MongoDB 4.4.4 compatibility with Filebeat 7.12.0

Hi there,

I was using MongoDB 4.2.4 with Filebeat 7.9.0 without any problems. After updating MongoDB to 4.4.4, I started getting Grok errors. I then updated Filebeat to 7.12.0 as well, but I still get the Grok error, so the MongoDB log file is not parsed correctly and the dashboards are not working. Can somebody help me figure this out?

Here is JSON output:

{
"_index": "filebeat-ali-2021.04.13",
"_type": "_doc",
"_id": "mK1oy3gBXre3GWy8tlNL",
"_version": 1,
"_score": null,
"fields": {
"agent.version.keyword": [
"7.12.0"
],
"host.architecture.keyword": [
"x86_64"
],
"host.name.keyword": [
"ali"
],
"event.dataset.keyword": [
"mongodb.log"
],
"host.hostname": [
"ali"
],
"host.mac": [
"00:50:56:9a:bd:da"
],
"agent.hostname.keyword": [
"ali"
],
"service.type": [
"mongodb"
],
"ecs.version.keyword": [
"1.8.0"
],
"host.ip.keyword": [
"10.41.51.10",
"fe80::ec07:38ab:afa6:74b3"
],
"host.os.version": [
"7 (Core)"
],
"host.os.name": [
"CentOS Linux"
],
"agent.name": [
"ali"
],
"host.id.keyword": [
"f3af7575105848b28be2fc5b29f9e9f3"
],
"host.name": [
"ali"
],
"host.os.version.keyword": [
"7 (Core)"
],
"host.os.type": [
"linux"
],
"agent.id.keyword": [
"aff3a2b1-e0e8-4090-9ee0-75ee8ac27ec5"
],
"fileset.name": [
"log"
],
"input.type": [
"log"
],
"log.offset": [
555979475
],
"agent.hostname": [
"ali"
],
"host.architecture": [
"x86_64"
],
"fileset.name.keyword": [
"log"
],
"agent.id": [
"aff3a2b1-e0e8-4090-9ee0-75ee8ac27ec5"
],
"ecs.version": [
"1.8.0"
],
"host.containerized": [
false
],
"event.module.keyword": [
"mongodb"
],
"host.hostname.keyword": [
"ali"
],
"agent.version": [
"7.12.0"
],
"host.os.family": [
"redhat"
],
"service.type.keyword": [
"mongodb"
],
"input.type.keyword": [
"log"
],
"host.ip": [
"10.41.51.10",
"fe80::ec07:38ab:afa6:74b3"
],
"agent.type": [
"filebeat"
],
"event.module": [
"mongodb"
],
"host.os.kernel.keyword": [
"3.10.0-1160.21.1.el7.x86_64"
],
"host.os.kernel": [
"3.10.0-1160.21.1.el7.x86_64"
],
"host.os.name.keyword": [
"CentOS Linux"
],
"host.id": [
"f3af7575105848b28be2fc5b29f9e9f3"
],
"log.file.path.keyword": [
"/data/mongo/log/mongod.log"
],
"agent.type.keyword": [
"filebeat"
],
"agent.ephemeral_id.keyword": [
"30d873bb-1a22-4c27-a5c0-993b0f535ecd"
],
"host.os.codename.keyword": [
"Core"
],
"host.mac.keyword": [
"00:50:56:9a:bd:da"
],
"agent.name.keyword": [
"ali"
],
"host.os.codename": [
"Core"
],
"message": [
"{"t":{"$date":"2021-04-13T16:25:40.054+03:00"},"s":"I", "c":"COMMAND", "id":51803, "ctx":"conn30112","msg":"Slow query","attr":{"type":"command","ns":"cto_grc_ayn_elogo_2021_main_gbz.fs.chunks","command":{"find":"fs.chunks","filter":{"files_id":"G|DESPATCHADVICE|123861487","n":{"$gte":0}},"sort":{"n":1},"$db":"cto_grc_ayn_elogo_2021_main_gbz","$clusterTime":{"clusterTime":{"$timestamp":{"t":1618320339,"i":286}},"signature":{"hash":{"$binary":{"base64":"AAAAAAAAAAAAAAAAAAAAAAAAAAA=","subType":"0"}},"keyId":0}},"lsid":{"id":{"$uuid":"5fbcd3dd-8685-4a7b-a67e-e92c1f25cfeb"}}},"planSummary":"IXSCAN { files_id: 1, n: 1 }","keysExamined":1,"docsExamined":1,"cursorExhausted":true,"numYields":1,"nreturned":1,"queryHash":"CCD12291","planCacheKey":"75F8304D","reslen":13757,"locks":{"ReplicationStateTransition":{"acquireCount":{"w":2}},"Global":{"acquireCount":{"r":2}},"Database":{"acquireCount":{"r":2}},"Collection":{"acquireCount":{"r":2}},"Mutex":{"acquireCount":{"r":1}}},"storage":{"data":{"bytesRead":32531,"timeReadingMicros":265664}},"protocol":"op_msg","durationMillis":266}}"
],
"host.os.family.keyword": [
"redhat"
],
"event.ingested": [
"2021-04-13T13:25:40.553Z"
],
"@timestamp": [
"2021-04-13T13:25:40.334Z"
],
"host.os.type.keyword": [
"linux"
],
"host.os.platform": [
"centos"
],
"host.os.platform.keyword": [
"centos"
],
"error.message": [
"Provided Grok expressions do not match field value: [{\"t\":{\"$date\":\"2021-04-13T16:25:40.054+03:00\"},\"s\":\"I\", \"c\":\"COMMAND\", \"id\":51803, \"ctx\":\"conn30112\",\"msg\":\"Slow query\",\"attr\":{\"type\":\"command\",\"ns\":\"cto_grc_ayn_elogo_2021_main_gbz.fs.chunks\",\"command\":{\"find\":\"fs.chunks\",\"filter\":{\"files_id\":\"G|DESPATCHADVICE|123861487\",\"n\":{\"$gte\":0}},\"sort\":{\"n\":1},\"$db\":\"cto_grc_ayn_elogo_2021_main_gbz\",\"$clusterTime\":{\"clusterTime\":{\"$timestamp\":{\"t\":1618320339,\"i\":286}},\"signature\":{\"hash\":{\"$binary\":{\"base64\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAA=\",\"subType\":\"0\"}},\"keyId\":0}},\"lsid\":{\"id\":{\"$uuid\":\"5fbcd3dd-8685-4a7b-a67e-e92c1f25cfeb\"}}},\"planSummary\":\"IXSCAN { files_id: 1, n: 1 }\",\"keysExamined\":1,\"docsExamined\":1,\"cursorExhausted\":true,\"numYields\":1,\"nreturned\":1,\"queryHash\":\"CCD12291\",\"planCacheKey\":\"75F8304D\",\"reslen\":13757,\"locks\":{\"ReplicationStateTransition\":{\"acquireCount\":{\"w\":2}},\"Global\":{\"acquireCount\":{\"r\":2}},\"Database\":{\"acquireCount\":{\"r\":2}},\"Collection\":{\"acquireCount\":{\"r\":2}},\"Mutex\":{\"acquireCount\":{\"r\":1}}},\"storage\":{\"data\":{\"bytesRead\":32531,\"timeReadingMicros\":265664}},\"protocol\":\"op_msg\",\"durationMillis\":266}}]"
],
"log.file.path": [
"/data/mongo/log/mongod.log"
],
"agent.ephemeral_id": [
"30d873bb-1a22-4c27-a5c0-993b0f535ecd"
],
"event.dataset": [
"mongodb.log"
]
},
"sort": [
1618320340334
]
}

It seems that, starting with 4.4, MongoDB made a full 180 and switched from their old syslog format to logging in JSON; ref: Log Messages — MongoDB Manual

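Since it is a whole new format, there is unfortunately no easy direct fix, but I see that there is a PR open to add support: [Filebeat] [MongoDB] Support MongoDB 4.4 json logs by tetianakravchenko · Pull Request #24774 · elastic/beats · GitHub. I would recommend following that for updates. In the meantime, as the output above shows, the events are still indexed, but the raw line stays unparsed in `message` and the Grok failure is recorded in `error.message`, which is why the dashboards that depend on the parsed fields are not working.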
