[Filebeat] Add postgresql csv fileset

[azlev]

As a configuration option, create another pipeline inside the module to
parse CSV log files.

Although it's necessary to configure the database to emit such logs,
there is some advantages: configured properly, some events like
statement timeout and lock timeout will display the query in the
same event, opposed to multiple lines, one with the error message and
other with statement.

What does this PR do?

This PR creates a new fileset/pipeline inside PostgreSQL module. This new fileset parses and create events based on CSV log files from postgresql.

Why is it important?

PostgreSQL logs weren't designed to be parsed, so, without very complicated logic, it's not possible to encapsulate all information in just one event. One example of that is statement timeout:

2021-01-04 02:07:15.470 UTC [13470] [user=postgres,db=postgres,app=[unknown]] ERROR:  canceling statement due to statement timeout
2021-01-04 02:07:15.470 UTC [13470] [user=postgres,db=postgres,app=[unknown]] STATEMENT:  SELECT pg_sleep(100)

Using the CSV log, those 2 lines become 1:

2021-01-04 02:07:15.470 UTC,"postgres","postgres",13470,"127.21.1.7:28182",5ff27834.349e,1,"SELECT",2021-01-04 02:06:44 UTC,16/4181895,0,ERROR,57014,"canceling statement due to statement timeout",,,,,,"SELECT pg_sleep(100)",,,""

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• Documentation

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #23334 updated

• Start Time: 2021-02-17T12:54:54.177+0000

• Duration: 49 min 46 sec

• Commit: a518be6

Test stats 🧪

Test	Results
Failed	0
Passed	13056
Skipped	2215
Total	15271

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	13056
Skipped	2215
Total	15271

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[jsoriano]

Thanks for this contribution, very interesting, and quite complete!

[jsoriano]

jenkins run the tests please

[jsoriano]

jenkins run the tests please

[jsoriano]

By the way, there is another approach to support multiple formats. For example the elasticsearch module contains pipelines for plain and JSON logs, and it chooses automatically which one to use.

Multiple pipelines can be included like this in the fileset manifest:

beats/filebeat/module/elasticsearch/server/manifest.yml

Lines 15 to 18 in 8e8bfc8

	ingest_pipeline:
	- ingest/pipeline.yml
	- ingest/pipeline-plaintext.yml
	- ingest/pipeline-json.yml

The first pipeline is executed when an event is received, in this case pipeline.yml. It contains some common processing for all formats, but in an specific part, it chooses to run one of the other pipelines depending on the format of the message:

beats/filebeat/module/elasticsearch/server/ingest/pipeline.yml

Lines 15 to 20 in 8e8bfc8

	- pipeline:
	if: ctx.first_char != '{'
	name: '{< IngestPipeline "pipeline-plaintext" >}'
	- pipeline:
	if: ctx.first_char == '{'
	name: '{< IngestPipeline "pipeline-json" >}'

This approach is also used in other modules like kibana, logstash, coredns, envoyproxy... you can look for examples that use the IngestPipeline helper in the pipeline.

If we can do something similar for these postgresql logs, we could add a CSV-specific pipeline to the existing log metricset, and we could more easily reuse the common parts of the pipelines, as well as the common fields. And it would be easier for users, as they wouldn't need to configure a different fileset depending on the format.

@azlev what do you think? would it be possible to do it this way in this case?

[azlev]

By the way, there is another approach to support multiple formats. For example the elasticsearch module contains pipelines for plain and JSON logs, and it chooses automatically which one to use.

Multiple pipelines can be included like this in the fileset manifest:

beats/filebeat/module/elasticsearch/server/manifest.yml

Lines 15 to 18 in 8e8bfc8

	ingest_pipeline:
	- ingest/pipeline.yml
	- ingest/pipeline-plaintext.yml
	- ingest/pipeline-json.yml

The first pipeline is executed when an event is received, in this case pipeline.yml. It contains some common processing for all formats, but in an specific part, it chooses to run one of the other pipelines depending on the format of the message:

beats/filebeat/module/elasticsearch/server/ingest/pipeline.yml

Lines 15 to 20 in 8e8bfc8

	- pipeline:
	if: ctx.first_char != '{'
	name: '{< IngestPipeline "pipeline-plaintext" >}'
	- pipeline:
	if: ctx.first_char == '{'
	name: '{< IngestPipeline "pipeline-json" >}'

This approach is also used in other modules like kibana, logstash, coredns, envoyproxy... you can look for examples that use the IngestPipeline helper in the pipeline.

