[Filebeat] Convert logstash logEvent.action objects to strings (#23944)

andrewkroh · web-flow · commit 0d4109da65b2 · 2021-02-16T09:37:28.000-05:00
To prevent index failures resulting from indexing a mix of strings and nested objects as logstash.log.log_event.action, this converts any objects to a stringified version of the object using painless toString(). Fixes #20709
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -380,6 +380,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Use rfc6587 framing for fortinet firewall and clientendpoint filesets when transferring over tcp. {pull}23837[23837]
 - Fix httpjson input logging so it doesn't conflict with ECS. {pull}23972[23972]
 - Fix Okta default date formatting. {issue}24018[24018] {pull}24025[24025]
+- Fix Logstash module handling of logstash.log.log_event.action field. {issue}20709[20709]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -86605,6 +86605,13 @@ type: object
 
 --
 
+*`logstash.log.log_event.action`*::
++
+--
+type: keyword
+
+--
+
 *`logstash.log.pipeline_id`*::
 +
 --
diff --git a/filebeat/module/logstash/fields.go b/filebeat/module/logstash/fields.go
diff --git a/filebeat/module/logstash/log/_meta/fields.yml b/filebeat/module/logstash/log/_meta/fields.yml
@@ -19,6 +19,8 @@
       type: object
       description: >
         key and value debugging information.
+    - name: log_event.action
+      type: keyword
     - name: pipeline_id
       type: keyword
       example: main
diff --git a/filebeat/module/logstash/log/ingest/pipeline-json.yml b/filebeat/module/logstash/log/ingest/pipeline-json.yml
@@ -31,6 +31,16 @@ processors:
 - rename:
     field: logstash.log.level
     target_field: log.level
+- script:
+    description: Convert logstash.log.log_event.action elements to string.
+    if: ctx?.logstash?.log?.log_event?.action instanceof List
+    lang: painless
+    source: |
+      def items = [];
+      ctx.logstash.log.log_event.action.forEach(v -> {
+          items.add(v.toString());
+      });
+      ctx.logstash.log.log_event.action = items;
 - set:
     field: event.kind
     value: event
diff --git a/filebeat/module/logstash/log/test/logstash-json.log b/filebeat/module/logstash/log/test/logstash-json.log
@@ -1,3 +1,4 @@
 {"level":"INFO","loggerName":"logstash.agent","timeMillis":1546896321871,"thread":"Ruby-0-Thread-1: /Users/mat/work/elastic/releases/6.5.1/logstash/lib/bootstrap/environment.rb:6","logEvent":{"message":"Pipelines running","count":1,"running_pipelines":[{"metaClass":{"metaClass":{"metaClass":{"running_pipelines":"[:main]","non_running_pipelines":[]}}}}]}}
 {"level":"INFO","loggerName":"logstash.pipeline","timeMillis":1546896322538,"thread":"[main]>worker7","logEvent":{"message":"Pipeline has terminated","pipeline_id":"main","thread":"#<Thread:0x7d16ffef run>"}}
 {"level":"INFO","loggerName":"logstash.agent","timeMillis":1546896322594,"thread":"Api Webserver","logEvent":{"message":"Successfully started Logstash API endpoint","port":9600}}
+{"level":"WARN","loggerName":"logstash.outputs.elasticsearch","timeMillis":1612827484046,"thread":"[foo]>worker1","logEvent":{"message":"Could not index event to Elasticsearch.","status":400,"action":["update",{"_id":"foo-1234abcd-96c6-4828-bcd4-51d33a156431","_index":"filebeat-foo-2021.02","_type":"_doc","retry_on_conflict":1},{"metaClass":{"metaClass":{"metaClass":{"action":"[\"update\", {:_id=>\"foo-1234abcd-96c6-4828-bcd4-51d33a156431\", :_index=>\"filebeat-foo-2021.02\", :routing=>nil, :_type=>\"_doc\", :retry_on_conflict=>1}, #<LogStash::Event:0x51b7cd8e>]","response":{"update":{"_index":"filebeat-foo-2021.02","_type":"_doc","_id":"foo-1234abcd-96c6-4828-bcd4-51d33a156431","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse field [bar] of type [long] in document with id 'foo-1234abcd-96c6-4828-bcd4-51d33a156431'. Preview of field's value: 'ABCDEFGHIJ'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"ABCDEFGHIJ\""}}}}}}}}]}}
diff --git a/filebeat/module/logstash/log/test/logstash-json.log-expected.json b/filebeat/module/logstash/log/test/logstash-json.log-expected.json
@@ -59,5 +59,26 @@
         "logstash.log.thread": "Api Webserver",
         "message": "Successfully started Logstash API endpoint",
         "service.type": "logstash"
+    },
+    {
+        "@timestamp": "2021-02-08T23:38:04.046Z",
+        "event.dataset": "logstash.log",
+        "event.kind": "event",
+        "event.module": "logstash",
+        "event.type": "info",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.level": "WARN",
+        "log.offset": 745,
+        "logstash.log.log_event.action": [
+            "update",
+            "{_index=filebeat-foo-2021.02, _type=_doc, _id=foo-1234abcd-96c6-4828-bcd4-51d33a156431, retry_on_conflict=1}",
+            "{metaClass={metaClass={metaClass={response={update={_index=filebeat-foo-2021.02, _type=_doc, _id=foo-1234abcd-96c6-4828-bcd4-51d33a156431, error={reason=failed to parse field [bar] of type [long] in document with id 'foo-1234abcd-96c6-4828-bcd4-51d33a156431'. Preview of field's value: 'ABCDEFGHIJ', caused_by={reason=For input string: \"ABCDEFGHIJ\", type=illegal_argument_exception}, type=mapper_parsing_exception}, status=400}}, action=[\"update\", {:_id=>\"foo-1234abcd-96c6-4828-bcd4-51d33a156431\", :_index=>\"filebeat-foo-2021.02\", :routing=>nil, :_type=>\"_doc\", :retry_on_conflict=>1}, #<LogStash::Event:0x51b7cd8e>]}}}}"
+        ],
+        "logstash.log.log_event.status": 400,
+        "logstash.log.module": "logstash.outputs.elasticsearch",
+        "logstash.log.thread": "[foo]>worker1",
+        "message": "Could not index event to Elasticsearch.",
+        "service.type": "logstash"
     }
 ]
