Jakub Latusek | c586acb | 2020-10-21 13:36:29 +0200 | [diff] [blame] | 1 | {{/* |
Mukul | 7de56c8 | 2018-09-04 08:03:27 +0000 | [diff] [blame] | 2 | # Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | # See the License for the specific language governing permissions and |
| 14 | # limitations under the License. |
Jakub Latusek | c586acb | 2020-10-21 13:36:29 +0200 | [diff] [blame] | 15 | */}} |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 16 | input { |
| 17 | beats { |
| 18 | |
| 19 | ## Add a id to plugin configuration. Can be anything unique. |
| 20 | id => 'beats_plugin' |
| 21 | |
| 22 | ######## Connection configurations ######## |
| 23 | |
| 24 | ## The port to listen on. |
BorislavG | 5f3b619 | 2018-03-25 18:12:38 +0300 | [diff] [blame] | 25 | port => {{.Values.service.externalPort}} |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 26 | |
| 27 | ## Close Idle clients after the specified time in seconds. Default is 60 seconds |
| 28 | #client_inactivity_timeout => 60 |
| 29 | |
| 30 | ######## Security configurations ######## |
| 31 | |
| 32 | ## Enable encryption. Default false. |
| 33 | #ssl => $filebeat_ssl |
| 34 | |
| 35 | ## ssl certificate path. |
| 36 | #ssl_certificate => $filebeat_ssl_certificate |
| 37 | |
| 38 | ## SSL key to use. |
| 39 | #ssl_key => $filebeat_ssl_key |
| 40 | |
| 41 | ##SSL key passphrase to use. |
| 42 | #ssl_key_passphrase => $filebeat_ssl_key_passphrase |
| 43 | |
| 44 | ## Value can be any of: none, peer, force_peer. |
| 45 | #ssl_verify_mode => $filebeat_ssl_verify_mode |
| 46 | |
| 47 | ## Time in milliseconds for an incomplete ssl handshake to timeout. Default is 10000 ms. |
| 48 | #ssl_handshake_timeout => 10000 |
| 49 | include_codec_tag => false |
| 50 | } |
| 51 | } |
| 52 | |
| 53 | |
| 54 | filter { |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 55 | grok { |
| 56 | break_on_match => false |
| 57 | match => { |
| 58 | "source" => ["/var/log/onap/(?<componentName>[^/]+)/", |
| 59 | "/var/log/onap/%{GREEDYDATA:componentLogFile}" |
| 60 | ] |
| 61 | } |
| 62 | } |
| 63 | |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 64 | # Filter for log4j xml events |
| 65 | if "</log4j:event>" in [message] { |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 66 | |
| 67 | #mutate { add_field => { "orgmsg_log4j" => "%{message}" } } # Copy of orginal msg for debug |
| 68 | |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 69 | #Filter to parse xml event and retrieve data |
| 70 | xml { |
| 71 | source => "message" |
| 72 | store_xml => false |
| 73 | remove_namespaces => true |
| 74 | target => "xml_content" |
| 75 | xpath => [ "/event/message/text()", "logmsg" , |
| 76 | "/event/@logger", "Logger", |
| 77 | "/event/@timestamp", "Timestamp", |
| 78 | "/event/@level", "loglevel", |
| 79 | "/event/@thread", "Thread", |
| 80 | "/event/throwable/text()", "Exceptionthrowable", |
| 81 | "/event/NDC/text()", "NDCs", |
| 82 | "/event/properties/data/@name","mdcname", |
| 83 | "/event/properties/data/@value","mdcvalue"] |
| 84 | |
| 85 | } |
| 86 | |
| 87 | #Ruby filter to iterate and separate MDCs into documents |
| 88 | ruby { |
| 89 | code => ' |
| 90 | $i = 0 |
| 91 | $num = 0 |
| 92 | if event.get("[mdcname]") |
| 93 | $num = event.get("[mdcname]").length |
| 94 | end |
guillaume.lambert | 30ec390 | 2021-09-14 12:32:24 +0200 | [diff] [blame] | 95 | if $num != 0 |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 96 | until $i > $num do |
| 97 | if event.get("[mdcname]").at($i) and event.get("[mdcvalue]").at($i) |
| 98 | event.set(event.get("[mdcname]").at($i), event.get("[mdcvalue]").at($i)) |
| 99 | end |
| 100 | $i=$i+1 |
| 101 | end |
guillaume.lambert | 30ec390 | 2021-09-14 12:32:24 +0200 | [diff] [blame] | 102 | end |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 103 | ' |
| 104 | } |
| 105 | |
| 106 | #Validations |
| 107 | if [Exceptionthrowable] |
| 108 | { |
| 109 | mutate { |
| 110 | replace => { |
| 111 | "exceptionmessage" => "%{[Exceptionthrowable]}" |
| 112 | } |
| 113 | } |
| 114 | } |
| 115 | |
| 116 | if [NDCs] |
| 117 | { |
