Filebeat Cloudtrail metricset breaks and stops returning "s3 log info" when upgrading past 7.9.1

I was attempting to upgrade filebeat to the latest release from 7.9.0, but am unable to get any version past 7.9.1 to work.

Starting with 7.9.2, debug shows filebeat receiving the SQS message, but it doesn't return any "s3 log info". It then deletes the SQS message.

2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:241    Processing 3 messages
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:261    handleSQSMessage succeed and returned 0 sets of S3 log info
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:261    handleSQSMessage succeed and returned 0 sets of S3 log info
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:261    handleSQSMessage succeed and returned 0 sets of S3 log info
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:270    handleS3Objects succeed
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:270    handleS3Objects succeed
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:291    Deleting message from SQS: 0xc0002d6e00
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:291    Deleting message from SQS: 0xc0002d6e00
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:291    Deleting message from SQS: 0xc0002d6fb0
2021-01-16T00:05:08.828Z    DEBUG    [s3]    s3/input.go:291    Deleting message from SQS: 0xc0002d6ef0

With 7.9.1, it properly breaks down the message and publishes the event:

2021-01-16T00:14:30.424Z    DEBUG    [processors]    processing/processors.go:187    Publish event: {
  "@timestamp": "2021-01-16T00:14:30.424Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.9.1",
    "_id": "4d35b4e3d4-000000017417",
    "pipeline": "filebeat-7.9.1-aws-cloudtrail-pipeline"
  },

Just to be sure - could you check and post the body of such an SQS message? I wonder if they are correct.

The messages appear to be formatted correctly. Since it is working fine in 7.9.1, it seems unlikely to me that the logs themselves are to blame. The only change being made is to the version of Filebeat.

{
  "Records": [
    {
      "eventVersion": "2.1",
      "eventSource": "aws:s3",
      "awsRegion": "us-east-2",
      "eventTime": "2021-01-19T00:14:00.509Z",
      "eventName": "ObjectCreated:Put",
      "userIdentity": {
        "principalId": ":regionalDeliverySession"
      },
      "requestParameters": {
        "sourceIPAddress": ""
      },
      "responseElements": {
        "x-amz-request-id": "",
        "x-amz-id-2": "+/NbEuu/v6dlVP1Yd8"
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "",
        "bucket": {
          "name": "-cloudtrail-logs",
          "ownerIdentity": {
            "principalId": ""
          },
          "arn": "arn:aws:s3:::-cloudtrail--logs"
        },
        "object": {
          "key": "AWSLogs///CloudTrail/us-east-1/2021/01/19/_CloudTrail_us-east-.json.gz",
          "size": 5834,
          "eTag": "",
          "sequencer": ""
        }
      }
    }
  ]
}
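As an added example (not code from the thread or from Filebeat), the checks below show what an S3 event-notification consumer has to get right before it can return any "S3 log info" from an SQS body like the one above: a `Records` array, `eventSource` of `aws:s3`, an `ObjectCreated:*` event name, and a bucket name plus a URL-decoded object key. The sample body is constructed to mirror the redacted message, with a placeholder account id and bucket name; the field checks are my own reading of the notification format, not Filebeat's source.

```python
import json
from urllib.parse import unquote_plus

# Constructed sample modelled on the redacted SQS body in the thread (placeholder values)
SAMPLE_BODY = json.dumps({
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "us-east-2",
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": "example-cloudtrail-logs"},
            "object": {
                # S3 URL-encodes keys in notifications; '+' here stands for a space
                "key": "AWSLogs/123456789012/CloudTrail/us-east-1/2021/01/19/"
                       "example+trail_CloudTrail_us-east-1.json.gz",
                "size": 5834,
            },
        },
    }]
})


def extract_s3_objects(body: str):
    """Return (objects, problems). objects are (bucket, key) pairs a consumer
    would fetch; problems explain why a record produced no S3 object."""
    problems = []
    try:
        msg = json.loads(body)
    except json.JSONDecodeError as exc:
        return [], [f"body is not JSON: {exc}"]
    records = msg.get("Records") if isinstance(msg, dict) else None
    if not isinstance(records, list):
        return [], ["no 'Records' array: not an S3 event notification"]
    objects = []
    for i, rec in enumerate(records):
        if rec.get("eventSource") != "aws:s3":
            problems.append(f"record {i}: eventSource {rec.get('eventSource')!r} is not 'aws:s3'")
            continue
        if not str(rec.get("eventName", "")).startswith("ObjectCreated:"):
            problems.append(f"record {i}: eventName {rec.get('eventName')!r} is not ObjectCreated:*")
            continue
        s3 = rec.get("s3") or {}
        bucket = (s3.get("bucket") or {}).get("name")
        key = (s3.get("object") or {}).get("key")
        if not bucket or not key:
            problems.append(f"record {i}: missing s3.bucket.name or s3.object.key")
            continue
        # Decode the key the way S3 encoded it, otherwise GetObject would target a wrong path
        objects.append((bucket, unquote_plus(key)))
    return objects, problems
```

Feeding the real SQS bodies from the queue through `extract_s3_objects` tells you whether the zero-result behaviour is explained by the message contents or has to come from the consumer itself.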
