Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FileBeat] GCP module enhancement - Populate orchestrator.* fields for K8S logs #25368

Merged
merged 11 commits into from
Jun 2, 2021
Merged

[FileBeat] GCP module enhancement - Populate orchestrator.* fields for K8S logs #25368

Changes from 2 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
59af914
Add setOrchestratorMetadata to populate orchestrator.* fields
Apr 28, 2021
778f40f
Correct setOrchestratorMetadata
Apr 28, 2021
912ef55
Improve parsing to populate orchestrator.* fields
Apr 29, 2021
e448521
add changelog
Apr 29, 2021
287ef13
Merge remote-tracking branch 'upstream/master'
Apr 29, 2021
65ce406
Merge remote-tracking branch 'upstream/master'
Jun 1, 2021
14ed118
Bump ECS version to 1.10
Jun 1, 2021
ecafd87
Add generated data based on sample logs
Jun 1, 2021
ceeee69
Correct CHANGELOG.next.asciidoc
Jun 1, 2021
09e5aa0
Correct CHANGELOG.next.asciidoc
Jun 1, 2021
9b88e3d
Correct CHANGELOG.next.asciidoc
Jun 1, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions x-pack/filebeat/module/gcp/audit/config/pipeline.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,35 @@ function Audit(keep_original_message) {
fail_on_error: false,
});

var setOrchestratorMetadata = function(evt) {
if (evt.Get("json.resource.type") === "k8s_cluster") {
evt.Put("orchestrator.type", "kubernetes");
// Dissect to extract the api_version
var dissect_processor = new processor.Dissect({
"tokenizer": "%{}/%{orchestrator.api_version}/%{}",
TonioRyo marked this conversation as resolved.
Show resolved Hide resolved
"field": "json.protoPayload.resourceName",
"target_prefix": "",
}).Run(evt);

var convert_processor = new processor.Convert({
fields: [
{
from: "json.resource.labels.cluster_name",
to: "orchestrator.cluster.name",
type: "string"
},
{
from: "json.protoPayload.resourceName",
TonioRyo marked this conversation as resolved.
Show resolved Hide resolved
to: "orchestrator.resource.type",
type: "string"
}
],
ignore_missing: true,
fail_on_error: false,
}).Run(evt);
}
};

// The log includes a protoPayload field.
// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
var convertLogEntry = new processor.Convert({
Expand Down Expand Up @@ -290,6 +319,7 @@ function Audit(keep_original_message) {
.Add(dropPubSubFields)
.Add(saveMetadata)
.Add(setCloudMetadata)
.Add(setOrchestratorMetadata)
.Add(convertLogEntry)
.Add(convertProtoPayload)
.Add(copyFields)
Expand Down