Traefik module for Filebeat is not working as expected #6111

Closed
e8kor opened this issue Jan 19, 2018 · 5 comments
Labels: Filebeat, Filebeat module, Team:Integrations


e8kor commented Jan 19, 2018

Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.

For confirmed bugs, please report:

Traefik access log example:

```
94.254.131.115 - - [19/Jan/2018:10:01:02 +0000] "GET /assets/52f8f2e711d235d76044799e/owners?oauth_token=ya29.GltABOXd_gtG-XVvYX2YhxXJiXVvbHRMXn9fbzc_mDfl2rDhqK0CrAlwuwwRWnNnEaMDwkmyI7-QGbRSB0Hzje2cc__FjTQ1iuiYTSIBaIPfxSWip5jx6zqvsVVo HTTP/1.1" 200 85 - "Android" 623112 "Host-api-wearerealitygames-com-2" "http://172.25.0.9:4140" 13ms
89.64.35.193 - - [19/Jan/2018:10:01:02 +0000] "GET /marketplace/tax?oauth_token=ya29.Gl0fBWnrJ7DcEU-tN-O3Vxn2XZVaz2I-hFTjP1JQzhYFVT-SKtlmo9hSzrx3n82LUwUxJ1s5lmU8U3Mc9gA_aCxBk49ShYEwvmYOWxJJyldDIJ7hY4us4LoiSY1OqAM HTTP/1.1" 200 150 - "Android" 623114 "Host-api-wearerealitygames-com-2" "http://172.25.0.6:4140" 8ms
```

Grok pattern:
link: https://github.com/elastic/beats/blob/master/filebeat/module/traefik/access/ingest/pipeline.json#L7
pattern:
```
%{IPORHOST:traefik.access.remote_ip} - %{DATA:traefik.access.user_name} \[%{HTTPDATE:traefik.access.time}\] "%{WORD:traefik.access.method} %{DATA:traefik.access.url} HTTP%{NUMBER:traefik.access.http_version}" %{NUMBER:traefik.access.response_code} (?:%{NUMBER:traefik.access.body_sent.bytes}|-)( "%{DATA:traefik.access.referrer}")?( "%{DATA:traefik.access.agent}")?(?:%{NUMBER:traefik.access.request_count}|-)?( "%{DATA:traefik.access.frontend_name}")?( "%{DATA:traefik.access.backend_url}")?
```

Result:
error: field [agent] not present as part of path [traefik.access.agent]

From what I understand, the current pattern is not working properly: it's not parsing data since the user_agent field.

Here is an example of a pattern that works for me:
initial (pattern for support of old version of traefik):
```
%{IPORHOST:traefik.access.remote_ip} - (?:-|"%{DATA:traefik.access.user_name}") \[%{HTTPDATE:traefik.access.time}\] "%{WORD:traefik.access.method} %{DATA:traefik.access.url} HTTP/%{NUMBER:traefik.access.http_version}" (?:-|%{NUMBER:traefik.access.response_code:int}) (?:-|%{NUMBER:traefik.access.body_sent.bytes:int}) "(?:-|%{DATA:traefik.access.referrer})" "(?:-|%{DATA:traefik.access.agent})" (?:-|%{NUMBER:traefik.access.request_count:int}) (?:-|"%{DATA:traefik.access.frontend_name}") (?:-|"%{DATA:traefik.access.backend_url}") %{NUMBER:traefik.access.duration:int}ms
```
fallback (pattern for support of new version of traefik):
```
%{IPORHOST:traefik.access.remote_ip} - (?:-|"%{DATA:traefik.access.user_name}") \[%{HTTPDATE:traefik.access.time}\] "%{WORD:traefik.access.method} %{DATA:traefik.access.url} HTTP/%{NUMBER:traefik.access.http_version}" (?:-|%{NUMBER:traefik.access.response_code:int}) (?:-|%{NUMBER:traefik.access.body_sent.bytes:int}) (?:-|"%{DATA:traefik.access.referrer}") (?:-|"%{DATA:traefik.access.agent}") (?:-|%{NUMBER:traefik.access.request_count:int}) (?:-|"%{DATA:traefik.access.frontend_name}") (?:-|"%{DATA:traefik.access.backend_url}") %{NUMBER:traefik.access.duration:int}ms
```

patterns are based on: https://github.com/containous/traefik/blob/5140bbe99a79b45f98c27fbb8e9b6833194af4cb/middlewares/accesslog/logger_formatters.go

related discussion: https://discuss.elastic.co/t/traefik-module-for-filbeat-dont-parse-traefik-logs/116170/3

Pipeline that works for me

pipeline.json
```json
{
  "description": "Pipeline for parsing Traefik access logs. Requires the geoip and user_agent plugins.",
  "processors": [{
    "grok": {
      "field": "message",
      "patterns":[
        "%{IPORHOST:traefik.access.remote_ip} - (?:-|\"%{DATA:traefik.access.user_name}\") \\[%{HTTPDATE:traefik.access.time}\\] \"%{WORD:traefik.access.method} %{DATA:traefik.access.url} HTTP/%{NUMBER:traefik.access.http_version}\" (?:-|%{NUMBER:traefik.access.response_code:int}) (?:-|%{NUMBER:traefik.access.body_sent.bytes:int}) \"(?:-|%{DATA:traefik.access.referrer})\" \"(?:-|%{DATA:traefik.access.agent})\" (?:-|%{NUMBER:traefik.access.request_count:int}) (?:-|\"%{DATA:traefik.access.frontend_name}\") (?:-|\"%{DATA:traefik.access.backend_url}\") %{NUMBER:traefik.access.duration:int}ms",
        "%{IPORHOST:traefik.access.remote_ip} - (?:-|\"%{DATA:traefik.access.user_name}\") \\[%{HTTPDATE:traefik.access.time}\\] \"%{WORD:traefik.access.method} %{DATA:traefik.access.url} HTTP/%{NUMBER:traefik.access.http_version}\" (?:-|%{NUMBER:traefik.access.response_code:int}) (?:-|%{NUMBER:traefik.access.body_sent.bytes:int}) (?:-|\"%{DATA:traefik.access.referrer}\") (?:-|\"%{DATA:traefik.access.agent}\") (?:-|%{NUMBER:traefik.access.request_count:int}) (?:-|\"%{DATA:traefik.access.frontend_name}\") (?:-|\"%{DATA:traefik.access.backend_url}\") %{NUMBER:traefik.access.duration:int}ms"
      ],
      "ignore_missing": true
    }
  },{
    "remove":{
      "field": "message",
      "ignore_failure": true
    }
  }, {
    "rename": {
      "field": "@timestamp",
      "target_field": "read_timestamp"
    }
  }, {
    "date": {
      "field": "traefik.access.time",
      "target_field": "@timestamp",
      "formats": ["dd/MMM/YYYY:H:m:s Z"]
    }
  }, {
    "remove": {
      "field": "traefik.access.time",
      "ignore_failure": true
    }
  }, {
    "user_agent": {
      "field": "traefik.access.agent",
      "target_field": "traefik.access.user_agent",
      "ignore_failure": true
    }
  }, {
    "remove": {
      "field": "traefik.access.agent",
      "ignore_failure": true
    }
  }, {
    "geoip": {
      "field": "traefik.access.remote_ip",
      "target_field": "traefik.access.geoip"
    }
  }],
  "on_failure" : [{
    "set" : {
      "field" : "error.message",
      "value" : "{{ _ingest.on_failure_message }}"
    }
  }]
}
```
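
Added example (not part of the original issue or the Beats code base): a Python approximation of the grok matching discussed above, run on a constructed log line shaped like the samples in the issue. It shows the module pattern matching while leaving `agent` uncaptured, which is consistent with the reported error, and the initial/fallback pattern list capturing every field. Assumptions: the macro regexes are simplified stand-ins, field names drop the `traefik.access.` prefix, and the module pattern is taken with `HTTP/` as in the working patterns.

```python
import re

# Simplified stand-ins for the grok macros used in this issue (approximations).
MACROS = {"IPORHOST": r"\S+", "DATA": r".*?", "HTTPDATE": r"[^\]]+",
          "WORD": r"\w+", "NUMBER": r"[+-]?\d+(?:\.\d+)?"}

def to_regex(pattern):
    """Expand %{MACRO:field[:type]} into a Python named group ('.' becomes '_')."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2).replace(".", "_"), MACROS[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):([\w.]+)(?::\w+)?\}", expand, pattern))

def grok(patterns, line):
    """Mimic a grok processor: unanchored search, first matching pattern wins."""
    for pattern in patterns:
        m = to_regex(pattern).search(line)
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return None  # no pattern matched

# Module pattern quoted in the issue; field names shown without "traefik.access."
# and "HTTP/" assumed (as in the working patterns).
ORIGINAL = (r'%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] '
            r'"%{WORD:method} %{DATA:url} HTTP/%{NUMBER:http_version}" '
            r'%{NUMBER:response_code} (?:%{NUMBER:body_sent.bytes}|-)'
            r'( "%{DATA:referrer}")?( "%{DATA:agent}")?(?:%{NUMBER:request_count}|-)?'
            r'( "%{DATA:frontend_name}")?( "%{DATA:backend_url}")?')

# The two working patterns differ only in how referrer and agent are quoted.
HEAD = (r'%{IPORHOST:remote_ip} - (?:-|"%{DATA:user_name}") \[%{HTTPDATE:time}\] '
        r'"%{WORD:method} %{DATA:url} HTTP/%{NUMBER:http_version}" '
        r'(?:-|%{NUMBER:response_code:int}) (?:-|%{NUMBER:body_sent.bytes:int}) ')
TAIL = (r' (?:-|%{NUMBER:request_count:int}) (?:-|"%{DATA:frontend_name}") '
        r'(?:-|"%{DATA:backend_url}") %{NUMBER:duration:int}ms')
INITIAL = HEAD + r'"(?:-|%{DATA:referrer})" "(?:-|%{DATA:agent})"' + TAIL
FALLBACK = HEAD + r'(?:-|"%{DATA:referrer}") (?:-|"%{DATA:agent}")' + TAIL

# Constructed sample line: bare "-" referrer, quoted agent, trailing duration.
SAMPLE = ('203.0.113.7 - - [19/Jan/2018:10:01:02 +0000] "GET /marketplace/tax HTTP/1.1" '
          '200 150 - "Android" 623114 "Host-api-example-com-2" '
          '"http://172.25.0.6:4140" 8ms')

if __name__ == "__main__":
    print("module pattern  :", grok([ORIGINAL], SAMPLE))            # matches, no agent
    print("initial only    :", grok([INITIAL], SAMPLE))             # no match
    print("initial+fallback:", grok([INITIAL, FALLBACK], SAMPLE))   # all fields
```

Because the module pattern's trailing groups are all optional and the search is unanchored, a line with a bare `-` referrer still counts as a match and everything after the byte count is silently dropped.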

ruflin commented Jan 21, 2018

@e8kor Which version of Traefik are you using? Can you open a PR with the change so we support both options?


e8kor commented Jan 22, 2018

Hi, I'm using 1.4.6 and I believe that they will fix logging in 1.5.0. Pull request is coming.

@alastairs

I came across this issue after hitting an error running filebeat with the traefik module against traefik 1.6 on Kubernetes:

field [traefik] not present as part of path [traefik.access.message]

Is the traefik module currently broken? I see the PR is somewhat stalled; is there anything I can do to help it along?


ruflin commented Oct 15, 2018

Seems like we have 2 open PR's which could be related to this:

We should push these forward to make it into the code.

ruflin added the Team:Integrations label Nov 27, 2018
sayden added a commit that referenced this issue Dec 6, 2018
…g Format (#8768)

* Added support for Common Log Format and Combined Log Format in Traefik which is the default format until now.
* Added more log lines, including one in Common Log Format
* Added user_identifier field which was hardcoded to '-' before
* Added log test inputs where the user_name and user_identifier were set and not set.
* Added duration field which was missing
* Numeric fields added as string have been converted to long
* Added request count field
* Added two log lines more that covers issue #6111
* Make bytes_sent field of type long. Most Grok expressions are optional now
* Added CHANGELOG entry
sayden added a commit to sayden/beats that referenced this issue Dec 6, 2018
…g Format (elastic#8768)

(cherry picked from commit 0e9054c)
sayden added a commit that referenced this issue Dec 7, 2018
…xed Common and Combined Log Format (#9419)

* Update Filebeat Traefik module to handle mixed Common and Combined Log Format (#8768)

(cherry picked from commit 0e9054c)

* Updated fields.go file
* Upload pre-ECS generated JSON expected file which differs from master

sayden commented Dec 7, 2018

Fixed in #8768

@sayden sayden closed this as completed Dec 7, 2018
sayden added a commit to sayden/beats that referenced this issue Dec 7, 2018
…g Format (elastic#8768)

(cherry picked from commit 0e9054c)

fields.go file is updated and pre-ECS generated JSON expected file which differs from master is used

# Conflicts:
#	filebeat/include/fields.go
#	filebeat/module/traefik/access/test/test.log-expected.json
sayden added a commit that referenced this issue Dec 10, 2018
…xed Common and Combined Log Format (#9439)

* Update Filebeat Traefik module to handle mixed Common and Combined Log Format (#8768)

(cherry picked from commit 0e9054c)

fields.go file is updated and pre-ECS generated JSON expected file which differs from master is used

# Conflicts:
#	filebeat/include/fields.go
#	filebeat/module/traefik/access/test/test.log-expected.json
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…ndle mixed Common and Combined Log Format (elastic#9439)

* Update Filebeat Traefik module to handle mixed Common and Combined Log Format (elastic#8768)

(cherry picked from commit 5db2afb)

fields.go file is updated and pre-ECS generated JSON expected file which differs from master is used

# Conflicts:
#	filebeat/include/fields.go
#	filebeat/module/traefik/access/test/test.log-expected.json