| 118 | mutate { |
| 119 | replace => { |
| 120 | "NDC" => "%{[NDCs]}" |
| 121 | } |
| 122 | } |
| 123 | } |
| 124 | |
| 125 | mutate { |
| 126 | replace => { |
| 127 | "Logger" =>"%{[Logger]}" |
| 128 | "logmsg" =>"%{[logmsg]}" |
| 129 | "Timestamp" =>"%{[Timestamp]}" |
| 130 | "loglevel" =>"%{[loglevel]}" |
| 131 | "message" => "%{logmsg}" |
| 132 | "Thread" => "%{[Thread]}" |
| 133 | } |
| 134 | remove_field => ["mdcname", "mdcvalue", "logmsg","Exceptionthrowable","NDCs"] |
| 135 | } |
| 136 | |
| 137 | if [Timestamp] |
| 138 | { |
| 139 | date { |
| 140 | match => ["Timestamp", "UNIX_MS"] |
| 141 | target => "Timestamp" |
| 142 | } |
| 143 | } |
| 144 | } |
| 145 | # Filter for logback events |
| 146 | else { |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 147 | |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 148 | #mutate { add_field => { "orgmsg" => "%{message}" } } # Copy of orginal msg for debug |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 149 | |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 150 | mutate { |
| 151 | gsub => [ |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 152 | 'message', ' = ', '=', |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 153 | 'message', '= ', '=null', |
guillaume.lambert | 30ec390 | 2021-09-14 12:32:24 +0200 | [diff] [blame] | 154 | 'message', '=\t', '=null\t', #This null is followed by a tab |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 155 | 'message', '\t$', '\t' |
| 156 | ] |
| 157 | } |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 158 | # The grok below parses the message field for all current logback patterns used by oom components. |
| 159 | # Example logback pattern: %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}|%X{RequestId}|%msg |
| 160 | # Example grok pattern: %{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message} |
| 161 | # Use the following command to find all logback patterns in oom directory: find oom -name "logback*xml" -exec grep "property.*attern.*value" {} \;|sort|uniq |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 162 | grok { |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 163 | match => { |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 164 | "message" => [ |
| 165 | "%{TIMESTAMP_ISO8601:Timestamp}\\t[%{GREEDYDATA:Thread}]\\t%{GREEDYDATA:loglevel}\\t%{JAVACLASS:Logger}\\t%{GREEDYDATA:MDCs}\\t%{GREEDYDATA:message}", |
| 166 | "%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:TargetVirtualEntity}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}", |
| 167 | "%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}", |
| 168 | "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Timer}\|\[%{GREEDYDATA:caller}\]\|%{GREEDYDATA:message}", |
| 169 | "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:ErrorCode}\|%{GREEDYDATA:ErrorDesc}\|%{GREEDYDATA:message}", |
| 170 | "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ClassName}\|%{GREEDYDATA:message}", |
| 171 | "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message}", |
| 172 | "\[%{TIMESTAMP_ISO8601:Timestamp}\|%{LOGLEVEL:loglevel}\|%{GREEDYDATA:Logger}\|%{GREEDYDATA:Thread}\] %{GREEDYDATA:message}" |
| 173 | ] |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 174 | } |
| 175 | overwrite => ["message"] |
| 176 | } |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 177 | # The MDCs are key value pairs that are seperated by "," or "\t". Extra space characters are trimmed from the keys and values. |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 178 | kv { |
| 179 | source => "MDCs" |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 180 | field_split => ",\t" |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 181 | trim_key => "\s" |
| 182 | trim_value => "\s" |
| 183 | remove_field => [ "MDCs" ] |
| 184 | } |
| 185 | |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 186 | if (![Timestamp] and [EndTimestamp]) { |
| 187 | mutate { add_field => { "Timestamp" => "%{EndTimestamp}" } } |
| 188 | } |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 189 | date { |
