Add awsfargate module to collect container logs from Amazon ECS on Fargate

[kaiyan-sheng]

What does this PR do?

This PR is to add support for collecting logs from AWS Fargate with awsfargate module.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Step1: Follow steps in Metricbeat documentation to create some containers running using Fargate.

Step2: Check CloudWatch to get the log group ARN where your fargate logs are sent to.

Step3: Enable awsfargate module using ./filebeat modules enable awsfargate.

Step4: Modify awsfargate.yml with credentials and the log group ARN. For example:

- module: awsfargate
  log:
    enabled: true
    var.credential_profile_name: elastic-beats
    var.log_group_arn: arn:aws:logs:us-east-1:1234567890:log-group:/ecs/metricbeat-awsfargate:*

Step5: Start Filebeat and you should be able to see logs getting ingested into ES.

Related issues

• Closes [Logs] Add Fargate support integrations#559

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[elasticmachine]

Pinging @elastic/integrations (Team:Platforms)

[botelastic]

This pull request doesn't have a Team:<team> label.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #25041 updated

• Start Time: 2021-04-20T04:04:55.351+0000

• Duration: 56 min 27 sec

• Commit: bf0a8b2

Test stats 🧪

Test	Results
Failed	0
Passed	13609
Skipped	2271
Total	15880

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	13609
Skipped	2271
Total	15880

[ChrsMark]

Looks great!

One question: Is there any way we can enrich this logs with container metadata?

[kaiyan-sheng]

One question: Is there any way we can enrich this logs with container metadata?

@ChrsMark Thanks for the review!! I'm relying on the add_docker_metadata processor to add container info container.id and this can be used to connect logs from Filebeat with monitoring metrics from awsfargate Metricbeat module.

[ChrsMark]

One question: Is there any way we can enrich this logs with container metadata?

@ChrsMark Thanks for the review!! I'm relying on the add_docker_metadata processor to add container info container.id and this can be used to connect logs from Filebeat with monitoring metrics from awsfargate Metricbeat module.

Hmm, add_docker_metadata requires access to docker socket, not sure if it's gonna work here since the setup is different. Or do I miss something 🤔 ?

[ChrsMark]

lgtm

[ChrsMark]

/test

[kaiyan-sheng]

CI failure should be fixed by #25141

[exekias]

Could you provide some detail on why doing this rename?

[kaiyan-sheng]

Ahh sorry!! I thought we are moving all message to event.oiriginal. But I see #14708 is the other way around. I will remove this renaming here.

[exekias]

I'm wondering, is cloudwatch providing any extra meta about the source of the logs? I would expect some info about the containers generating these logs

[kaiyan-sheng]

Hmm the only metadata I can find is the container ID, which is in the name of the log stream. For example: ecs/metricbeat-awsfargate/397eb2787a7d4f7783d03c49cafd244c.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fargate_logs upstream/fargate_logs
git merge upstream/master
git push upstream fargate_logs