[Filebeat] [MongoDB] Support MongoDB 4.4 json logs

[tetianakravchenko]

What does this PR do?

MongoDB 4.4 changed logs to a structured JSON format, this PR adds support for mongodb logs json format, and support the old format too.

Why is it important?

to support new logs format in filebeat MongoDB module.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes Support MongoDB 4.4 in filebeat's MongoDB module #20501

Use cases

Screenshots

Logs

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #24774 updated

• Start Time: 2021-06-15T11:40:44.621+0000

• Duration: 104 min 5 sec

• Commit: be5576a

Test stats 🧪

Test	Results
Failed	0
Passed	14053
Skipped	2306
Total	16359

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	14053
Skipped	2306
Total	16359

[jsoriano]

/test

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[jsoriano]

@tetianakravchenko thanks for this contribution!

Failure in tests seems related:

Pipeline processor configured for non-existent pipeline [filebeat-8.0.0-mongodb-log-pipeline-plaintext]

I think the problem is that new pipelines need to be added to the manifest in filebeat/module/mongodb/log/manifest.yml, could you please add the pipelines there?

[tetianakravchenko]

@jsoriano thank you for the feedback! I've added new pipelines to the manifest 9f5d34c

[jsoriano]

/test

[jsoriano]

/test

[cihantunali]

Hi there,
I dont know if it helps or not but I created a GROK pattern to parse it. I tried to implement it via manuel way to filebeat (created new pipeline and forced filebeat to use it) but no luck :(

{"t":{"$date":"%{TIMESTAMP_ISO8601:timestamp}"},"s":"%{WORD:severity}",%{SPACE}"c":"%{WORD:component}",%{SPACE}"id":%{INT:id},%{SPACE}"ctx":"%{DATA:context}","msg":"%{GREEDYDATA:message}

I hope, release come soon. Thanks!

[jsoriano]

/test

[cihantunali]

Hi there!
I hope it can build. Thank you @jsoriano for your effort.

[tetianakravchenko]

Hi @jsoriano, as I see that build is failing mainly with timeout error:

E               beat.beat.TimeoutError: Timeout waiting for 'cond' to be true. Waited 10 seconds.

or

E           Failed: Timeout >90.0s

is there anything I can do here?

[jsoriano]

@tetianakravchenko try updating your branch with master, failing tests can be related to outdated files.

[jsoriano]

I have updated the branch, let's see if tests pass now 🤞

[jsoriano]

/test

[cihantunali]

I think there is same error here

E Failed: Timeout >90.0s

[jsoriano]

I am not sure why other modules fail, but there seems to be a problem with the change in the MongoDB module. Running the tests locally I see this error in filebeat logs:

