Convert Filebeat nginx.access to ECS #9081
Conversation
webmat
added
in progress
webmat
force-pushed
the
ecs-nginx-access
branch
from
85ab10d
to
47be6ac
Compare
|
@ruflin Ready for review |
webmat
changed the title
|
I looked into the user_agent problem. The issue is related to the mapping. The |
|
Ok, thanks for figuring this out. I'll go around your feedback on all other PRs. Then I think I'll fix user_agent in each of them before merging. I'll also create the aliases in each module's field defs in each PR. |
webmat
force-pushed
the
ecs-nginx-access
branch
2 times, most recently
from
35bc4ed
to
c971d88
Compare
|
@ruflin Ready for final review. New spin on nginx' IP/socket duality. Since this module groks for an IP list, it means that it doesn't currently support log events with a Unix socket as the source. Fixing this is out of scope for this ECS translation, so I've added a note to #9208 to that effect. We have exactly one custom field left: |
| - name: remote_ip | ||
| type: keyword | ||
| description: > | ||
| Client IP address. The first public IP address from the `remote_ip_list` array. If no public IP |
There was a problem hiding this comment.
I wonder if at some stage we regret removing these descriptions. Ok for now, it's also in git.
There was a problem hiding this comment.
Can alias fields have a description? If so, I don't mind restoring the definitions.
There's a bunch of work needing to happen there anyway for doc generation, right? At this time, these aliases get the module's field name replaced with the ECS field name instead.
So if you want to keep the old field descriptions there, we'll need to have a doc generator that
- lists the old name
- mentions that it's now an alias to the new field, with a mention of the new field (even a link to its definition)
- if a description is provided, provide the description of the deprecated field
|
It could be that CI failure is related. Let's see what Jenkins thinks. |
|
Re-kicked both failing Travis jobs. They both died after a 10m timeout. |
|
Jenkins failures only on Windows, for these 3 jobs (test report):
This has nothing to do with the nginx module. Probably flaky tests? |
|
@webmat Yes the 3 you mention above are flaky tests and I remember @ph wanted to skip them, so potentially already skipped in master (need to catch on PR's from today). For the failing travis jobs: The part I worry is that it's both in Filebeat. Often when module tests time out it means one is really slow or hanging. But if Jenkins goes green, all should be good. Probably worth restarting the travis ones. |
|
One of the Travis jobs is pretty far along in running the tests, this time, while the other one hangs really early: https://travis-ci.org/elastic/beats/jobs/458876579 |
webmat
force-pushed
the
ecs-nginx-access
branch
from
c971d88
to
ef89b6d
Compare
- nginx.access.referrer => http.request.referrer - nginx.access.method => http.request.method - nginx.access.url => url.original - nginx.access.http_version => http.version
- Copy remote_ip to `source.ip` if it's an IP - Copy remote_ip to `source.domain` otherwise - Perform geoIP on `source.ip` when present - Output geo information to `source.geo` - nginx.access.geoip.* => source.geo.*
- `http.request.referrer` - `url.original` This is strange. Not sure how I pushed this PR with these failures unsolved...
Adding a dumb `set` for source.ip, otherwise in the painless context, `source` itself doesn't exist yet. And adding this dictionary in painless sounded more painful than using `set`.
webmat
force-pushed
the
ecs-nginx-access
branch
from
ef89b6d
to
72a22e4
Compare
|
@ruflin Figured out why stuff was always hanging: was incorrectly aliasing to Looks like all tests will be green here as well. Will merge tomorrow unless something comes up. |
Caveat
$http_x_forwarded_for, which is either one IP or more. This means any log line that would contain a unix socket (one possibility, with nginx' default$remote_addr) is already not parsed successfully by this module. This field mapping to ECS does not introduce support for unix sockets.Renames
TODO
user_agentto ECS field namesError loading Elasticsearch template: could not load template. Elasticsearch returned: couldn't load template: couldn't load json. Error: 400 Bad Request: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Invalid [path] value [http.referrer] for field alias [nginx.access.referrer]: an alias must refer to an existing field in the mappings."}]