blob: 5c1d47d18e385644ba8e104ffeaef76c6a42b37f [file] [log] [blame]
ac2550a61b86e2018-10-10 13:54:08 +02001# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14input {
15 http_poller {
16 urls => {
17 event_queue => {
18 method => get
19 url => "${dmaap_base_url}/events/${event_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000"
20 headers => {
21 Accept => "application/json"
22 }
23 add_field => { "topic" => "${event_topic}" }
24 type => "dmaap_event"
25 }
26 notification_queue => {
27 method => get
28 url => "${dmaap_base_url}/events/${notification_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000"
29 headers => {
30 Accept => "application/json"
31 }
32 add_field => { "topic" => "${notification_topic}" }
33 type => "dmaap_notification"
34 }
35 request_queue => {
36 method => get
37 url => "${dmaap_base_url}/events/${request_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000"
38 headers => {
39 Accept => "application/json"
40 }
41 add_field => { "topic" => "${request_topic}" }
42 type => "dmaap_request"
43 }
44 }
45 socket_timeout => 30
46 request_timeout => 30
47 codec => "plain"
48 schedule => { "every" => "1m" }
49 cacert => "/certs.d/aafca.pem"
50 }
51}
52
53input {
54 file {
55 path => [
56 "/log-input/*"
57 ]
58 type => "dmaap_log"
59 codec => "json"
60 }
61}
62
63filter {
osgn422we69ed982018-10-30 17:04:03 +010064 if [type] != "dmaap_log" {
65 #only execute this section for dmaap events from http request
66 #it doesn't apply to dmaap events from log file
ac2550a61b86e2018-10-10 13:54:08 +020067
osgn422we69ed982018-10-30 17:04:03 +010068 # avoid noise if no entry in the list
69 if [message] == "[]" {
70 drop { }
71 }
ac2550a61b86e2018-10-10 13:54:08 +020072
osgn422we69ed982018-10-30 17:04:03 +010073 if [http_request_failure] or [@metadata][code] != "200" {
74 mutate {
75 add_tag => [ "error" ]
76 }
77 }
78
79 if "dmaap_source" in [tags] {
80 #
81 # Dmaap provides a json list, whose items are Strings containing the event
82 # provided to Dmaap, which itself is an escaped json.
83 #
84 # We first need to parse the json as we have to use the plaintext as it cannot
85 # work with list of events, then split that list into multiple string events,
86 # that we then transform into json.
87 #
88 json {
89 source => "[message]"
90 target => "message"
91 }
92 ruby {
93 code => "
94 for ev in event.get('message', [])
95 ev.set('@metadata', event.get('@metadata'))
96 end
97 "
98 }
99
100 split {
101 field => "message"
102 }
103 json {
104 source => "message"
105 }
106 mutate {
107 remove_field => [ "message" ]
108 }
109 }
110 }
111 #now start the common, to both http request and log file events, processing
ac2550a61b86e2018-10-10 13:54:08 +0200112
113 #
114 # Some timestamps are expressed as milliseconds, some are in microseconds
115 #
116 if [closedLoopAlarmStart] {
117 ruby {
118 code => "
119 if event.get('closedLoopAlarmStart').to_s.to_i(10) > 9999999999999
120 event.set('closedLoopAlarmStart', event.get('closedLoopAlarmStart').to_s.to_i(10) / 1000)
121 else
122 event.set('closedLoopAlarmStart', event.get('closedLoopAlarmStart').to_s.to_i(10))
123 end
124 "
125 }
126 date {
127 match => [ "closedLoopAlarmStart", UNIX_MS ]
128 target => "closedLoopAlarmStart"
129 }
130 }
131
132 if [closedLoopAlarmEnd] {
133 ruby {
134 code => "
135 if event.get('closedLoopAlarmEnd').to_s.to_i(10) > 9999999999999
136 event.set('closedLoopAlarmEnd', event.get('closedLoopAlarmEnd').to_s.to_i(10) / 1000)
137 else
138 event.set('closedLoopAlarmEnd', event.get('closedLoopAlarmEnd').to_s.to_i(10))
139 end
140 "
141 }
