forked from elastic/beats
1 parent f1fea95, commit 3e69b5a. Showing 18 changed files with 784 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
//// | ||
This file is generated! See scripts/docs_collector.py | ||
//// | ||
|
||
[[filebeat-module-zookeeper]] | ||
:modulename: zookeeper | ||
:has-dashboards: true | ||
|
||
== ZooKeeper module | ||
|
||
The +{modulename}+ module collects and parses the logs created by https://zookeeper.apache.org/[Apache ZooKeeper] | ||
|
||
include::../include/what-happens.asciidoc[] | ||
|
||
include::../include/gs-link.asciidoc[] | ||
|
||
[float] | ||
=== Compatibility | ||
|
||
The +{modulename}+ module was tested with logs from versions 3.7.0. | ||
|
||
include::../include/configuring-intro.asciidoc[] | ||
|
||
The following example shows how to set paths in the +modules.d/{modulename}.yml+ | ||
file to override the default paths for logs: | ||
|
||
[source,yaml] | ||
----- | ||
- module: zookeeper | ||
audit: | ||
enabled: true | ||
var.paths: | ||
- "/path/to/logs/audit.log*" | ||
----- | ||
|
||
|
||
To specify the same settings at the command line, you use: | ||
|
||
[source,yaml] | ||
----- | ||
-M "zookeeper.audit.var.paths=[/path/to/logs/audit.log*]" | ||
----- | ||
|
||
|
||
//set the fileset name used in the included example | ||
:fileset_ex: audit | ||
|
||
include::../include/config-option-intro.asciidoc[] | ||
|
||
[float] | ||
==== `audit` fileset settings | ||
|
||
include::../include/var-paths.asciidoc[] | ||
|
||
include::../include/timezone-support.asciidoc[] | ||
|
||
[float] | ||
=== Example dashboard | ||
|
||
This module comes with a sample dashboard to see ZooKeeper Audit logs. | ||
|
||
[role="screenshot"] | ||
image::./images/filebeat-kafka-logs-overview.png[] | ||
|
||
:has-dashboards!: | ||
|
||
:fileset_ex!: | ||
|
||
:modulename!: | ||
|
||
|
||
[float] | ||
=== Fields | ||
|
||
For a description of each field in the module, see the | ||
<<exported-fields-zookeeper,exported fields>> section. | ||
|
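
Review bot: the "Example dashboard" section embeds `image::./images/filebeat-kafka-logs-overview.png[]`, a Kafka screenshot, directly under the sentence that promises a dashboard for ZooKeeper Audit logs. Point it at a ZooKeeper screenshot shipped with this module, or drop the section and `:has-dashboards: true` until one exists. Because the header says this file is generated by scripts/docs_collector.py, make the change in the module's source asciidoc and regenerate rather than editing this copy.
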
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
- module: zookeeper | ||
# All logs | ||
audit: | ||
enabled: true | ||
|
||
# Set custom paths for the log files. If left empty, | ||
# Filebeat will choose the paths depending on your OS. | ||
#var.paths: |
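
Review bot: the comment `# All logs` above `audit:` does not describe the fileset it labels; the only fileset this module configures is the audit log, so `# Audit logs` would be accurate. A commented example entry under `#var.paths:` (the docs use `"/path/to/logs/audit.log*"`) would also show users the expected list form.
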
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
:modulename: zookeeper | ||
:has-dashboards: true | ||
|
||
== ZooKeeper module | ||
|
||
The +{modulename}+ module collects and parses the logs created by https://zookeeper.apache.org/[Apache ZooKeeper] | ||
|
||
include::../include/what-happens.asciidoc[] | ||
|
||
include::../include/gs-link.asciidoc[] | ||
|
||
[float] | ||
=== Compatibility | ||
|
||
The +{modulename}+ module was tested with logs from versions 3.7.0. | ||
|
||
include::../include/configuring-intro.asciidoc[] | ||
|
||
The following example shows how to set paths in the +modules.d/{modulename}.yml+ | ||
file to override the default paths for logs: | ||
|
||
[source,yaml] | ||
----- | ||
- module: zookeeper | ||
audit: | ||
enabled: true | ||
var.paths: | ||
- "/path/to/logs/audit.log*" | ||
----- | ||
|
||
|
||
To specify the same settings at the command line, you use: | ||
|
||
[source,yaml] | ||
----- | ||
-M "zookeeper.audit.var.paths=[/path/to/logs/audit.log*]" | ||
----- | ||
|
||
|
||
//set the fileset name used in the included example | ||
:fileset_ex: audit | ||
|
||
include::../include/config-option-intro.asciidoc[] | ||
|
||
[float] | ||
==== `audit` fileset settings | ||
|
||
include::../include/var-paths.asciidoc[] | ||
|
||
include::../include/timezone-support.asciidoc[] | ||
|
||
[float] | ||
=== Example dashboard | ||
|
||
This module comes with a sample dashboard to see ZooKeeper Audit logs. | ||
|
||
[role="screenshot"] | ||
image::./images/filebeat-kafka-logs-overview.png[] | ||
|
||
:has-dashboards!: | ||
|
||
:fileset_ex!: | ||
|
||
:modulename!: |
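
Review bot: the intro says the module "collects and parses the logs created by" Apache ZooKeeper, but the only fileset documented and configured here is `audit`, so the sentence overstates coverage; say that it collects the audit logs, and end the sentence with a period. In the Compatibility section, "tested with logs from versions 3.7.0" names a single version, so it should read "version 3.7.0".
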
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
- key: zookeeper | ||
title: "ZooKeeper" | ||
description: > | ||
ZooKeeper Module | ||
fields: | ||
- name: zookeeper | ||
type: group | ||
description: > | ||
fields: |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
- name: audit | ||
type: group | ||
description: > | ||
ZooKeeper Audit logs. | ||
fields: | ||
- name: session | ||
type: keyword | ||
description: > | ||
Client session id | ||
- name: znode | ||
type: keyword | ||
description: > | ||
Path of the znode | ||
- name: znode_type | ||
type: keyword | ||
description: > | ||
Type of znode in case of creation operation | ||
- name: acl | ||
type: keyword | ||
description: > | ||
String representation of znode ACL like cdrwa(create, delete,read, write, admin). This is logged only for setAcl operation | ||
- name: result | ||
type: keyword | ||
description: > | ||
Result of the operation. Possible values are (success/failure/invoked). Result "invoked" is used for serverStop operation because stop is logged before ensuring that server actually stopped. | ||
- name: user | ||
type: keyword | ||
description: > | ||
XX | ||
- name: ip | ||
type: keyword | ||
description: > | ||
XX | ||
- name: operation | ||
type: keyword | ||
description: > | ||
XX |
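
Review bot: the `user`, `ip` and `operation` fields still carry the placeholder description `XX`; these end up in the exported-fields documentation and need real text before merge. The ingest pipeline in this commit renames all three (`zookeeper.audit.user` to `user.id`, `zookeeper.audit.ip` to `client.address`, `zookeeper.audit.operation` to `event.action`), so they will not exist under `zookeeper.audit` in indexed events; either remove them from this file or stop renaming them. Minor: the `acl` description is missing a space in "delete,read".
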
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
type: log | ||
paths: | ||
{{ range $i, $path := .paths }} | ||
- {{$path}} | ||
{{ end }} | ||
exclude_files: [".gz$"] | ||
processors: | ||
- add_locale: ~ | ||
- add_fields: | ||
target: '' | ||
fields: | ||
ecs.version: 1.9.0 |
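
Review bot: in `exclude_files: [".gz$"]` the dot is unescaped, so the pattern matches any character followed by `gz` at the end of the name rather than only a `.gz` suffix; `'\.gz$'` states the intent. The documented path glob is `audit.log*`, so this exclusion is the only thing keeping rotated, compressed files out of the input and is worth making exact.
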
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
description: Pipeline for parsing ZooKeeper audit messages | ||
processors: | ||
- set: | ||
field: event.ingested | ||
value: '{{_ingest.timestamp}}' | ||
- kv: | ||
field: message | ||
field_split: "\\s+" | ||
value_split: "=" | ||
target_field: zookeeper.audit | ||
- rename: | ||
field: message | ||
target_field: log.original | ||
ignore_missing: true | ||
- rename: | ||
field: zookeeper.audit.operation | ||
target_field: event.action | ||
ignore_missing: true | ||
- set: | ||
field: event.outcome | ||
value: "{{zookeeper.audit.result}}" | ||
ignore_empty_value: true | ||
if: '["success","failure"].contains(ctx.zookeeper?.audit?.result)' | ||
- rename: | ||
field: zookeeper.audit.ip | ||
target_field: client.address | ||
ignore_missing: true | ||
- convert: | ||
field: client.address | ||
target_field: client.ip | ||
type: ip | ||
ignore_missing: true | ||
- split: | ||
field: zookeeper.audit.user | ||
separator: "," | ||
ignore_missing: true | ||
- rename: | ||
field: zookeeper.audit.user | ||
target_field: user.id | ||
ignore_missing: true | ||
|
||
on_failure: | ||
- set: | ||
field: error.log | ||
value: '{{ _ingest.on_failure_message }}' |
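
Review bot: the `kv` processor runs over the whole `message` with `field_split: "\\s+"`, and nothing in the pipeline sets `@timestamp`. If the audit line carries a timestamp or log-level prefix, those tokens contain no `=` and `kv` will fail, sending every event to `on_failure`; if it does not, the event time is only the read time, even though the input adds `add_locale` and the docs include timezone-support.asciidoc. Strip the prefix first (grok or dissect), run `kv` on the remainder, and add a `date` processor. Values such as `znode` come from clients, so a value containing whitespace or `=` will be split into extra keys under `zookeeper.audit`; consider `include_keys` limited to the fields declared in fields.yml so a log value cannot add or overwrite audit fields. Two smaller points: the `convert` to `client.ip` has no `ignore_failure` or `on_failure`, so one non-IP value in `ip` fails the whole document, and `on_failure` writes to `error.log`, where `error.message` is the ECS field.
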