| 190 | match => [ "Timestamp", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS" ] |
| 191 | target => "Timestamp" |
| 192 | } |
| 193 | |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 194 | mutate { |
root | c9c3503 | 2018-04-06 18:39:22 +0000 | [diff] [blame] | 195 | remove_field => ["DuplicateRequestID", "Unknown1", "Unknown2", "Unknown3", "Unknown4", "Unknown5", "Unknown6", "Unknown7", "Unknown8"] |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 196 | } |
| 197 | |
| 198 | if ([source] == "/var/log/onap/sdc/sdc-be/audit.log") { |
| 199 | #Parse kvps in message |
| 200 | kv { |
| 201 | field_split => "\s" |
| 202 | trim_key => "\s" |
| 203 | trim_value => "\s" |
| 204 | } |
| 205 | |
| 206 | #If Request Id is missing and DID is present use as RequestId |
| 207 | if (![RequestId] and [DID] =~ /.+/) { |
| 208 | mutate { add_field => { "RequestId" => "%{DID}" } } |
| 209 | } |
| 210 | } |
| 211 | |
| 212 | } #Close else statement for logback events |
| 213 | } #Close filter |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 214 | |
| 215 | |
| 216 | output { |
| 217 | elasticsearch { |
| 218 | id => 'onap_es' |
| 219 | |
| 220 | ######### Security configurations ######### |
| 221 | |
| 222 | user => "elastic" |
| 223 | password => "changeme" |
| 224 | |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 225 | ## The .cer or .pem file to validate the server's certificate |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 226 | #cacert => $es_cacert |
| 227 | |
| 228 | ## The keystore used to present a certificate to the server. It can be either .jks or .p12 |
| 229 | #keystore => $es_keystore |
| 230 | #keystore_password => $es_keystore_password |
| 231 | |
| 232 | ## Enable SSL/TLS secured communication to Elasticsearch cluster. |
| 233 | ## Default is not set which in that case depends on the protocol specidfied in hosts list |
| 234 | #ssl => $es_ssl |
| 235 | |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 236 | ## Option to validate the server's certificate. Default is true |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 237 | #ssl_certificate_verification => $es_ssl_certificate_verification |
| 238 | |
shanedaniel | fa84710 | 2017-10-25 16:03:42 -0400 | [diff] [blame] | 239 | ## The JKS truststore to validate the server's certificate. |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 240 | #truststore => $es_truststore |
| 241 | #truststore_password => $es_truststore_password |
| 242 | |
| 243 | |
| 244 | ######### Elasticsearchcluster and host configurations ######### |
| 245 | |
BorislavG | 5f3b619 | 2018-03-25 18:12:38 +0300 | [diff] [blame] | 246 | ##can specify one or a list of hosts. If sniffing is set, one is enough and others will be auto-discovered |
| 247 | hosts => ["http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}:{{.Values.config.elasticsearchPort}}"] |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 248 | |
| 249 | |
| 250 | ## This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list. Default is false. |
| 251 | sniffing => true |
| 252 | |
| 253 | ## How long to wait, in seconds, between sniffing attempts. Default is 5 seconds. |
| 254 | #sniffing_delay => 5 |
| 255 | |
| 256 | ## Set the address of a forward HTTP proxy. |
| 257 | #proxy => $es_proxy |
| 258 | |
| 259 | ##Use this if you must run Elasticsearch behind a proxy that remaps the root path for the Elasticsearch HTTP API lives |
| 260 | #path => $es_path |
| 261 | |
| 262 | ######### Elasticsearch request configurations ######### |
| 263 | |
| 264 | ## This setting defines the maximum sized bulk request Logstash will make. |
| 265 | #flush_size => ? |
| 266 | |
| 267 | ######### Document configurations ######### |
| 268 | |
shanedaniel | 1cdda18 | 2017-11-17 18:21:00 +0000 | [diff] [blame] | 269 | index => "logstash-%{+YYYY.MM.dd}" |
Itay Hassid | e2da86d | 2017-08-24 12:54:42 +0000 | [diff] [blame] | 270 | document_type => "logs" |
| 271 | |
| 272 | ## This can be used to associate child documents with a parent using the parent ID. |
| 273 | #parent => "abcd' |
| 274 | } |
| 275 | } |
| 276 | |