If we can do something similar for these postgresql logs, we could add a CSV-specific pipeline to the existing log metricset, and we could more easily reuse the common parts of the pipelines, as well as the common fields. And it would be easier for users, as they wouldn't need to configure a different fileset depending on the format.

@azlev what do you think? would it be possible to do it this way in this case?

I tried a minimal approach to avoid breaking changes, and I assumed that it would be easier to merge. So now I'll try to do a more integrated code. I'll give a try, but those changes will take a while to implement.

[azlev]

@jsoriano I found 2 ways to choose the ingest pipeline:

• file extension (PostgreSQL always use .csv to those files)
• regular expression like this: ctx =~ /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(.\d{1,3})( \w{3,4}),/

I couldn't find any way to get the file name, and this will break the tests. The regular expression doesn't look as a good idea in a critical path like this, and looks fragile.

Do you have other ideas?

[jsoriano]

@jsoriano I found 2 ways to choose the ingest pipeline:

• file extension (PostgreSQL always use .csv to those files)
• regular expression like this: ctx =~ /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(.\d{1,3})( \w{3,4}),/

I couldn't find any way to get the file name, and this will break the tests. The regular expression doesn't look as a good idea in a critical path like this, and looks fragile.

Do you have other ideas?

@azlev I agree that the simpler we can do the selection, the better, to avoid affecting the critical path.

Checking the file extension could be a good option. File path should be available in log.file.path. You don't see it in tests because it is removed to avoid issues validating the expected events, but at the moment of processing the path should be there.
The problem I see with this approach is that not all inputs collect from files, e.g. the postgresql module could be used with logs collected with syslog, or from s3 buckets. So even if this is more straightforward, it may not work in all cases.

Ideally, the decision of using one or the other pipeline should be based on something available in the message itself, as you are doing with the regular expression.

Other possible approach could be to add a format setting to the fileset, this value could be set in the events with add_fields, so pipelines can decide what to do. But it would be better if the module can do the parsing automatically without depending on user configuration.

Another approach you could try is to parse as grok with the current pipeline, but if grok fails, fallback to the CSV pipeline with on_failure. This can also affect the performance of the pipeline, but maybe you could give it a try if other options are not good enough.

If we are not convinced by any of these approaches I am ok with going back to the approach of using two different filesets.

[azlev]

I've split the grok pipeline in 2 parts: the first one parse the timestamp plus 1 char. This char will be used to choose the correct pipeline: log or csv.

In the process, I deprecated the core_id field since I couldn't find it inside postgresql documentation.

Still, there is some fields that I need work on, the 2 that I'm currently thinking about are error.code and event.type

• The PostgreSQL error code is not a number: https://www.postgresql.org/docs/current/errcodes-appendix.html
• I duplicated event.type in error_severity. I'm checking how to deal with it

[azlev]

@jsoriano I have a question here: https://github.com/elastic/beats/blob/master/filebeat/module/postgresql/log/ingest/pipeline.yml#L40

In the current code, if there is an error, the final event will have: "event.type": ["info", "error"]. Is that right?

[jsoriano]

jenkins run the tests please

[jsoriano]

@azlev I think this is almost ready to merge, I have added some small questions/suggestions, let me know what you think.

[jsoriano]

Query step is captured in postgresql.log.query_step in the plain text pipeline, should it be also captured in this pipeline?

[azlev]

That one I was in doubt. This query_step overlaps with command_tag, but not 100%, so I opted to let it empty since I was creating a new fileset at first. Now that I merged, I can review this. I'll populate it, at least to some backward compatibility.

[jsoriano]

The set processor could be used to add event.type instead of append, so it is not set as an array in the document.

[jsoriano]

jenkins run the tests again please

[jsoriano]

LGTM, let's wait for a green build. Thanks @azlev!

[jsoriano]

jenkins run the tests

[jsoriano]

/test

[jsoriano]

Looks good. Only a couple of small details, sorry I didn't see them before.

[jsoriano]

Please uppercase first letter of sentences in these descriptions.

Suggested change

	description: internal query that led to the error (if any).
	description: >
	Internal query that led to the error (if any).

[jsoriano]

🙂

[azlev]

👀

[jsoriano]

Great 👍

[jsoriano]

Merged and backported to 7.x, this will be hopefuly available in 7.12, thanks @azlev!