Cherry-pick #9797 to 6.6: Allow users to convert timezone in logstash…

… module filesets (#10407)

Cherry-pick of PR #9797 to 6.6 branch. Original message: 

This PR updates the following filesets in the `logstash` Filebeat module to accept a `var.convert_timezone` configuration setting:

* [x] log
* [x] slowlog

Fixes partially #9756. Related: #9761

CHANGELOG.next.asciidoc

@@ -37,6 +37,7 @@ https://github.com/elastic/beats/compare/1035569addc4a3b29ffa14f8a08c27c1ace16ef
 *Filebeat*
 
 - Fix bad bytes count in `docker` input when filtering by stream. {pull}10211[10211]
+- Add `convert_timezone` option to Logstash module to convert dates to UTC. {issue}9756[9756] {pull}9797[9797]
 
 *Heartbeat*
 

filebeat/module/logstash/_meta/config.yml

@@ -7,9 +7,15 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   # Slow logs
   slowlog:
    enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
+
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false

filebeat/module/logstash/log/config/log.yml

@@ -8,3 +8,8 @@ multiline:
   pattern: ^\[[0-9]{4}-[0-9]{2}-[0-9]{2}
   negate: true
   match: after
+
+{{ if .convert_timezone }}
+processors:
+- add_locale: ~
+{{ end }}

filebeat/module/logstash/log/ingest/pipeline-plain.json

@@ -34,9 +34,19 @@
             }
         },
         {
-            "rename": {
+            "date": {
                 "field": "logstash.log.timestamp",
-                "target_field": "@timestamp"
+                "target_field": "@timestamp",
+                "formats": [
+                  "ISO8601"
+              ],
+              {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+              "ignore_failure": true
+            }
+        },
+        {
+            "remove": {
+                "field": "logstash.log.timestamp"
             }
         }
     ]

filebeat/module/logstash/log/manifest.yml

@@ -8,6 +8,13 @@ var:
       - /var/log/logstash/logstash-{{.format}}*.log
     os.windows:
       - c:/programdata/logstash/logs/logstash-{{.format}}*.log
+  - name: convert_timezone
+    default: false
+    # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+    # pipeline
+    min_elasticsearch_version:
+      version: 6.1.0
+      value: false
 
 ingest_pipeline: ingest/pipeline-{{.format}}.json
 input: config/log.yml

filebeat/module/logstash/log/test/logstash-plain.log-expected.json

@@ -1,6 +1,6 @@
 [
     {
-        "@timestamp": "2017-10-23T14:20:12,046", 
+        "@timestamp": "2017-10-23T14:20:12.046Z", 
         "event.dataset": "logstash.log", 
         "fileset.module": "logstash", 
         "fileset.name": "log", 
@@ -12,7 +12,7 @@
         "prospector.type": "log"
     }, 
     {
-        "@timestamp": "2017-11-20T03:55:00,318", 
+        "@timestamp": "2017-11-20T03:55:00.318Z", 
         "event.dataset": "logstash.log", 
         "fileset.module": "logstash", 
         "fileset.name": "log", 

filebeat/module/logstash/slowlog/config/slowlog.yml

@@ -4,3 +4,8 @@ paths:
  - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+
+{{ if .convert_timezone }}
+processors:
+- add_locale: ~
+{{ end }}

filebeat/module/logstash/slowlog/ingest/pipeline-plain.json

@@ -49,9 +49,19 @@
             }
         },
         {
-            "rename": {
+            "date": {
                 "field": "logstash.slowlog.timestamp",
-                "target_field": "@timestamp"
+                "target_field": "@timestamp",
+                "formats": [
+                  "ISO8601"
+              ],
+              {< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
+              "ignore_failure": true
+            }
+        },
+        {
+            "remove": {
+                "field": "logstash.slowlog.timestamp"
             }
         },
         {

filebeat/module/logstash/slowlog/manifest.yml

@@ -8,6 +8,13 @@ var:
       - /var/log/logstash/logstash-slowlog-{{.format}}*.log
     os.windows:
       - c:/programdata/logstash/logs/logstash-slowlog-{{.format}}*.log
+  - name: convert_timezone
+    default: false
+    # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+    # pipeline
+    min_elasticsearch_version:
+      version: 6.1.0
+      value: false
 
 ingest_pipeline: ingest/pipeline-{{.format}}.json
 input: config/slowlog.yml

filebeat/module/logstash/slowlog/test/slowlog-plain.log-expected.json

@@ -1,6 +1,6 @@
 [
     {
-        "@timestamp": "2017-10-30T09:57:58,243", 
+        "@timestamp": "2017-10-30T09:57:58.243Z", 
         "event.dataset": "logstash.slowlog", 
         "fileset.module": "logstash", 
         "fileset.name": "slowlog", 

filebeat/modules.d/logstash.yml.disabled

@@ -7,9 +7,15 @@
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false
+
   # Slow logs
   slowlog:
    enabled: true
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
+
+    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
+    #var.convert_timezone: false