[ActiveMq Module] Problem with ingest pipeline

Hey !

Sorry for bothering you.
I'm quite new to using Filebeat but I wanted it to run on a server where ActiveMq is installed.

I then installed Filebeat (6.3.0 OSS) and got the ActiveMq module. When I enable it and launch Filebeat, I get this error:

2020-01-28T17:17:47.976+0100 DEBUG [modules] fileset/pipelines.go:28 Required processors: []
2020-01-28T17:17:47.976+0100 ERROR fileset/factory.go:97 Error loading pipeline: Error getting pipeline for fileset activemq/log: Error JSON decoding the pipeline file: ingest/pipeline.yml: invalid character '#' looking for beginning of value

Which I don't really understand, because the doc says it is possible to have a pipeline in YAML.
And anyway, I tried with a JSON but of course, I got this error:
2020-01-28T17:21:41.392+0100 ERROR fileset/factory.go:97 Error loading pipeline: Error getting pipeline for fileset activemq/log: Error reading pipeline file ingest/pipeline.yml: open /appl/wasbivh1/filebeat/share/module/activemq/log/ingest/pipeline.yml: no such file or directory

Could anyone help me please ?

Regards,

Jeffrey

Hi @geoffreydjof, thanks for reposting it here. Quick question, is there a specific reason why you are using 6.3.0 version of Filebeat? We always recommend users to try the latest version (we have 7.5.2 now) to make sure you get all the features and bug fixes :grimacing:

Also could you copy paste your config file here please? Thanks!!

Hi @Kaiyan_Sheng

I'm using this version of Filebeat because in my company, the ES version which is used is 6.4...

I found a trick which is pretty dirty (and not totally satisfying to be honest, but I can now find my parsed logs in Kibana).

So, as I explained before, the yaml format of the ingest pipeline for ActiveMq module seems to be not recognised :

Error getting pipeline for fileset activemq/log: Error JSON decoding the pipeline file: ingest/pipeline.yml: invalid character '#' looking for beginning of value

So what I did (which as I said is pretty dirty), is to "put" a Json in the file called "pipeline.yml"... And now it works (almost).

So the basic config for pipeline.yml was :
---
description: Pipeline for parsing ActiveMQ logs.
processors:
- grok:
    field: message
    pattern_definitions:
      GREEDYMULTILINE: "(.|\n|\t)*"
      NOPIPEGREEDYDATA: "((?! \|).)*"
      THREAD_NAME: "((?! \n).)*"
    patterns:
    - "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}\|%{SPACE}%{LOGLEVEL:log.level}%{SPACE}\|%{SPACE}%{NOPIPEGREEDYDATA:message}%{SPACE}\|%{SPACE}%{NOPIPEGREEDYDATA:activemq.caller}%{SPACE}\|%{SPACE}%{THREAD_NAME:activemq.thread}%{SPACE}?%{GREEDYMULTILINE:activemq.log.stack_trace}"
    ignore_missing: true
- date:
    if: "ctx.event.timezone == null"
    field: timestamp
    target_field: "@timestamp"
    formats: ["yyyy-MM-dd HH:mm:ss,SSS"]
- date:
    if: "ctx.event.timezone != null"
    field: "timestamp"
    target_field: "@timestamp"
    timezone: "{{ event.timezone }}"
    formats: ["yyyy-MM-dd HH:mm:ss,SSS"]
- remove:
    field:
    - timestamp
on_failure:
- set:
    field: error.message
    value: "{{ _ingest.on_failure_message }}"

And now, this pipeline.yml file is

{
  "description": "Pipeline for parsing ActiveMQ logs.",
  "processors": [
    {
      "grok": {
        "field": "message",
        "pattern_definitions": {
          "GREEDYMULTILINE": "(.|\\n|\\t)*",
          "NOPIPEGREEDYDATA": "((?! \\|).)*",
          "THREAD_NAME": "((?! \n).)*"
        },
        "patterns": [
          "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}\\|%{SPACE}%{LOGLEVEL:log.level}%{SPACE}\\|%{SPACE}%{NOPIPEGREEDYDATA:message}%{SPACE}\\|%{SPACE}%{NOPIPEGREEDYDATA:activemq.caller}%{SPACE}\\|%{SPACE}%{THREAD_NAME:activemq.thread}%{SPACE}?%{GREEDYMULTILINE:activemq.log.stack_trace}"
        ],
        "ignore_missing": true
      }
    },
    {
      "remove": {
        "field": [
          "timestamp"
        ]
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "error.message",
        "value": "{{ _ingest.on_failure_message }}"
      }
    }
  ]
}

But as you can see, some information in the JSON is missing...

Regards.
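
The hand conversion described in the post above, done mechanically so that no processor is dropped along the way. This is an added example, not part of the original post and not Filebeat's own code: the function names are hypothetical, and the embedded YAML is a constructed, shortened copy of the posted pipeline with the regexes single-quoted so the backslashes stay literal.

```ruby
require 'yaml'
require 'json'

# Constructed, shortened copy of the posted pipeline; regexes are single-quoted.
PIPELINE_YAML = <<~'YAML'
  description: Pipeline for parsing ActiveMQ logs.
  processors:
  - grok:
      field: message
      pattern_definitions:
        NOPIPEGREEDYDATA: '((?! \|).)*'
      patterns:
      - '%{TIMESTAMP_ISO8601:timestamp}%{SPACE}\|%{SPACE}%{NOPIPEGREEDYDATA:message}'
      ignore_missing: true
  - date:
      if: "ctx.event.timezone == null"
      field: timestamp
      target_field: "@timestamp"
      formats: ["yyyy-MM-dd HH:mm:ss,SSS"]
  - date:
      if: "ctx.event.timezone != null"
      field: timestamp
      target_field: "@timestamp"
      timezone: "{{ event.timezone }}"
      formats: ["yyyy-MM-dd HH:mm:ss,SSS"]
  - remove:
      field: [timestamp]
  on_failure:
  - set:
      field: error.message
      value: "{{ _ingest.on_failure_message }}"
YAML

# Hypothetical helper: parse the YAML and render the same structure as JSON.
def pipeline_yaml_to_json(yaml_text)
  JSON.pretty_generate(YAML.safe_load(yaml_text))
end

# Processor types in order, for comparing a converted file with its source.
def processor_names(json_text)
  JSON.parse(json_text).fetch('processors').map { |p| p.keys.first }
end

# Zero-based indexes of processors that carry a per-processor `if` condition.
def conditional_processors(json_text)
  procs = JSON.parse(json_text).fetch('processors')
  procs.each_index.select { |i| procs[i].values.first.key?('if') }
end
puts pipeline_yaml_to_json(PIPELINE_YAML) if __FILE__ == $PROGRAM_NAME
```

The processors reported by `conditional_processors` rely on a per-processor `if`, which the target Elasticsearch version has to support before the converted pipeline will load.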

Hello !

Does anyone have an idea?

Thx in advance !
