[Filebeat] Add ZooKeeper Module

[legoguy1000]

What does this PR do?

Adds a new module for ZooKeeper logs.

Why is it important?

Requested by Elastic Cloud team to ingest ZooKeeper logs.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

How to test this PR locally

cd beats/filebeat
TESTING_FILEBEAT_MODULES=zookeeper mage -v pythonIntegTest

Related issues

• Closes Filebeat module for zookeeper logs #25061

Use cases

Screenshots

Logs

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: jsoriano commented: /test

• Start Time: 2021-04-28T13:23:29.428+0000

• Duration: 137 min 56 sec

• Commit: 1b1807f

Test stats 🧪

Test	Results
Failed	0
Passed	13709
Skipped	2285
Total	15994

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	13709
Skipped	2285
Total	15994

[legoguy1000]

@matschaffer any thoughts on if more should be done for this? If not I'll take the PR out of draft.

[matschaffer]

@legoguy1000 I haven't run it and not sure when I'll be able to to give it a proper review (starting on-call tomorrow).

Just reading it through looks good though so taking out of draft gets 👍 from me.

Maybe @jsoriano can help recommend a reviewer. I'll mention it to some other folks to get eyes on it.

[legoguy1000]

Oooh, on-call, been there. Sounds good, I'll take it out of draft. It's an initial release so can always be improved later.

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 25061-zookeeper-module upstream/25061-zookeeper-module
git merge upstream/master
git push upstream 25061-zookeeper-module

[jsoriano]

I will take a look, thanks!

[jsoriano]

/test

[jsoriano]

This is looking great, thanks @legoguy1000 for this!

I have added some suggestions, let me know what you think. Some CI jobs are also complaining about some outdated files, these can be probably solved by running mage update from filebeat and x-pack/filebeat directories and committing the changes.

Other comment I have is that in principle new modules are only added to x-pack/filebeat/module, would you mind to move the module there?

[legoguy1000]

This is looking great, thanks @legoguy1000 for this!

I have added some suggestions, let me know what you think. Some CI jobs are also complaining about some outdated files, these can be probably solved by running mage update from filebeat and x-pack/filebeat directories and committing the changes.

Other comment I have is that in principle new modules are only added to x-pack/filebeat/module, would you mind to move the module there?

I can move it. My thought was zookeeper fit alongside Kafka and apache... more than all the security tools but doesn't matter to me.

[legoguy1000]

PR updated

[legoguy1000]

@jsoriano I've updated the PR to account for timestamps in the logs and set accordingly. If it looks good to you, can u run the tests?

[henrikno]

This is pretty rad! I haven't tested the audit log but the app log seems to work nicely, especially given how non-parseable the logs are. I like that it also captures event.created an ingested so we can detect delays. Thanks for making this.

[henrikno]

Note to future self; this needs 7.13 since it was added recently elastic/elasticsearch#71285

[legoguy1000]

This is pretty rad! I haven't tested the audit log but the app log seems to work nicely, especially given how non-parseable the logs are. I like that it also captures event.created an ingested so we can detect delays. Thanks for making this.

Do u have examples of real audit logs? I just used the example logs from the docs and then had to add additional data to match the log pattern.

[jsoriano]

Thanks! I think this is almost ready to go, added some small comments, but nothing serious.

[jsoriano]

/test

[legoguy1000]

@jsoriano I've update the PR with your comments and added your provided sample logs. I think we should be good to test and if it passes merge.

[legoguy1000]

@jsoriano good to retest.

[jsoriano]

/test

[legoguy1000]

@jsoriano same issue with the @timestamp https://beats-ci.elastic.co/blue/organizations/jenkins/Beats%2Fbeats/detail/PR-25128/20/pipeline/1930#step-2215-log-668. I haven't seen this before. I thought the tests ignore the time fields that change every time.

[legoguy1000]

@jsoriano same issue with the @timestamp https://beats-ci.elastic.co/blue/organizations/jenkins/Beats%2Fbeats/detail/PR-25128/20/pipeline/1930#step-2215-log-668. I haven't seen this before. I thought the tests ignore the time fields that change every time.

I know why. its because the 1 set of example logs that doesn't have an timestamp field to parse so the time changes every time. I'm going to get rid of those since u provided logs from the default pattern and it has a timestamp.

[jsoriano]

Oh, I also thought that tests ignored this field for logs without timestamp, but maybe there are no other cases of that. I am ok in any case with testing only with logs with timestamp as they seem to be the usual default.

[jsoriano]

/test

[legoguy1000]

Oh, I also thought that tests ignored this field for logs without timestamp, but maybe there are no other cases of that. I am ok in any case with testing only with logs with timestamp as they seem to be the usual default.

Ya there's a list in the python script to declare the filesets to ignore because they don't have a timestamp but decided to just remove them for the same reason.

[legoguy1000]

@jsoriano finally passed :)

[jsoriano]

Merged and backport open, this will be likely released in 7.14.0. Thanks @legoguy1000 for the good work here!