1 # Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
17 ## Add an id to the plugin configuration. Can be anything unique.
20 ######## Connection configurations ########
22 ## The port to listen on.
23 port => {{.Values.service.externalPort}}
25 ## Close idle clients after the specified time in seconds. Default is 60 seconds.
26 #client_inactivity_timeout => 60
28 ######## Security configurations ########
## NOTE(review): every ssl_* setting visible in this section is commented out, so as shown
## this listener accepts shipper traffic without TLS and without client-certificate checks:
## log lines can be read or altered in transit, and any host that can reach the port can
## submit events. The ssl toggle itself is not visible in this excerpt (confirm its value).
## When enabling TLS, ssl_verify_mode => force_peer together with ssl_certificate_authorities
## makes the input reject clients that do not present a trusted certificate.
30 ## Enable encryption. Default false.
33 ## ssl certificate path.
34 #ssl_certificate => $filebeat_ssl_certificate
37 #ssl_key => $filebeat_ssl_key
39 ## SSL key passphrase to use.
## NOTE(review): if a passphrase is set, supply it via ${VAR} substitution (environment or
## Logstash keystore) rather than as a literal in this template.
40 #ssl_key_passphrase => $filebeat_ssl_key_passphrase
42 ## Value can be any of: none, peer, force_peer.
43 #ssl_verify_mode => $filebeat_ssl_verify_mode
45 ## Time in milliseconds for an incomplete ssl handshake to timeout. Default is 10000 ms.
46 #ssl_handshake_timeout => 10000
47 include_codec_tag => false
# Extracts componentName (first directory under /var/log/onap/) and componentLogFile
# (everything after /var/log/onap/) from the event's "source" path.
# NOTE(review): the enclosing plugin line is not visible in this excerpt; the %{...} syntax
# suggests grok, where break_on_match => false keeps trying patterns after the first match
# so that both captures are filled - confirm.
54 break_on_match => false
56 "source" => ["/var/log/onap/(?<componentName>[^/]+)/",
57 "/var/log/onap/%{GREEDYDATA:componentLogFile}"
62 # Filter for log4j xml events
63 if "</log4j:event>" in [message] {
65 #mutate { add_field => { "orgmsg_log4j" => "%{message}" } } # Copy of original msg for debug
67 #Filter to parse xml event and retrieve data
71 remove_namespaces => true
72 target => "xml_content"
# xpath entries are written as pairs: XPath expression, then the event field that receives the result.
73 xpath => [ "/event/message/text()", "logmsg" ,
74 "/event/@logger", "Logger",
75 "/event/@timestamp", "Timestamp",
76 "/event/@level", "loglevel",
77 "/event/@thread", "Thread",
78 "/event/throwable/text()", "Exceptionthrowable",
79 "/event/NDC/text()", "NDCs",
80 "/event/properties/data/@name","mdcname",
81 "/event/properties/data/@value","mdcvalue"]
85 #Ruby filter to iterate and separate MDCs into documents
# NOTE(review): [mdcname] and [mdcvalue] are filled by the xpath entries above from the
# name/value attributes of the logged event's properties, so both come from log content.
# event.set below uses each name as the destination field, which means a name matching a
# field already on the event (componentName, for instance, derived from the source path)
# would replace it. Writing the pairs under one parent field, or accepting only an expected
# set of names, keeps log content from choosing arbitrary top-level fields.
# NOTE(review): $num and $i are Ruby global variables, shared by everything in the same
# Ruby runtime. The loop that drives $i is not visible in this excerpt; if several pipeline
# workers run this filter at once the counters could interfere with each other, which
# ordinary local variables would avoid - confirm.
90 if event.get("[mdcname]")
91 $num = event.get("[mdcname]").length
# Copy a pair only when both the name and the value exist at this index.
95 if event.get("[mdcname]").at($i) and event.get("[mdcvalue]").at($i)
96 event.set(event.get("[mdcname]").at($i), event.get("[mdcvalue]").at($i))
# Only when a throwable was extracted: expose it as exceptionmessage.
105 if [Exceptionthrowable]
109 "exceptionmessage" => "%{[Exceptionthrowable]}"
# Field values taken from the xpath results; message is set from logmsg.
# NOTE(review): the option these pairs belong to is not visible in this excerpt.
125 "Logger" =>"%{[Logger]}"
126 "logmsg" =>"%{[logmsg]}"
127 "Timestamp" =>"%{[Timestamp]}"
128 "loglevel" =>"%{[loglevel]}"
129 "message" => "%{logmsg}"
130 "Thread" => "%{[Thread]}"
# Drop the intermediate fields listed here.
132 remove_field => ["mdcname", "mdcvalue", "logmsg","Exceptionthrowable","NDCs"]
# Interpret Timestamp as epoch milliseconds (UNIX_MS) and write the parsed value back to Timestamp.
138 match => ["Timestamp", "UNIX_MS"]
139 target => "Timestamp"
143 # Filter for logback events
146 #mutate { add_field => { "orgmsg" => "%{message}" } } # Copy of original msg for debug
# Each row is a triple: field, regular expression, replacement. Applied to message, the rows
# remove spaces around "=", put "null" where a key has no value, and rewrite a trailing tab.
# NOTE(review): the enclosing plugin/option lines are not visible in this excerpt
# (presumably mutate gsub) - confirm.
150 'message', ' = ', '=',
151 'message', '= ', '=null',
152 'message', '=\t', '=null ', #This null is followed by a tab
153 'message', '\t$', '\t'
156 # The grok below parses the message field for all current logback patterns used by oom components.
157 # Example logback pattern: %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}|%X{RequestId}|%msg
158 # Example grok pattern: %{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message}
159 # Use the following command to find all logback patterns in oom directory: find oom -name "logback*xml" -exec grep "property.*attern.*value" {} \;|sort|uniq
# NOTE(review): most patterns below are long chains of GREEDYDATA captures separated by "|".
# On a line that does not match, the regex engine may try many ways of dividing the text
# between those captures before giving up, which gets slow on long lines and can hold up
# the pipeline for every event behind it. Where a field cannot contain "|", a bounded
# capture such as (?<Thread>[^|]*) avoids that, and grok's timeout_millis setting caps the
# time spent on a single pattern.
# NOTE(review): the first pattern has unescaped [ ] around the Thread capture, while the
# last pattern writes \[ ... \]. Unescaped brackets form a regex character class - confirm
# the first pattern matches what is intended.
163 "%{TIMESTAMP_ISO8601:Timestamp}\\t[%{GREEDYDATA:Thread}]\\t%{GREEDYDATA:loglevel}\\t%{JAVACLASS:Logger}\\t%{GREEDYDATA:MDCs}\\t%{GREEDYDATA:message}",
164 "%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:TargetVirtualEntity}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}",
165 "%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}",
166 "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Timer}\|\[%{GREEDYDATA:caller}\]\|%{GREEDYDATA:message}",
167 "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:ErrorCode}\|%{GREEDYDATA:ErrorDesc}\|%{GREEDYDATA:message}",
168 "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ClassName}\|%{GREEDYDATA:message}",
169 "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message}",
170 "\[%{TIMESTAMP_ISO8601:Timestamp}\|%{LOGLEVEL:loglevel}\|%{GREEDYDATA:Logger}\|%{GREEDYDATA:Thread}\] %{GREEDYDATA:message}"
# Replace the existing message field with the captured message instead of appending to it.
173 overwrite => ["message"]
175 # The MDCs are key value pairs that are separated by "," or "\t". Extra space characters are trimmed from the keys and values.
# NOTE(review): the key/value parsing described above is not visible in this excerpt. If it
# is a kv filter writing to the event root, keys found in the log text become field names;
# kv's target option (or prefix / include_keys) keeps them from colliding with fields that
# other parts of this pipeline set - confirm.
181 remove_field => [ "MDCs" ]
# Patterns that capture Begin/End timestamps do not set Timestamp, so fall back to EndTimestamp.
184 if (![Timestamp] and [EndTimestamp]) {
185 mutate { add_field => { "Timestamp" => "%{EndTimestamp}" } }
# Parse Timestamp as ISO8601, or as "yyyy-MM-dd HH:mm:ss,SSS", and store the result back in Timestamp.
188 match => [ "Timestamp", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS" ]
189 target => "Timestamp"
# Drop the placeholder captures that carry no named meaning.
193 remove_field => ["DuplicateRequestID", "Unknown1", "Unknown2", "Unknown3", "Unknown4", "Unknown5", "Unknown6", "Unknown7", "Unknown8"]
# Extra handling that applies only to the SDC back-end audit log.
196 if ([source] == "/var/log/onap/sdc/sdc-be/audit.log") {
197 #Parse kvps in message
204 #If Request Id is missing and DID is present use as RequestId
205 if (![RequestId] and [DID] =~ /.+/) {
206 mutate { add_field => { "RequestId" => "%{DID}" } }
210 } #Close else statement for logback events
218 ######### Security configurations #########
## NOTE(review): the password below is a literal in the template, so it is stored in version
## control and in every rendered copy of this config, and "changeme" looks like a stock
## default rather than a deployment-specific secret. Supplying it through Logstash's ${VAR}
## substitution (environment variable or Logstash keystore entry, e.g. fed from a Kubernetes
## Secret) keeps it out of the chart; the account itself should get a non-default password.
221 password => "changeme"
223 ## The .cer or .pem file to validate the server's certificate
224 #cacert => $es_cacert
226 ## The keystore used to present a certificate to the server. It can be either .jks or .p12
227 #keystore => $es_keystore
## NOTE(review): keystore and truststore passwords are secrets too; avoid literals here as well.
228 #keystore_password => $es_keystore_password
230 ## Enable SSL/TLS secured communication to Elasticsearch cluster.
231 ## Default is not set, in which case it depends on the protocol specified in the hosts list
234 ## Option to validate the server's certificate. Default is true
## NOTE(review): keep this at true; turning it off means the server's identity is no longer
## checked, so a spoofed endpoint would be accepted.
235 #ssl_certificate_verification => $es_ssl_certificate_verification
237 ## The JKS truststore to validate the server's certificate.
238 #truststore => $es_truststore
239 #truststore_password => $es_truststore_password
242 ######### Elasticsearch cluster and host configurations #########
244 ## Can specify one or a list of hosts. If sniffing is set, one is enough and others will be auto-discovered
## NOTE(review): the URL scheme is http://, so bulk requests - log content plus the
## credentials set on this output - cross the cluster network unencrypted. Using https://
## here together with cacert (or truststore) lets Logstash encrypt the connection and
## verify the server it is talking to.
245 hosts => ["http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}:{{.Values.config.elasticsearchPort}}"]
248 ## This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list. Default is false.
251 ## How long to wait, in seconds, between sniffing attempts. Default is 5 seconds.
254 ## Set the address of a forward HTTP proxy.
257 ## Use this if you must run Elasticsearch behind a proxy that remaps the root path where the Elasticsearch HTTP API lives
260 ######### Elasticsearch request configurations #########
262 ## This setting defines the maximum sized bulk request Logstash will make.
265 ######### Document configurations #########
## Index name with a date suffix formatted as YYYY.MM.dd.
267 index => "logstash-%{+YYYY.MM.dd}"
268 document_type => "logs"
270 ## This can be used to associate child documents with a parent using the parent ID.