Custom log output to Kafka using Elastic Agent

tapiojaa · September 4, 2024, 12:00pm

We have Elasticstack 8.15 in use so that client Filebeat output goes to the Kafka and from there to the Elasticsearch. Filebeat sends different logs to separate Kafka topics. We are using following configuration in "filebeat.yml" (I'll only write lines that are meaningful)

filebeat.inputs: 
- type: filestream
  id: fs1
  enabled: true
  paths:
    - E:/Logs/folder1/*.log
  fields:
    kafka_topic: topic1

- type: filestream
  id: fs2
  enabled: true
  paths:
    - E:/Logs/folder2/*.log
  fields:
    kafka_topic: topic2

output.kafka:
  enabled: true
  topic: '%{[fields.kafka_topic]}'

We'd like to Start using Elastic Agent with Fleet, which is already working, but we have one issue: How to configure Kafka output and dynamic topics? I know that it should be done by adding Custom Logs integration to the Agent policy and the add some code to the "processors"-field. Has someone figured out how this need to be done?

leandrojmp · September 4, 2024, 12:05pm

You can't, Elastic Agent does not support dynamic topics.

leandrojmp · September 4, 2024, 12:16pm

Well, I was wrong, it seems that they added it back.

Support for dynamic topics were removed, but it seems that they reverted this decision and added it back according to this github pull request:

github.com/elastic/beats

[Kafka output] removed regex validation to allow dynamic topic

elastic:main ← juliaElastic:kafka-dynamic-topic

opened 01:00PM - 01 Aug 24 UTC

juliaElastic

+7 -42

## Proposed commit message Removed regex validation to allow dynamic topic. … ## Checklist - [ ] My code follows the style guidelines of this project - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] I have made corresponding change to the default configuration files - [x] I have added tests that prove my fix is effective or that my feature works - [x] I have added an entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`. ## How to test this PR locally - build beats, copy over agentbeat to the elastic-agent build ``` # build beats agentbeat cd ~/beats/x-pack/agentbeat SNAPSHOT=true PLATFORMS="darwin/amd64" mage package # build agent cd ~/elastic-agent DEV=true EXTERNAL=false SNAPSHOT=true PLATFORMS=darwin/amd64 PACKAGES=tar.gz mage -v package # copy agentbeat cp ~/beats/x-pack/agentbeat/build/golang-crossbuild/agentbeat-darwin-amd64 ~/elastic-agent/build/distributions/elastic-agent-8.16.0-SNAPSHOT-darwin-x86_64/data/elastic-agent-3f22cc/components/agentbeat ``` To test with a real kafka server, follow this guide: https://hevodata.com/learn/install-kafka-on-mac/#Step_2_Download_Install_Kafka_on_Mac_Manually_or_via_HomeBrew - downloaded and started zookeeper and kafka server - created a topic `system.cpu` and started the script to consume messages ``` cd ~/Downloads/kafka_2.13-3.8.0 ./bin/zookeeper-server-start.sh config/zookeeper.properties ./bin/kafka-server-start.sh config/server.properties ./bin/kafka-topics.sh --create --bootstrap-server localhost:9092 --replication-factor 1 --partitions 1 --topic system.cpu ./bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic system.cpu ``` - added kafka output by entering host `localhost:9092` and topic `%{[data_stream.dataset]}` - after enrolling the agent, see messages showing up in the kafka consumer - in agent logs, expect no errors <img width="818" alt="image" src="https://github.com/user-attachments/assets/c6b1bd48-b173-4440-92a1-817d0f645603"> <img width="2396" alt="image" src="https://github.com/user-attachments/assets/34766b39-d7ad-4c67-98cb-058393fe8522"> <img width="811" alt="image" src="https://github.com/user-attachments/assets/e64e47f2-bffb-4cfd-8458-b7bfba42bd37"> ## Related issues  - Closes https://github.com/elastic/ingest-dev/issues/3618

According to the linked PR you would need to configure it while configuring the output.

tapiojaa · September 4, 2024, 12:30pm

Yes, I know that they remove that feature and now it's back.

So, if I configure output that way. How should I configure "custom log" integration?

leandrojmp · September 4, 2024, 12:39pm

I do not use this integration, but checking the documentation it seems that you would need to use the add_fields processor.

Something like this:

- add_fields:
    target: fields
    fields:
      kafka_topic: test-vm-esagentsda1

The main difference is that you would need one Custom Log Integration per input in filebeat, so in your example you have 2 inputs, so you would need to add one Custom Log integration for each one of the inputs.

tapiojaa · September 4, 2024, 12:46pm

PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe status
┌─ fleet
│ └─ status: (STARTING)
└─ elastic-agent
├─ status: (DEGRADED) 1 or more components/units in a failed state
└─ log-b2d12f01-f359-45dd-be6c-e67c43b81cc9
├─ status: (HEALTHY) Healthy: communicating with pid '4504'
├─ log-b2d12f01-f359-45dd-be6c-e67c43b81cc9
│ └─ status: (FAILED) could not start output: failed to reload output: topic '%{[fields.kafka_topic]}' is invalid, it must match '[a-zA-Z0-9._-]' accessing 'kafka'
└─ log-b2d12f01-f359-45dd-be6c-e67c43b81cc9-logfile-logs-6f3c2805-c5dd-45dc-944a-d8e101173873
└─ status: (STARTING) Starting

leandrojmp · September 4, 2024, 1:05pm

Yeah, it seems to not be on 8.15.0 yet.

8.15 was released August 8th, and the revert commit was merged on August 14th.

You will probably need to wait for 8.15.1 or maybe even 8.16.

Topic		Replies	Views
Can we set kafka output topic dynamically in filebeat? Beats	7	1343	August 8, 2018
Clarification on Output Supported by Elastic Agents - Is Output to Logstash Supported? Beats elastic-agent	6	552	November 15, 2021
Elastic Agent capability over logstash Elastic Agent	1	206	March 13, 2023
ElasticAgent 8.13 and Kafka Elastic Agent	9	188	May 7, 2024
Send logs on a specify output depending on the paths of the prospectors Beats filebeat	5	1307	January 26, 2017

Custom log output to Kafka using Elastic Agent

Related topics