Convert Filebeat haproxy.log to ECS #9117
ruflin left a comment
Don't forget the ecs-migration.yml file.
So this assumes in some cases this is actually not an IP?
In HAProxy's case, they're too performance-conscious for this to be a name resolved from a reverse DNS query. However this can be populated with text if the connection is coming from a Unix socket LOL
Unix socket info seems to be one more new twist on the IP field :-(
ced3c6f to 9a471e9
@ruflin Ready for review. Make sure to check out caveats.

For the Caveats:

@ruflin Looking at the test data we have, I would not use

@webmat SGTM. I assume the only thing holding this one back from merging is field aliases?

@ruflin Yes, aliases are the only thing missing. Before I go ahead and add them here, can you check out this comment: #9135 (comment)? I've tried creating aliases, and there are issues.

@webmat I assume our offline conversation resolved this. Let me know when this one is ready for another round.
9a471e9 to d056683
|
This PR is ready for final review. Note that on top of ECS migration, now pid and port fields are cast to int in event body (they were strings). |
- haproxy.client.port => source.port
- haproxy.process_name => process.name
- haproxy.pid => process.pid
- haproxy.destination.ip => destination.ip
- haproxy.destination.port => destination.port

Add grok to conditionally extract `haproxy.client.ip` to `source.ip` (if an IP), or to `source.domain` otherwise.
d8907e9 to d1c9830
Caveats
- `haproxy.client.ip` is not renamed. If it's an IP, it's copied to `source.ip`, otherwise copied to `source.domain`.
- `haproxy.source` is the source's hostname, but Filebeat is already populating `host.hostname`, so leaving as `haproxy.source`. This PR does not change this fact, as it's a translation to ECS, not general improvements.
Renames
TODO
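
The renames, int casts and conditional `haproxy.client.ip` copy discussed in this PR, modeled in Python as an added example; it is not code from the PR, which does the conditional step with grok. The function names, the flat-dictionary event shape and the sample values (including the `unix:1` socket text) are assumptions made for illustration.

```python
import ipaddress

# Renames listed in the PR's commit message (old key -> ECS key).
RENAMES = {
    "haproxy.client.port": "source.port",
    "haproxy.process_name": "process.name",
    "haproxy.pid": "process.pid",
    "haproxy.destination.ip": "destination.ip",
    "haproxy.destination.port": "destination.port",
}
# Fields the PR says are now cast from string to int.
INT_FIELDS = {"source.port", "destination.port", "process.pid"}


def is_ip(value):
    """True only for a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def to_ecs(event):
    """Return a copy of a flat haproxy event with the ECS fields applied."""
    out = dict(event)
    for old, new in RENAMES.items():
        if old in out:
            value = out.pop(old)
            out[new] = int(value) if new in INT_FIELDS else value
    # haproxy.client.ip is kept (not renamed) and copied by type, so text
    # such as a Unix socket marker never lands in the ip-typed source.ip.
    client = out.get("haproxy.client.ip")
    if client is not None:
        out["source.ip" if is_ip(client) else "source.domain"] = client
    return out


# Constructed sample events, not taken from the PR's test data.
TCP_EVENT = {"haproxy.client.ip": "192.0.2.10", "haproxy.client.port": "40962",
             "haproxy.process_name": "haproxy", "haproxy.pid": "1234"}
SOCKET_EVENT = {"haproxy.client.ip": "unix:1", "haproxy.pid": "1234"}

if __name__ == "__main__":
    for sample in (TCP_EVENT, SOCKET_EVENT):
        print(to_ecs(sample))
```

Queries and detections that filter on `source.ip` will not see socket-originated connections, so match on `source.domain` or `haproxy.client.ip` when those matter.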