[ES output] Correctly log event fields in events log file #40512
Conversation
botelastic
bot
added
the
needs_team
belimawr
added
the
Team:Elastic-Agent-Data-Plane
|
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
botelastic
bot
removed
the
needs_team
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
belimawr
force-pushed
the
decode-event-when-loggin-on-es
branch
from
befcdd4
to
3992b2c
Compare
cmacknz
added
the
backport-8.15
belimawr
changed the title
|
This pull request is now in conflicts. Could you fix it? 🙏 |
The Elasticsearch output, when faced with ingestion errors was logging the raw publisher.Event that had already been encoded, hence no event fields were present in the logs. This commit fixes it by adding a String method to the encodedEvent type and using the encodedEvent in the logs instead of the publisher.Event.
belimawr
force-pushed
the
decode-event-when-loggin-on-es
branch
from
4f44670
to
ff5c4f8
Compare
|
Do we know why the existing event log tests failed to catch this, since they were intended to? |
As you'd suggested, the tests were looking for a substring that is also present in the ES response, it was just the value of the field. Now the new tests look for a piece of the JSON encoding of the fields, which at the time of testing was not part of the ES response, it has to come from the event being logged. |
The Elasticsearch output, when faced with ingestion errors was logging the raw publisher.Event that had already been encoded, hence no event fields were present in the logs. This commit fixes it by adding a String method to the encodedEvent type and using the encodedEvent in the logs instead of the publisher.Event. (cherry picked from commit e7732c6) # Conflicts: # libbeat/outputs/elasticsearch/client.go
…nts log file (#40531) * [ES output] Log event fields in events log file (#40512) The Elasticsearch output, when faced with ingestion errors was logging the raw publisher.Event that had already been encoded, hence no event fields were present in the logs. This commit fixes it by adding a String method to the encodedEvent type and using the encodedEvent in the logs instead of the publisher.Event. (cherry picked from commit e7732c6) # Conflicts: # libbeat/outputs/elasticsearch/client.go * Fix merge conflicts --------- Co-authored-by: Tiago Queiroz <[email protected]>
Proposed commit message
The Elasticsearch output, when faced with ingestion errors was logging the raw publisher.Event that had already been encoded, hence no event fields were present in the logs.
This commit fixes it by adding a String method to the encodedEvent type and using the encodedEvent in the logs instead of the publisher.Event.
Closes: #40509
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Disruptive User Impact
None, it fixes a bug.
## Author's ChecklistHow to test this PR locally
Start Filebeat with the following configuration
Create the log file
/tmp/flog.logwith the following content:Look for the event log file:
logs/filebeat-events-data*.ndjsonand ensure the logged events contains their fields.Here is an example of how the content of the event log file should look like:
{ "log.level": "warn", "@timestamp": "2024-08-13T16:42:09.008-0400", "log.logger": "elasticsearch", "log.origin": { "function": "github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.(*Client).applyItemStatus", "file.name": "elasticsearch/client.go", "file.line": 490 }, "message": "Cannot index event '{\"@timestamp\":\"2024-08-13T20:42:05.928Z\",\"host\":{\"name\":\"millennium-falcon\"},\"agent\":{\"version\":\"8.16.0\",\"ephemeral_id\":\"6d195bff-27a4-40c4-9b3e-c3ecb068f06e\",\"id\":\"6a760df8-a3e6-4369-886a-3f499c792302\",\"name\":\"millennium-falcon\",\"type\":\"filebeat\"},\"log\":{\"file\":{\"device_id\":\"40\",\"inode\":\"51817\",\"path\":\"/tmp/flog.log\"},\"offset\":101},\"string\":10,\"message\":\"index failure\",\"int\":\"not a number\",\"input\":{\"type\":\"filestream\"},\"ecs\":{\"version\":\"8.0.0\"}}\n' (status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:380] failed to parse field [int] of type [long] in document with id 'iVl6TZEBA82tHj8dCPpP'. Preview of field's value: 'not a number'\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"For input string: \\\"not a number\\\"\"}}, dropping event!", "service.name": "filebeat", "log.type": "event", "ecs.version": "1.6.0" } { "log.level": "warn", "@timestamp": "2024-08-13T16:42:09.009-0400", "log.logger": "elasticsearch", "log.origin": { "function": "github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.(*Client).applyItemStatus", "file.name": "elasticsearch/client.go", "file.line": 490 }, "message": "Cannot index event '{\"@timestamp\":\"2024-08-13T20:42:05.928Z\",\"host\":{\"name\":\"millennium-falcon\"},\"agent\":{\"name\":\"millennium-falcon\",\"type\":\"filebeat\",\"version\":\"8.16.0\",\"ephemeral_id\":\"6d195bff-27a4-40c4-9b3e-c3ecb068f06e\",\"id\":\"6a760df8-a3e6-4369-886a-3f499c792302\"},\"ecs\":{\"version\":\"8.0.0\"},\"log\":{\"offset\":162,\"file\":{\"path\":\"/tmp/flog.log\",\"device_id\":\"40\",\"inode\":\"51817\"}},\"message\":\"second index failure\",\"int\":\"not a number\",\"string\":10,\"input\":{\"type\":\"filestream\"}}\n' (status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:401] failed to parse field [int] of type [long] in document with id 'ill6TZEBA82tHj8dCPpP'. Preview of field's value: 'not a number'\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"For input string: \\\"not a number\\\"\"}}, dropping event!", "service.name": "filebeat", "log.type": "event", "ecs.version": "1.6.0" }## Use cases## Screenshots