field which is mapped as flattened.
Why is it important?
Barracuda CloudGen outputs data over Lumberjack and we plan to build a Fleet integration to accept this data.
Checklist
- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files
- [x] I have added tests that prove my fix is effective or that my feature works
- [ ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
Author's Notes
Similar to the winlog input I am not adding documentation to Filebeat for lumberjack. The goal is to make this available to Elastic Agent. Once Elastic Agent fully supports the "input v2" architecture where standalone input binaries send data via the shipper then we will want to be able to migrate and remove it from Filebeat.
How to test this PR locally
```shell
./filebeat -e -c filebeat.lumberjack.yml
```

```yaml
# filebeat.lumberjack.yml
filebeat.inputs:
- type: lumberjack
  listen_address: localhost:5044

# Enable dataset metric logging that includes metrics from lumberjack input.
logging.metrics.namespaces: [stats, dataset]
logging.metrics.period: 10s

# Metrics are available at http://localhost:6060/dataset.
http.port: 6060

# Log events to console.
output.console.pretty: true
```
Related issues
- Relates https://github.com/elastic/integrations/issues/3773
Config
| Option | Default | Description |
|---|---|---|
| listen_address | localhost:5044 | Bind address for the server (e.g. address:port). |
| versions | [v1, v2] | List of Lumberjack versions allowed. (e.g. v1, v2). |
| ssl | | TLS options. |
| keepalive | | Keepalive interval for notifying clients that batches are not yet ACKed. |
| timeout | | Read / write timeouts for Lumberjack server. |
| max_connections | | Maximum number of concurrent connections. Default is 0 which means no limit. |
Logs
Log messages related to input:
{
"log.level": "info",
"@timestamp": "2022-07-20T10:01:32.484-0400",
"log.logger": "input.lumberjack",
"log.origin": {
"file.name": "compat/compat.go",
"file.line": 111
},
"message": "Input lumberjack starting",
"service.name": "filebeat",
"id": "5A9329FF0D5002B5",
"ecs.version": "1.6.0"
}
{
"log.level": "info",
"@timestamp": "2022-07-20T10:01:32.485-0400",
"log.logger": "input.lumberjack",
"log.origin": {
"file.name": "lumberjack/input.go",
"file.line": 61
},
"message": "Starting lumberjack input",
"service.name": "filebeat",
"id": "5A9329FF0D5002B5",
"ecs.version": "1.6.0"
}
{
"log.level": "info",
"@timestamp": "2022-07-20T10:01:32.487-0400",
"log.logger": "input.lumberjack",
"log.origin": {
"file.name": "lumberjack/server.go",
"file.line": 47
},
"message": "lumberjack is listening at tcp://127.0.0.1:5044.",
"service.name": "filebeat",
"id": "5A9329FF0D5002B5",
"ecs.version": "1.6.0"
}
{
"log.level": "info",
"@timestamp": "2022-07-20T10:01:48.750-0400",
"log.logger": "input.lumberjack",
"log.origin": {
"file.name": "compat/compat.go",
"file.line": 132
},
"message": "Input 'lumberjack' stopped",
"service.name": "filebeat",
"id": "5A9329FF0D5002B5",
"ecs.version": "1.6.0"
}
{
"log.level": "info",
"@timestamp": "2022-07-20T10:01:48.753-0400",
"log.logger": "input.lumberjack",
"log.origin": {
"file.name": "lumberjack/input.go",
"file.line": 91
},
"message": "lumberjack input stopped",
"service.name": "filebeat",
"id": "5A9329FF0D5002B5",
"ecs.version": "1.6.0"
}
{
"log.level": "info",
"@timestamp": "2022-07-20T10:01:48.753-0400",
"log.logger": "input.lumberjack",
"log.origin": {
"file.name": "compat/compat.go",
"file.line": 124
},
"message": "Input 'lumberjack' stopped",
"service.name": "filebeat",
"id": "5A9329FF0D5002B5",
"ecs.version": "1.6.0"
}
{
"log.level": "info",
"@timestamp": "2022-07-20T10:01:48.776-0400",
"log.logger": "monitoring",
"log.origin": {
"file.name": "log/log.go",
"file.line": 193
},
"message": "Total metrics",
"service.name": "filebeat",
"monitoring": {
"metrics": {
"beat": {
"cpu": {
"system": {
"ticks": 20,
"time": {
"ms": 20
}
},
"total": {
"ticks": 213,
"time": {
"ms": 213
},
"value": 0
},
"user": {
"ticks": 193,
"time": {
"ms": 193
}
}
},
"info": {
"ephemeral_id": "09338d62-671f-4b1a-b0e1-0c025eed5055",
"name": "filebeat",
"uptime": {
"ms": 16464
},
"version": "8.4.0"
},
"memstats": {
"gc_next": 84957904,
"memory_alloc": 66783208,
"memory_sys": 114348056,
"memory_total": 2891107656,
"rss": 161419264
},
"runtime": {
"goroutines": 22
}
},
"filebeat": {
"events": {
"active": 0,
"added": 198646,
"done": 198646
},
"harvester": {
"closed": 0,
"open_files": 0,
"running": 0,
"skipped": 0,
"started": 0
},
"input": {
"log": {
"files": {
"renamed": 0,
"truncated": 0
}
},
"netflow": {
"flows": 0,
"packets": {
"dropped": 0,
"received": 0
}
}
}
},
"libbeat": {
"config": {
"module": {
"running": 0,
"starts": 0,
"stops": 0
},
"reloads": 0,
"scans": 0
},
"output": {
"events": {
"acked": 198646,
"active": 0,
"batches": 97,
"dropped": 0,
"duplicates": 0,
"failed": 0,
"toomany": 0,
"total": 198646
},
"read": {
"bytes": 0,
"errors": 0
},
"type": "console",
"write": {
"bytes": 249883880,
"errors": 0
}
},
"pipeline": {
"clients": 0,
"events": {
"active": 0,
"dropped": 0,
"failed": 0,
"filtered": 0,
"published": 198646,
"retry": 0,
"total": 198646
},
"queue": {
"acked": 198646,
"max_events": 4096
}
}
},
"registrar": {
"states": {
"cleanup": 0,
"current": 0,
"update": 0
},
"writes": {
"fail": 0,
"success": 0,
"total": 0
}
},
"system": {
"cpu": {
"cores": 10
},
"load": {
"1": 4.6577,
"15": 4.543,
"5": 4.1641,
"norm": {
"1": 0.4658,
"15": 0.4543,
"5": 0.4164
}
}
}
},
"dataset": {
"5A9329FF0D5002B5": {
"batch_processing_time": {
"histogram": {
"count": 97,
"max": 1036771416,
"mean": 54813506.01030928,
"median": 44263542,
"min": 40871833,
"p75": 45846250,
"p95": 50031133.3,
"p99": 1036771416,
"p999": 1036771416,
"stddev": 100248757.53209181
}
},
"batches_acked_total": 97,
"batches_received_total": 97,
"bind_address": "tcp://127.0.0.1:5044",
"id": "5A9329FF0D5002B5",
"input": "lumberjack",
"messages_received_total": 198646
}
},
"ecs.version": "1.6.0"
}
}
Metrics on http endpoint:
```shell
% curl localhost:6060/dataset | jq .
```

```json
{
  "5A9329FF0D5002B5": {
    "batch_processing_time": {
      "histogram": {
        "count": 2,
        "max": 1006000834,
        "mean": 1003726708.5,
        "median": 1003726708.5,
        "min": 1001452583,
        "p75": 1006000834,
        "p95": 1006000834,
        "p99": 1006000834,
        "p999": 1006000834,
        "stddev": 2274125.5
      }
    },
    "batches_acked_total": 2,
    "batches_received_total": 2,
    "bind_address": "tcp://127.0.0.1:5044",
    "id": "5A9329FF0D5002B5",
    "input": "lumberjack",
    "messages_received_total": 10
  }
}
```
Sample Data
Example of data received by the lumberjack input from another Filebeat instance.
{
"@timestamp": "2022-07-20T14:09:45.019Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "8.4.0"
},
"ecs": {
"version": "8.0.0"
},
"lumberjack": {
"input": {
"type": "log"
},
"ecs": {
"version": "8.0.0"
},
"host": {
"name": "mac16-m1"
},
"agent": {
"version": "8.4.0",
"ephemeral_id": "27f86958-d91a-4cc1-baeb-84a2f4ad4a4d",
"id": "4c8e3100-fbde-416c-bb78-63f11a08e4f1",
"name": "mac16-m1",
"type": "filebeat"
},
"log": {
"offset": 92846,
"file": {
"path": "/var/log/install.log"
}
},
"@timestamp": "2022-07-20T14:09:42.734Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "8.4.0"
},
"message": "2022-03-05 22:41:47-08 MacBook-Pro installer[637]: Running install actions"
},
"input": {
"type": "lumberjack"
},
"host": {
"name": "mac16-m1"
},
"agent": {
"ephemeral_id": "016a16f9-e6d0-446f-b8ea-1a4c76896418",
"id": "f9584e03-3520-425c-b0d3-032b89179648",
"name": "mac16-m1",
"type": "filebeat",
"version": "8.4.0"
}
}
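For contrast with the plaintext, loopback-only test configuration in the PR description, here is a listener configuration for receiving from a remote sender. It is an added example, not part of the PR: the address, limits and file paths are placeholders, and the `ssl.*` sub-options are the standard Beats server-side TLS settings, assumed to apply to the `ssl` option listed in the Config table.

```yaml
# filebeat.lumberjack-tls.yml (constructed example; address, limits and paths are placeholders)
filebeat.inputs:
- type: lumberjack
  # Bind to the one interface senders reach rather than a wildcard address.
  listen_address: 192.0.2.10:5044
  # Assumption: the sender speaks v2 only, so v1 is not accepted.
  versions: [v2]
  # Bound concurrent connections; the default of 0 means no limit.
  max_connections: 32
  # Read / write timeout so stalled peers do not hold a connection open.
  timeout: 30s
  ssl:
    enabled: true
    certificate: /etc/filebeat/certs/lumberjack-server.crt
    key: /etc/filebeat/certs/lumberjack-server.key
    # CA that issued the senders' client certificates.
    certificate_authorities: [/etc/filebeat/certs/senders-ca.crt]
    # Require a valid client certificate (mutual TLS) before accepting batches.
    client_authentication: required

# Keep the metrics endpoint on loopback; /dataset exposes per-input counters.
http.host: localhost
http.port: 6060
logging.metrics.namespaces: [stats, dataset]
logging.metrics.period: 10s
```

With this in place, `bind_address` in the `/dataset` metrics should report the configured interface, and `batches_received_total` against `batches_acked_total` gives a quick check that senders are being acknowledged.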
:green_heart: Build Succeeded
Build stats
- Start Time: 2022-08-19T18:13:51.112+0000
- Duration: 138 min 26 sec
Test stats :test_tube:
| Test | Results |
|---|---|
| Failed | 0 |
| Passed | 22655 |
| Skipped | 1937 |
| Total | 24592 |
:green_heart: Flaky test report
Tests succeeded.
:robot: GitHub comments
To re-run your PR in the CI, just comment with:
- /test: Re-trigger the build.
- /package: Generate the packages and run the E2E tests.
- /beats-tester: Run the installation tests with beats-tester.
- run elasticsearch-ci/docs: Re-trigger the docs validation. (use unformatted text in the comment!)
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

```shell
git fetch upstream
git checkout -b feature/fb/lumberjack-input upstream/feature/fb/lumberjack-input
git merge upstream/main
git push upstream feature/fb/lumberjack-input
```
This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @andrewkroh? 🙏. For such, you'll need to label your PR with:
- The upcoming major version of the Elastic Stack
- The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed branches, such as:
- backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit