Problems migrating from filebeat 5 to 7 - not gettings the data/fields we need in logstash

fjkoz · August 17, 2023, 7:03am

Hi all,

Rather new to ELK in general, I am trying to migrate from filebeat v5.6.4 to filebeat 7.17.3. The problem is that the messages from the new install are not being parsed correctly. I know the document_type as type was deprecated in v6, and have tried to adapt our configuration accordingly to use input type or some other field for filtering in logstash, but it does not seem to work.

The new version is sending events to logstash, but these are not parsed the same way the old version did and we are missing several necessary fields. The old version is for now still running in production/test/dev, while the new one is being tested in our playground/alpha, but the logs these different environments produce have the same format. We are indexing them based on environment, loglevel and year/part.

Both filebeats use the same logstash output configuration. e.g. sent to the same place and we use an IF condition to differentiate what filters events from old and new filebeat gets. In general, its the exact same config, apart from a few things

The main issue is that the log level is not being set unless i manually set it through logstash-indexer.conf, and that log lines/messages are not being parsed correctly into different fields like, pods, containers, namespaces etc. so its easily can be search for in ELK/Kibana.

As the old filebeat is REALLY OLD now, we would def. like to move to the more recent 7.17.3, but we cannot until this is sorted. Any and all suggestions are very welcome and most grateful for!

Below are some examples of events from the "new" filebeat as seen in ELK, as well as its config, followed by examples from the "old" filebeat as well as its config and a common logstash-indexer.conf at the end.

//fjkoz

event from "new" filebeat as seen in ELK/kibana

{
  "_index": "logstash-alpha-%{level2}-2023.33",
  "_type": "_doc",
  "_id": "GIAz-YkBle9XL6NxCHIr",
  "_version": 1,
  "_score": 1,
  "_source": {
    "ecs": {
      "version": "1.12.0"
    },
    "stream": "stderr",
    "level": "UNDEFINED-LEVEL", #<< Manually set in logstash-indexer.conf with "if [level] else mutate add_field...."
    "@timestamp": "2023-08-15T12:36:55.436Z",
    "agent": {
      "hostname": "host41",
      "id": "0cdd806e-73b0-4256-ab6d-9ff14c084a63",
      "ephemeral_id": "7f3a4dcb-a7d9-409e-869e-1c753f8f8bae",
      "name": "host41",
      "type": "filebeat",
      "version": "7.17.3"
    },
    "environment": "alpha",
    "time": "2023-08-15T12:36:55.030181603Z",
    "host": {
      "name": "host41"
    },
    "@version": "1",
    "log": {
      "offset": 6634937,
      "file": {
        "path": "/var/log/containers/kong-egress-kong-94d6f648d-9x4fk_kong-egress_proxy-f014bbc316fe21dbc02ce7d80685dabd8e5b14b200f2ab7a1792cfd2eed9287b.log"
      }
    },
    "message": "2023/08/15 12:36:55 [warn] 1525#0: *41353 [lua] targets.lua:504: queryDns(): querying dns for echoserver.devdev.no failed: dns server error: 3 name error. Tried [\"(short)echoserver.devdev.no:(na) - cache-miss\",\"echoserver.devdev.no.kong-egress.svc.k8s-vmware-3:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.svc.k8s-vmware-3:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.k8s-vmware-3:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.kong-egress.svc.k8s-vmware-3:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.svc.k8s-vmware-3:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.k8s-vmware-3:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no:1 - cache-hit/stale/in progress (async)/dns client error: 101 empty record received\",\"echoserver.devdev.no.kong-egress.svc.k8s-vmware-3:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.svc.k8s-vmware-3:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.k8s-vmware-3:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\"], context: ngx.timer\n",
    "tags": [
      "beats_input_codec_plain_applied",
      "_jsonparsefailure"
    ],
    "input": {
      "type": "filestream"
    }
  },
  "fields": {
    "agent.version.keyword": [
      "7.17.3"
    ],
    "environment.keyword": [
      "alpha"
    ],
    "stream.keyword": [
      "stderr"
    ],
    "input.type.keyword": [
      "filestream"
    ],
    "host.name.keyword": [
      "host41"
    ],
    "tags.keyword": [
      "beats_input_codec_plain_applied",
      "_jsonparsefailure"
    ],
    "agent.hostname.keyword": [
      "host41"
    ],
    "agent.type": [
      "filebeat"
    ],
    "ecs.version.keyword": [
      "1.12.0"
    ],
    "stream": [
      "stderr"
    ],
    "@version": [
      "1"
    ],
    "agent.name": [
      "host41"
    ],
    "host.name": [
      "host41"
    ],
    "log.file.path.keyword": [
      "/var/log/containers/kong-egress-kong-94d6f648d-9x4fk_kong-egress_proxy-f014bbc316fe21dbc02ce7d80685dabd8e5b14b200f2ab7a1792cfd2eed9287b.log"
    ],
    "agent.type.keyword": [
      "filebeat"
    ],
    "agent.ephemeral_id.keyword": [
      "7f3a4dcb-a7d9-409e-869e-1c753f8f8bae"
    ],
    "level": [
      "UNDEFINED-LEVEL"
    ],
    "agent.name.keyword": [
      "host41"
    ],
    "agent.id.keyword": [
      "0cdd806e-73b0-4256-ab6d-9ff14c084a63"
    ],
    "input.type": [
      "filestream"
    ],
    "log.offset": [
      6634937
    ],
    "message": [
      "2023/08/15 12:36:55 [warn] 1525#0: *41353 [lua] targets.lua:504: queryDns(): querying dns for echoserver.devdev.no failed: dns server error: 3 name error. Tried [\"(short)echoserver.devdev.no:(na) - cache-miss\",\"echoserver.devdev.no.kong-egress.svc.k8s-vmware-3:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.svc.k8s-vmware-3:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.k8s-vmware-3:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no:33 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.kong-egress.svc.k8s-vmware-3:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.svc.k8s-vmware-3:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.k8s-vmware-3:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:1 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no:1 - cache-hit/stale/in progress (async)/dns client error: 101 empty record received\",\"echoserver.devdev.no.kong-egress.svc.k8s-vmware-3:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.svc.k8s-vmware-3:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.k8s-vmware-3:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no.example.no:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\",\"echoserver.devdev.no:5 - cache-hit/stale/in progress (async)/dns server error: 3 name error\"], context: ngx.timer\n"
    ],
    "agent.hostname": [
      "host41"
    ],
    "tags": [
      "beats_input_codec_plain_applied",
      "_jsonparsefailure"
    ],
    "environment": [
      "alpha"
    ],
    "@timestamp": [
      "2023-08-15T12:36:55.436Z"
    ],
    "level.keyword": [
      "UNDEFINED-LEVEL"
    ],
    "agent.id": [
      "0cdd806e-73b0-4256-ab6d-9ff14c084a63"
    ],
    "ecs.version": [
      "1.12.0"
    ],
    "log.file.path": [
      "/var/log/containers/kong-egress-kong-94d6f648d-9x4fk_kong-egress_proxy-f014bbc316fe21dbc02ce7d80685dabd8e5b14b200f2ab7a1792cfd2eed9287b.log"
    ],
    "agent.ephemeral_id": [
      "7f3a4dcb-a7d9-409e-869e-1c753f8f8bae"
    ],
    "agent.version": [
      "7.17.3"
    ],
    "time": [
      "2023-08-15T12:36:55.030Z"
    ]
  }
}

filebeat config

filebeatConfig:
    filebeat.yml: |-
      filebeat.registry.path: /var/log/containers/registry

      filebeat.inputs:
      - type: filestream
        enabled: true
        id: kube-logs
        paths:
          - ${log_path_kong}
          - ${log_path_common}
          - ${log_path_ingress_nginx}
          - ${log_path_flux}
        processors:
        - add_kubernetes_metadata:
            host: "$${NODE_NAME}"
            matchers:
            - logs_path:
                logs_path: "/var/log/containers/"
        prospector.scanner.symlinks: true
        parsers:
          - container:
            stream: all
        fields:
          environment: ${environment}
          host: "$${HOSTNAME}"
        fields_under_root: true

      output.logstash:
        hosts: ["applogs.example.com:5044"]
        timeout: 15

      logging.level: "$${LOG_LEVEL:debug}"

event from "old" filebeat as seen in ELK/Kibana

{
  "_index": "logstash-prod-info-2023.33",
  "_type": "_doc",
  "_id": "4Rtq_okBHBzSRVfx5rDG",
  "_version": 1,
  "_score": 1,
  "_source": {
    "log": "127.0.0.1 - - [16/Aug/2023:12:56:03 +0000] \"GET /status HTTP/1.1\" 200 1344 \"-\" \"Go-http-client/1.1\"",
    "environment": "prod",
    "level2": "info",
    "container_name": "proxy",
    "pod_name": "kong-egress-kong-685dcdf858-7pr2p",
    "container_id": "551d92cf9af17d08f2203af1a68c0f06ba0b38c2a575b17d8191d4a8e1094e43",
    "namespace": "kong-egress",
    "@timestamp": "2023-08-16T12:56:03.737Z",
    "offset": 13537728,
    "type": "kube-logs",
    "@version": "1",
    "tags": [
      "beats_input_raw_event",
      "_jsonparsefailure"
    ],
    "host": "host100",
    "level": "INFO"
  },
  "fields": {
    "environment.keyword": [
      "prod"
    ],
    "log": [
      "127.0.0.1 - - [16/Aug/2023:12:56:03 +0000] \"GET /status HTTP/1.1\" 200 1344 \"-\" \"Go-http-client/1.1\""
    ],
    "tags.keyword": [
      "beats_input_raw_event",
      "_jsonparsefailure"
    ],
    "level2.keyword": [
      "info"
    ],
    "container_id.keyword": [
      "551d92cf9af17d08f2203af1a68c0f06ba0b38c2a575b17d8191d4a8e1094e43"
    ],
    "type": [
      "kube-logs"
    ],
    "container_name.keyword": [
      "proxy"
    ],
    "type.keyword": [
      "kube-logs"
    ],
    "@version": [
      "1"
    ],
    "host": [
      "host100"
    ],
    "host.keyword": [
      "host100"
    ],
    "pod_name.keyword": [
      "kong-egress-kong-685dcdf858-7pr2p"
    ],
    "offset": [
      13537728
    ],
    "level": [
      "INFO"
    ],
    "namespace.keyword": [
      "kong-egress"
    ],
    "tags": [
      "beats_input_raw_event",
      "_jsonparsefailure"
    ],
    "pod_name": [
      "kong-egress-kong-685dcdf858-7pr2p"
    ],
    "environment": [
      "prod"
    ],
    "@timestamp": [
      "2023-08-16T12:56:03.737Z"
    ],
    "level.keyword": [
      "INFO"
    ],
    "container_name": [
      "proxy"
    ],
    "log.keyword": [
      "127.0.0.1 - - [16/Aug/2023:12:56:03 +0000] \"GET /status HTTP/1.1\" 200 1344 \"-\" \"Go-http-client/1.1\""
    ],
    "namespace": [
      "kong-egress"
    ],
    "container_id": [
      "551d92cf9af17d08f2203af1a68c0f06ba0b38c2a575b17d8191d4a8e1094e43"
    ],
    "level2": [
      "info"
    ]
  }
}

Filebeat config

filebeat.yml: |-
    filebeat.registry_file: /var/log/containers/filebeat_registry

    filebeat.prospectors:
    - input_type: log
      paths:
        - ${LOG_PATH_COMMON:null}
        - ${LOG_PATH_KONG:null}
        - ${LOG_PATH_INGRESS_NGINX:null}
        - ${LOG_PATH_FLUX:null}
      symlinks: true
      json.message_key: log
      json.keys_under_root: true
      json.add_error_key: true
      multiline.pattern: '^\s'
      multiline.match: after
      document_type: kube-logs
      fields:
        host: ${FILEBEAT_HOST:${HOSTNAME:null}}
        environment: ${FILEBEAT_ENVIRONMENT:undefined-env}
      fields_under_root: true

    output.logstash:
        hosts: ${LOGSTASH_HOSTS:null}
        timeout: 15

    logging.level: ${LOG_LEVEL:error}

logstash-indexer.conf for both old and new

input {
  beats {
    port => 5044
  }
}


filter {
  if [environment] == "alpha" {

  mutate {
    lowercase => [ "environment" ]
  }

  if [input][type] == "filestream" {
    json {
      source => "log"
    }

    mutate {
      #rename => ["log", "message"]
      remove_field => [ "fields", "beat", "input_type", "stream" ]
   }

    date {
      match => ["time", "ISO8601"]
      remove_field => ["time"]
    }

    grok {
        match => { "source" => "/var/log/containers/%{DATA:pod_name}_%{DATA:namespace}_%{GREEDYDATA:container_name}-%{DATA:container_id}.log" }
        remove_field => ["source"]
       add_field => {"grok" => "MATCHED"}
    }
  }

 # if [type] == "log" {
 #   mutate {
 #     #remove_field => [ "fields", "beat", "input_type" ]
 #   }
 #   json {
 #     source => "message"
 #   }
 # }

  if [level] {
  } else {
    mutate {
      add_field => { "level" => "undefined-level" }
    }
  }

  mutate {
    uppercase => [ "level" ]
  }

  # drop debug level messages
  if [level] == "TRACE" {
    drop{}
  }

  if [level] == "DEBUG" {
   mutate {
    add_field => { "level2" => "debug" }
   }
  }

  if [level] == "INFO" {
   mutate {
    add_field => { "level2" => "info" }
   }
  }

  if [level] == "WARN" {
   mutate {
   add_field => { "level2" => "warn" }
   }
  }

  if [level] == "WARNING" {
   mutate {
   add_field => { "level2" => "warning" }
   }
  }

  if [level] == "ERR" {
   mutate {
   add_field => { "level2" => "err" }
   }
  }

  if [level] == "ERROR" {
   mutate {
   add_field => { "level2" => "error" }
   }
  }

  mutate {

    lowercase => [ "level2" ]
  }

  }

  else {

  if [environment] {
  } else {
    mutate {
      add_field => { "environment" => "undefined-env" }
    }
  }

  # indexes in elastic search must be lowercase, so normalize
  mutate {
    lowercase => [ "environment" ]
  }

  # indexes in elastic search must be lowercase, so normalize
  mutate {
    lowercase => [ "environment" ]
  }

  if [environment] {
  } else {
    mutate {
      add_field => { "environment" => "undefined-env" }
    }
  }

  if [type] == "kube-logs" {
    json {
      source => "log"
    }

    mutate {
      #rename => ["log", "message"]
      remove_field => [ "fields", "beat", "input_type", "stream" ]
    }

    date {
      match => ["time", "ISO8601"]
      remove_field => ["time"]
    }

    grok {
        match => { "source" => "/var/log/containers/%{DATA:pod_name}_%{DATA:namespace}_%{GREEDYDATA:container_name}-%{DATA:container_id}.log" }
        remove_field => ["source"]
    }
  }

  if [type] == "log" {
    mutate {
      remove_field => [ "fields", "beat", "input_type" ]
    }
    json {
      source => "message"
    }
  }

  if [level] {
  } else {
    mutate {
      add_field => { "level" => "INFO" }
    }
  }

  mutate {
    uppercase => [ "level" ]
  }

  # drop debug level messages
  if [level] == "TRACE" {
    drop{}
  }

  if [level] == "DEBUG" {
   mutate {
    add_field => { "level2" => "debug" }
   }
  }

  if [level] == "INFO" {
   mutate {
    add_field => { "level2" => "info" }
   }
  }

  if [level] == "WARN" {
   mutate {
   add_field => { "level2" => "warn" }
   }
  }

  if [level] == "WARNING" {
   mutate {
   add_field => { "level2" => "warning" }
   }
  }

  if [level] == "ERR" {
   mutate {
   add_field => { "level2" => "err" }
   }
  }

  if [level] == "ERROR" {
   mutate {
   add_field => { "level2" => "error" }
   }
  }

  mutate {

    lowercase => [ "level2" ]
  }

  }

}
output {
  elasticsearch {
    hosts => "logstashhost"
    index => "logstash-%{environment}-%{level2}-%{+xxxx.ww}"
  }


}

chouben · August 17, 2023, 12:15pm

Hi

ELK = Elasticsearch, Logstash, Kibana
Since the introduction of Beats, it is called Elastic Stack

You're doing multiple minor upgrades and 2 major upgrades at once. So if you want to understand why/when things changed, check the release notes for breaking changes:
[Release notes | Beats Platform Reference [7.17] | Elastic]

As per my experience, I would suggest to just take your loss and reconfigure the logstash pipeline.
If you're new to Elastic Stack, it might be beneficial to also understand how the pipelines work.

Good luck
Christof

leandrojmp · August 17, 2023, 1:21pm

Moving from Filebeat 5 to Filebeat 7 is a big change, there were a lot of changes between those two versions and some of them are conflicting.

My first suggestion would be to use different pipelines for each version to help with troubleshoot and migration of the pipeline.

What version of Logstash are you using? You didn't say.

system · September 14, 2023, 3:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6} Logstash	3	16313	July 10, 2019
Help jump from logstash to beats Beats filebeat	6	929	December 11, 2017
Logstash parsing broken after upgrading from filebeat 5.6 to 7.6. Appears to be an issue with logs not getting tagged correctly Beats filebeat	2	516	March 25, 2020
Problem caused by change of fieldtype after upgrade of filebeat Beats filebeat	4	428	May 10, 2018
DIfferent Kinds of events from filebeat to Logstash, Assorting and Parsing Logstash	3	339	August 14, 2018

Problems migrating from filebeat 5 to 7 - not gettings the data/fields we need in logstash

Related topics