142 date {
143 match => [ "closedLoopAlarmEnd", UNIX_MS ]
144 target => "closedLoopAlarmEnd"
145 }
146
147 }
148
149
150 #
151 # Notification time are expressed under the form "yyyy-MM-dd HH:mm:ss", which
152 # is close to ISO8601, but lacks of T as spacer: "yyyy-MM-ddTHH:mm:ss"
153 #
154 if [notificationTime] {
155 mutate {
156 gsub => [ "notificationTime", " ", "T" ]
157 }
158 date {
159 match => [ "notificationTime", ISO8601 ]
160 target => "notificationTime"
161 }
162 }
163
164
165 #
166 # Renaming some fields for readability
167 #
168 if [AAI][generic-vnf.vnf-name] {
169 mutate {
170 add_field => { "vnfName" => "%{[AAI][generic-vnf.vnf-name]}" }
171 }
172 }
173 if [AAI][generic-vnf.vnf-type] {
174 mutate {
175 add_field => { "vnfType" => "%{[AAI][generic-vnf.vnf-type]}" }
176 }
177 }
178 if [AAI][vserver.vserver-name] {
179 mutate {
180 add_field => { "vmName" => "%{[AAI][vserver.vserver-name]}" }
181 }
182 }
183 if [AAI][complex.city] {
184 mutate {
185 add_field => { "locationCity" => "%{[AAI][complex.city]}" }
186 }
187 }
188 if [AAI][complex.state] {
189 mutate {
190 add_field => { "locationState" => "%{[AAI][complex.state]}" }
191 }
192 }
193
194
195 #
196 # Adding some flags to ease aggregation
197 #
198 if [closedLoopEventStatus] =~ /(?i)ABATED/ {
199 mutate {
200 add_field => { "flagAbated" => "1" }
201 }
202 }
203 if [notification] =~ /^.*?(?:\b|_)FINAL(?:\b|_).*?(?:\b|_)FAILURE(?:\b|_).*?$/ {
204 mutate {
205 add_field => { "flagFinalFailure" => "1" }
206 }
207 }
208
209
210 if "error" not in [tags] {
211 #
212 # Creating data for a secondary index
213 #
214 clone {
215 clones => [ "event-cl-aggs" ]
216 add_tag => [ "event-cl-aggs" ]
217 }
218
219 if "event-cl-aggs" in [tags] {
220 #
221 # we only need a few fields for aggregations; remove all fields from clone except :
222 # vmName,vnfName,vnfType,requestID,closedLoopAlarmStart, closedLoopControlName,closedLoopAlarmEnd,abated,nbrDmaapevents,finalFailure
223 #
224 prune {
225 whitelist_names => ["^@.*$","^topic$","^type$","^tags$","^flagFinalFailure$","^flagAbated$","^locationState$","^locationCity$","^vmName$","^vnfName$","^vnfType$","^requestID$","^closedLoopAlarmStart$","^closedLoopControlName$","^closedLoopAlarmEnd$","^target$","^target_type$","^triggerSourceName$","^policyScope$","^policyName$","^policyVersion$"]
226 }
227
228 }
229 }
230}
231
232output {
233 stdout {
234 codec => rubydebug { metadata => true }
235 }
236
237 if "error" in [tags] {
238 elasticsearch {
239 codec => "json"
240 hosts => ["${elasticsearch_base_url}"]
osgn422w0ce11ea2019-07-17 16:17:13 +0200241 user => "${LOGSTASH_USR}"
242 password => "${LOGSTASH_PWD}"
ac2550a61b86e2018-10-10 13:54:08 +0200243 index => "errors-%{+YYYY.MM.DD}"
244 doc_as_upsert => true
245 }
246
247 } else if "event-cl-aggs" in [tags] {
248 elasticsearch {
249 codec => "json"
250 hosts => ["${elasticsearch_base_url}"]
osgn422w0ce11ea2019-07-17 16:17:13 +0200251 user => "${LOGSTASH_USR}"
252 password => "${LOGSTASH_PWD}"
ac2550a61b86e2018-10-10 13:54:08 +0200253 document_id => "%{requestID}"
254 index => "events-cl-%{+YYYY.MM.DD}" # creates daily indexes for control loop
255 doc_as_upsert => true
256 action => "update"
257 }
258
259 } else {
260 elasticsearch {
261 codec => "json"
262 hosts => ["${elasticsearch_base_url}"]
osgn422w0ce11ea2019-07-17 16:17:13 +0200263 user => "${LOGSTASH_USR}"
264 password => "${LOGSTASH_PWD}"
osgn422we69ed982018-10-30 17:04:03 +0100265 index => "events-raw-%{+YYYY.MM.DD}" # creates daily indexes
ac2550a61b86e2018-10-10 13:54:08 +0200266 doc_as_upsert => true
267 }
268 }
269}