Filebeat mongo module, grok pattern is incorrect

cwray · July 6, 2018, 6:00pm

The grok pattern ha an extra escape \ in it in the ingest pip line.

elastic/beats/blob/6f99a9627b07aa4bbf00208bcc46d550cb5d563b/filebeat/module/mongodb/log/ingest/pipeline.json#L7


{
"description": "Pipeline for parsing MongoDB logs",
"processors": [{
  "grok": {
    "field": "message",
    "patterns":[
      "%{TIMESTAMP_ISO8601:mongodb.log.timestamp} %{WORD:mongodb.log.severity} %{WORD:mongodb.log.component}  *\\[%{WORD:mongodb.log.context}\\] %{GREEDYDATA:mongodb.log.message}"
    ],
    "ignore_missing": true
  }
},
{
  "remove": {
    "field": "message"
  }
},
{

should look like this.

%{TIMESTAMP_ISO8601:mongodb.log.timestamp} %{WORD:mongodb.log.severity} %{WORD:mongodb.log.component} *\[%{WORD:mongodb.log.context}\] %{GREEDYDATA:mongodb.log.message}

Currently using.

ubuntu@ubuntu sudo apt list elasticsearch
Listing.
elasticsearch/stable 6.3.1 all [upgradable from: 6.3.0]

ubuntu@ubuntu:~$ sudo apt list filebeat
Listing.
filebeat/stable 6.3.1 amd64 [upgradable from: 6.3.0]

adrisr · July 6, 2018, 8:55pm

With your changes I get

2018-07-06T22:52:24.868+0200 ERROR pipeline/output.go:91 Failed to connect: Connection marked as failed because the onConnect callback failed: Error getting pipeline for fileset mongodb/log: Error JSON decoding the pipeline file: ingest/pipeline.json: invalid character '[' in string escape code

The \\[ escape is used in all the module pipelines, is there because the regular expression is inside a JSON string, so its really read by elasticsearch as \[.

Are you experiencing a problem parsing mongodb logs that got fixed by this change?

cwray · July 9, 2018, 2:52pm

With the Current grok pattern, i'm getting a grok parse error for all logs coming from mongo 3.4. Beats is currently sending the message. But it is erroring out in the ingest pipeline.

error.message:Provided Grok expressions do not match field value: [2018-07-09T14:49:47.006+0000 I - [conn208899] Index Build (background): 250096500/463852976 53%]

This would probably be more proper for the 3 types of logs that get populated into mongo log.
%{TIMESTAMP_ISO8601:mongodb.log.timestamp} %{WORD:mongodb.log.severity} (-|%{WORD:mongodb.log.component}) *\\[%{WORD:mongodb.log.context}\\] %{GREEDYDATA:mongodb.log.message}

cwray · July 10, 2018, 1:47am

Managed to get this all to work by adding one more grok line to the patterns list.

"processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "%{TIMESTAMP_ISO8601:mongodb.log.timestamp} %{WORD:mongodb.log.severity} %{WORD:mongodb.log.component} *\\[%{WORD:mongodb.log.context}\\] %{GREEDYDATA:mongodb.log.message}",
            "%{TIMESTAMP_ISO8601:mongodb.log.timestamp} %{WORD:mongodb.log.severity} - *\\[%{WORD:mongodb.log.context}\\] %{GREEDYDATA:mongodb.log.message}"
          ],

adrisr · July 10, 2018, 8:43am

Thanks @cwray, now it makes more sense.

Can you open a Pull-Request to the beats repo or prefer if I do it for you?

cwray · July 10, 2018, 3:33pm

Pull-request sent. It is stating that i did not sign the CLA. I went through the signing process before submitting the pull request. So I don't know what is going on there.

system · August 7, 2018, 5:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
MongoDB Module - Grok Expression does not match Beats filebeat	5	573	August 8, 2018
Filebeat mongo module, grok pattern is incorrect for Mongo 4 Beats filebeat	2	1162	October 24, 2018
Filebeat error using ingest pipeline: Provided Grok expressions do not match field value Beats filebeat	4	6118	June 15, 2017
Filebeat custom patterns Beats filebeat	2	436	September 2, 2020
Import filebeat ingest pipeline Beats	1	236	February 22, 2021

Filebeat mongo module, grok pattern is incorrect

Related topics