2021-06-07T07:17:32.045-0200    ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(elasticsearch(http://elasticsearch:9200)): Connection marked as failed because the onConnect callback failed: 1 error: error loading pipeline for fileset mongodb/log: couldn't load pipeline: couldn't load json. Error: 400 Bad Request: {"error":{"root_cause":[{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c == 'ACCESS'","       ^---- HERE"],"script":"mongodb.c == 'ACCESS'","lang":"painless","position":{"offset":7,"start":0,"end":21},"suppressed":[{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c == 'WRITE'","       ^---- HERE"],"script":"mongodb.c == 'WRITE'","lang":"painless","position":{"offset":7,"start":0,"end":20}},{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c != 'WRITE' && mongodb. ...","       ^---- HERE"],"script":"mongodb.c != 'WRITE' && mongodb.c != 'ACCESS'","lang":"painless","position":{"offset":7,"start":0,"end":32}},{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.s == 'F' || mongodb.s == ...","       ^---- HERE"],"script":"mongodb.s == 'F' || mongodb.s == 'E'","lang":"painless","position":{"offset":7,"start":0,"end":32}}]}],"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c == 'ACCESS'","       ^---- HERE"],"script":"mongodb.c == 'ACCESS'","lang":"painless","position":{"offset":7,"start":0,"end":21},"caused_by":{"type":"illegal_argument_exception","reason":"cannot resolve symbol [mongodb.c]"},"suppressed":[{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c == 'WRITE'","       ^---- HERE"],"script":"mongodb.c == 'WRITE'","lang":"painless","position":{"offset":7,"start":0,"end":20},"caused_by":{"type":"illegal_argument_exception","reason":"cannot resolve symbol [mongodb.c]"}},{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c != 'WRITE' && mongodb. ...","       ^---- HERE"],"script":"mongodb.c != 'WRITE' && mongodb.c != 'ACCESS'","lang":"painless","position":{"offset":7,"start":0,"end":32},"caused_by":{"type":"illegal_argument_exception","reason":"cannot resolve symbol [mongodb.c]"}},{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.s == 'F' || mongodb.s == ...","       ^---- HERE"],"script":"mongodb.s == 'F' || mongodb.s == 'E'","lang":"painless","position":{"offset":7,"start":0,"end":32},"caused_by":{"type":"illegal_argument_exception","reason":"cannot resolve symbol [mongodb.s]"}}]},"status":400}. Response body: {"error":{"root_cause":[{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c == 'ACCESS'","       ^---- HERE"],"script":"mongodb.c == 'ACCESS'","lang":"painless","position":{"offset":7,"start":0,"end":21},"suppressed":[{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c == 'WRITE'","       ^---- HERE"],"script":"mongodb.c == 'WRITE'","lang":"painless","position":{"offset":7,"start":0,"end":20}},{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c != 'WRITE' && mongodb. ...","       ^---- HERE"],"script":"mongodb.c != 'WRITE' && mongodb.c != 'ACCESS'","lang":"painless","position":{"offset":7,"start":0,"end":32}},{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.s == 'F' || mongodb.s == ...","       ^---- HERE"],"script":"mongodb.s == 'F' || mongodb.s == 'E'","lang":"painless","position":{"offset":7,"start":0,"end":32}}]}],"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c == 'ACCESS'","       ^---- HERE"],"script":"mongodb.c == 'ACCESS'","lang":"painless","position":{"offset":7,"start":0,"end":21},"caused_by":{"type":"illegal_argument_exception","reason":"cannot resolve symbol [mongodb.c]"},"suppressed":[{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c == 'WRITE'","       ^---- HERE"],"script":"mongodb.c == 'WRITE'","lang":"painless","position":{"offset":7,"start":0,"end":20},"caused_by":{"type":"illegal_argument_exception","reason":"cannot resolve symbol [mongodb.c]"}},{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.c != 'WRITE' && mongodb. ...","       ^---- HERE"],"script":"mongodb.c != 'WRITE' && mongodb.c != 'ACCESS'","lang":"painless","position":{"offset":7,"start":0,"end":32},"caused_by":{"type":"illegal_argument_exception","reason":"cannot resolve symbol [mongodb.c]"}},{"type":"script_exception","reason":"compile error","processor_type":"append","script_stack":["mongodb.s == 'F' || mongodb.s == ...","       ^---- HERE"],"script":"mongodb.s == 'F' || mongodb.s == 'E'","lang":"painless","position":{"offset":7,"start":0,"end":32},"caused_by":{"type":"illegal_argument_exception","reason":"cannot resolve symbol [mongodb.s]"}}]},"status":400}

There seems to be a problem with the pipeline.

I can reproduce the error running the following command from the filebeat directory: PYTEST_ADDOPTS="-k test_modules" GENERATE=1 TESTING_FILEBEAT_MODULES=mongodb mage pythonIntegTest.

After running the tests, logs are available in build/system-tests/run/test_modules.Test.test_fileset_file_0_mongodb/output.log.

@tetianakravchenko can you take a look?

[tetianakravchenko]

thank you for the hint, I will have a look 👍

[tetianakravchenko]

Hi @jsoriano. Locally I have the command below running successfully after the latest changes

filebeat directory: PYTEST_ADDOPTS="-k test_modules" GENERATE=1 TESTING_FILEBEAT_MODULES=mongodb mage pythonIntegTest

Could you please trigger tests?

[jsoriano]

/test

[jsoriano]

Thanks @tetianakravchenko! I can confirm that tests pass now locally for me, let's wait for CI 🤞

[jsoriano]

@tetianakravchenko sorry, one last thing, could you please add a changelog entry in the CHANGELOG.next.asciidoc file? For the rest it LGTM, thanks!

[jsoriano]

/test

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b mongodb-json-format upstream/mongodb-json-format
git merge upstream/master
git push upstream mongodb-json-format

[jsoriano]

/test

[jsoriano]

LGTM, thanks!

[cihantunali]

G8 work! When it can be released and which version?

[jsoriano]

@cihantunali this will be likely available in Filebeat 7.14.0.

[jsoriano]

Looking again at this change, I think that we should store the message in the message field, as the pipeline for plaintext does, and also I think that there is no need to keep the original log message as it is fully parsed. I am doing these changes as a follow up in #26338

[tetianakravchenko]

@jsoriano my idea was to keep the original log message, as it contains attr field, where might be stored important information, like locks, readConcern, writeConcern, command, etc (all those logs are part of slow logs). As content of this field depends on log type, it doesn't make sense to parse each subfield, but keeping original message with attr (other optional fields are truncated, size, tags) for debugging purpose I think would be helpful.

[jsoriano]

@tetianakravchenko good point, ok, I will keep the original message but under the ECS log.original field. I have updated the PR, would you mind to review it?
Maybe in the future we can add something to store these attributes.

[jsoriano]

Change applied to integrations in elastic/integrations#1138.