Filebeat coredns module #11200
Conversation
Pinging @elastic/secops
For awareness, there is also a Metricbeat module for CoreDNS in the works. I wonder if we should sync up on some of the field names? #10585
It seems that the CoreDNS Metricbeat module focuses on stats and uses the coredns.stats object; from a brief first glance there does not seem to be a conflict anywhere.
Just a few minor issues on the pipeline.
I do wonder if this should just be one fileset like coredns.log that can be used with k8s+coredns or a standalone coredns deployment. The JSON decoding could be conditional based on the log file extension (like decode_json_fields.when.regexp.message: '^{'). I'm just not sure how to handle selecting between k8s mode and regular log mode; maybe both the k8s JSON path and the regular log path could be defaults at the same time.
var:
  - name: paths
    default:
      - /var/lib/docker/containers/*/*-json.log
      - /var/log/coredns.log
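The single-fileset idea sketched above, with both path defaults active and JSON decoding applied only when a line actually looks like JSON, could look roughly like this (a sketch, not the PR's actual config; the processor placement and option values are assumptions):

```yaml
# Hypothetical input config for a merged coredns "log" fileset.
# Plain-text lines pass through untouched; lines that look like JSON
# (k8s container logs) are decoded into structured fields.
type: log
paths:
  - /var/lib/docker/containers/*/*-json.log
  - /var/log/coredns.log
processors:
  - decode_json_fields:
      fields: ["message"]
      target: ""
      overwrite_keys: true
      when:
        regexp:
          message: '^{'
```

The `when.regexp` condition is what makes the decoding safe for plain-text CoreDNS logs: non-JSON lines simply skip the processor.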
I actually think using a separate fileset will give more flexibility (allowing different processing easily) and better performance. The drawback is maintaining a separate fileset.
If the resulting events are the same for both filesets, I would recommend building one. @ycombinator did something similar for Elasticsearch, where there are also JSON and plain logs. Perhaps he can comment here.
Note that these two deployment modes are exclusive, meaning that in one mode Filebeat should not ingest logs from the other deployment, and vice versa. Also, one uses autodiscovery and the other does not.
@alakahakai Not sure I can follow your above comment. I expect that per Filebeat instance, only one option is used. But let's assume we have two deployments, one with JSON logs and one without. I expect the events coming from the different Filebeat instances to be almost identical.
@alakahakai In case it's applicable and you're interested in seeing how we handle either JSON or plaintext logs in the Elasticsearch module, some specifics:
The benefit of this approach is that the user doesn't need to perform any additional configuration. Filebeat automatically figures out the format of their events and handles each format appropriately. Again, I'm not familiar with coredns and I'm not sure if any of the above is applicable in your case. But I just wanted to post it here since @ruflin mentioned it, in case it might give you some ideas.
@ycombinator Thanks for the information on how to process multiple types of log files in one fileset. It is useful. However, I may not be able to use it here for the reason I mentioned earlier: these two deployment modes are exclusive, meaning that in one mode Filebeat should not ingest logs from the other deployment, and vice versa. Also, one uses autodiscovery and the other does not.
To clarify further: for the Kubernetes *-json.log files (the asterisk here is an auto-generated 64-byte container ID), not all of them will be for coredns; it depends on autodiscovery. For example, some will be for the Filebeat envoy module, some will be for the Filebeat coredns module, and some will be for something else. So we cannot enable ingestion of all the JSON files by default in the coredns module, meaning we cannot put *.log and *-json.log in the manifest.yml file and enable them by default. Notice that currently the kubernetes fileset is set to disabled by default in _meta/config.yml, and it will be enabled by autodiscovery per pod/container when annotations are specified accordingly.
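The per-pod activation described above is what Filebeat's hints-based autodiscover provides. A minimal sketch (hints-based autodiscover and the `co.elastic.logs` annotations are standard Filebeat features, but the exact values here are illustrative, not taken from this PR):

```yaml
# filebeat.yml sketch: enable hints-based autodiscover so that only
# containers annotated for a given module get that module's fileset.
filebeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: true
```

With this in place, annotating the CoreDNS pod with `co.elastic.logs/module: coredns` applies the module only to that container's `*-json.log` file, while other containers' logs are routed by their own annotations (or left alone).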
@ruflin They are not really identical; the one from Kubernetes has its own meta fields for enrichment. But that is not the main problem. Please take a look at my comments above. Any suggestion is welcome.
Let's try to split up the issue here.

Data structure: Comparing https://github.com/elastic/beats/pull/11200/files#diff-fe233fd564fc292bbb395cdc55fc5280 with https://github.com/elastic/beats/pull/11200/files#diff-e2e15eb66ce61d13cdd689942e7bfbf2, from my perspective they are almost identical. It seems the non-k8s one is a subset of the k8s one? And the fields that are added in k8s are all k8s specific, not directly related to coredns itself but more about figuring out where the event is coming from, like our k8s add-metadata processor.

Config files: Different config files are needed based on the deployment. This is definitely a challenge. I wonder if we could do something similar to what we do for os-specific var defaults. If we can't find an easy solution, I'm also ok with having 2 filesets for now, but we should have the goal to merge them, in my opinion.

A more general question about CoreDNS: Is there only 1 log file? Or can it be that CoreDNS has different logs?
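For reference, the per-OS defaults mechanism mentioned above lets a fileset manifest vary a var by operating system. A sketch modeled on how other Beats module manifests look (the paths here are illustrative, not from the coredns module):

```yaml
# manifest.yml sketch: Filebeat resolves the var at load time,
# picking the os.* override matching the host, else the default.
var:
  - name: paths
    default:
      - /var/log/messages*
    os.darwin:
      - /var/log/system.log*
    os.windows: []
```

The open question in the thread is whether a similar runtime switch could exist for "k8s deployment vs. native deployment" rather than for operating systems.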
Yes, I agree that the k8s log file is a superset of the native one.
I will take a look at that. If there is an easy way to get the runtime state of Filebeat to see whether it is running in k8s mode (daemonset), and add a var according to that, then this might work.
Yes, using one fileset to cover both dynamically would be pretty cool.
A native deployment will normally have only one log file, while a k8s deployment will normally have multiple pods and hence multiple log files.
I am branching into a separate topic. The manifest file that you quoted has the following variable setting:
It seems to me that the |
Thanks for all the help. I have merged the two filesets into one. One trick here is to only put the native log under paths, while letting autodiscovery apply to the JSON k8s log files. It works, except that Filebeat will potentially ingest native coredns log files in k8s deployment mode if they exist on the host, which should not happen in real deployments. So I guess we can live with this limitation for now. If we have to address it, then I think we might need to introduce some checking of the runtime state of Kubernetes autodiscovery into fileset.go.
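Under the merged layout described above, the fileset manifest would default to only the native path, leaving the k8s JSON paths to autodiscovery. A sketch (file names and pipeline path are assumptions; the actual files in the PR may differ):

```yaml
# manifest.yml sketch for the merged coredns log fileset: only the
# native log is a default path. The per-container *-json.log paths
# are not listed; autodiscover supplies those in a k8s deployment.
var:
  - name: paths
    default:
      - /var/log/coredns.log

ingest_pipeline: ingest/pipeline.json
input: config/log.yml
```

This is exactly why a stray /var/log/coredns.log on a k8s host would still be picked up, the limitation acknowledged above.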
jenkins, test this
Thanks for pushing this forward and getting it into 1 fileset.
@odacremolbap Could you have a look at this as you potentially have more knowledge about CoreDNS and could also test this on your end?
jenkins, test this
@ruflin Should we move ahead with this?
processors:
  - add_kubernetes_metadata:
    in_cluster: true
The indentation here looks like it's off by 2 spaces.
Yes, good catch. It was manually edited for the README and a mistake was made.
Add filebeat coredns module
Still in progress, waiting on #11134 to be merged first.
#11134 is now merged. Getting this ready for review.