Add awsfargate module to collect container logs from Amazon ECS on Fargate #25041

Merged
merged 13 commits into from
Apr 20, 2021

kaiyan-sheng
Contributor

@kaiyan-sheng kaiyan-sheng commented Apr 13, 2021

What does this PR do?

This PR is to add support for collecting logs from AWS Fargate with awsfargate module.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Step 1: Follow steps in Metricbeat documentation to create some containers running using Fargate.

Step 2: Check CloudWatch to get the log group ARN where your Fargate logs are sent to.

Step 3: Enable awsfargate module using ./filebeat modules enable awsfargate.

Step 4: Modify awsfargate.yml with credentials and the log group ARN. For example:

- module: awsfargate
  log:
    enabled: true
    var.credential_profile_name: elastic-beats
    var.log_group_arn: arn:aws:logs:us-east-1:1234567890:log-group:/ecs/metricbeat-awsfargate:*

Step 5: Start Filebeat and you should be able to see logs getting ingested into ES.

Related issues

elasticmachine commented Apr 13, 2021

💚 Build Succeeded

Build stats

  • Build Cause: Pull request #25041 updated

  • Start Time: 2021-04-20T04:04:55.351+0000

  • Duration: 56 min 27 sec

  • Commit: bf0a8b2

Test stats 🧪

Test Results
Failed 0
Passed 13609
Skipped 2271
Total 15880

💚 Flaky test report

Tests succeeded.

Member

@ChrsMark ChrsMark left a comment

Looks great!

One question: Is there any way we can enrich these logs with container metadata?

@kaiyan-sheng
Contributor Author

> One question: Is there any way we can enrich these logs with container metadata?

@ChrsMark Thanks for the review!! I'm relying on the add_docker_metadata processor to add container info container.id and this can be used to connect logs from Filebeat with monitoring metrics from awsfargate Metricbeat module.

@ChrsMark
Member

ChrsMark commented Apr 19, 2021

> > One question: Is there any way we can enrich these logs with container metadata?
>
> @ChrsMark Thanks for the review!! I'm relying on the add_docker_metadata processor to add container info container.id and this can be used to connect logs from Filebeat with monitoring metrics from awsfargate Metricbeat module.

Hmm, add_docker_metadata requires access to docker socket, not sure if it's gonna work here since the setup is different. Or do I miss something 🤔 ?

Member

@ChrsMark ChrsMark left a comment

lgtm

@ChrsMark
Member

/test

@kaiyan-sheng
Contributor Author

CI failure should be fixed by #25141

Comment on lines 8 to 10
field: message
target_field: event.original
ignore_missing: true
Contributor

Could you provide some detail on why doing this rename?

Contributor Author

Ahh sorry!! I thought we are moving all message to event.original. But I see #14708 is the other way around. I will remove this renaming here.

Comment on lines 11 to 19
{
"event.dataset": "awsfargate.log",
"event.module": "awsfargate",
"event.original": "10.0.1.195 - - [24/Sep/2020:16:45:19 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"ELB-HealthChecker/2.0\" \"-\"",
"fileset.name": "log",
"input.type": "log",
"log.offset": 189,
"service.type": "awsfargate"
}
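Review bot: the expected output here carries the log line under "event.original" and has no "message" field, which is the effect of the rename questioned in the previous review thread (field: message, target_field: event.original). If that rename is removed as agreed there, this expected file should be regenerated so the line appears under "message"; otherwise the fixture keeps asserting the behaviour the thread decided against.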
Contributor

I'm wondering, is cloudwatch providing any extra meta about the source of the logs? I would expect some info about the containers generating these logs

Contributor Author

Hmm the only metadata I can find is the container ID, which is in the name of the log stream. For example: ecs/metricbeat-awsfargate/397eb2787a7d4f7783d03c49cafd244c.
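
An added example, not code from this PR or from Beats: splitting a log stream name of the shape quoted in the reply above and copying its trailing ID into container.id, the field named earlier in the thread for joining Filebeat logs with Metricbeat metrics. The 32-hex-character ID pattern and the names StreamInfo, ParseStreamName and Enrich are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// StreamInfo is a log stream name split as <prefix>/<name>/<id>.
type StreamInfo struct{ Prefix, Name, ID string }

// Assumption: the ID is 32 lowercase hex characters, as in the quoted example.
var idPattern = regexp.MustCompile(`^[0-9a-f]{32}$`)
var ErrStreamName = errors.New("log stream name is not <prefix>/<name>/<id>")

// ParseStreamName splits from the right so a prefix that itself contains "/"
// still parses, and rejects names whose last segment is not a well-formed ID.
func ParseStreamName(stream string) (StreamInfo, error) {
	i := strings.LastIndex(stream, "/")
	if i <= 0 || !idPattern.MatchString(stream[i+1:]) {
		return StreamInfo{}, ErrStreamName
	}
	j := strings.LastIndex(stream[:i], "/")
	if j <= 0 || j == i-1 {
		return StreamInfo{}, ErrStreamName
	}
	return StreamInfo{Prefix: stream[:j], Name: stream[j+1 : i], ID: stream[i+1:]}, nil
}

// Enrich returns a copy of event with container.id set from the stream name.
// On a parse error the copy is returned unchanged so the event is not lost.
func Enrich(event map[string]string, stream string) (map[string]string, error) {
	out := make(map[string]string, len(event)+1)
	for k, v := range event {
		out[k] = v
	}
	info, err := ParseStreamName(stream)
	if err != nil {
		return out, err
	}
	out["container.id"] = info.ID
	return out, nil
}

func main() {
	ev := map[string]string{"event.dataset": "awsfargate.log"} // constructed sample
	out, err := Enrich(ev, "ecs/metricbeat-awsfargate/397eb2787a7d4f7783d03c49cafd244c")
	fmt.Println(out["container.id"], err)
}
```

Rejecting malformed names before they become a join key keeps a mis-shaped or unexpected stream name from silently attaching logs to the wrong workload.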

@mergify
Contributor

mergify bot commented Apr 19, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fargate_logs upstream/fargate_logs
git merge upstream/master
git push upstream fargate_logs

@kaiyan-sheng kaiyan-sheng merged commit 9013d07 into elastic:master Apr 20, 2021
@kaiyan-sheng kaiyan-sheng deleted the fargate_logs branch April 20, 2021 07:17
kaiyan-sheng added a commit that referenced this pull request Apr 20, 2021
… logs from Amazon ECS on Fargate (#25161)

* Add awsfargate module to collect container logs from Amazon ECS on Fargate (#25041)

(cherry picked from commit 9013d07)
Labels
in progress Pull request is currently in progress. Team:Integrations Label for the Integrations team test-plan Add this PR to be manual test plan test-plan-added This PR has been added to the test plan v7.13.0
Development

Successfully merging this pull request may close these issues.

[Logs] Add Fargate support
5 participants