Use logstash configuration from OOM
[clamp.git] / src / main / docker / logstash / pipeline / logstash.conf
1 # Copyright (c) 2018 AT&T Intellectual Property.  All rights reserved.
2 #
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 #       http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
# Poll three DMaaP topics (events, notifications, requests) over HTTP once a
# minute. Every URL is assembled from environment variables, so scheme, host,
# topic names and consumer identity are decided at deploy time, not here.
input {
    http_poller {
        # CA bundle used to verify the DMaaP server certificate.
        # NOTE(review): this only matters when ${dmaap_base_url} is an https://
        # URL - confirm the deployed value is not plain http.
        cacert => "/certs.d/aafca.pem"

        # The response body is kept as raw text; the filter section parses it.
        codec => "plain"
        schedule => { "every" => "1m" }

        # Client-side timeouts. The URLs below also pass timeout=15000 to DMaaP
        # (presumably a server-side long-poll wait in milliseconds - confirm).
        socket_timeout => 30
        request_timeout => 30

        # NOTE(review): no credentials are configured on any of the requests
        # below - confirm whether the DMaaP endpoint is expected to accept
        # unauthenticated consumers in the target deployment.
        urls => {
            event_queue => {
                method => get
                url => "${dmaap_base_url}/events/${event_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000"
                headers => {
                    Accept => "application/json"
                }
                add_field => { "topic" => "${event_topic}" }
                type => "dmaap_event"
            }
            notification_queue => {
                method => get
                url => "${dmaap_base_url}/events/${notification_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000"
                headers => {
                    Accept => "application/json"
                }
                add_field => { "topic" => "${notification_topic}" }
                type => "dmaap_notification"
            }
            request_queue => {
                method => get
                url => "${dmaap_base_url}/events/${request_topic}/${dmaap_consumer_group}/${dmaap_consumer_id}?timeout=15000"
                headers => {
                    Accept => "application/json"
                }
                add_field => { "topic" => "${request_topic}" }
                type => "dmaap_request"
            }
        }
    }
}
# Ingest files dropped into /log-input, decoding their content with the json
# codec and typing the resulting events "dmaap_log".
input {
    file {
        type => "dmaap_log"
        codec => "json"
        # NOTE(review): the glob matches every file in the directory, so anything
        # able to write there can feed events into the pipeline - keep the mount
        # restricted to the intended producer.
        path => [ "/log-input/*" ]
    }
}
filter {
    # An empty JSON list means the poll returned nothing: discard the event.
    if [message] == "[]" {
        drop { }
    }

    # Tag failed polls so the output section can route them to the errors index.
    # NOTE(review): the status is compared with the string "200". Confirm that
    # http_poller stores the code in that form, and that events which have no
    # [@metadata][code] at all (the file input) are not meant to be tagged too.
    if [http_request_failure] or [@metadata][code] != "200" {
        mutate {
            add_tag => [ "error" ]
        }
    }

    # DMaaP answers with a JSON list whose items are strings, each string being
    # the escaped JSON of one published event. The response was read as plain
    # text, so it is parsed into a list here, split into one event per item, and
    # each item is then parsed as JSON in its own right.
    #
    # NOTE(review): this branch only runs for events tagged "dmaap_source", and
    # neither input in this file adds that tag - confirm where it is set.
    if "dmaap_source" in [tags] {
        json {
            source => "[message]"
            target => "message"
        }

        # NOTE(review): this looks intended to copy @metadata onto each list item
        # before the split. As written, event.get receives two arguments and set
        # is called on the list items rather than on an event - confirm it runs
        # without raising.
        ruby {
            code => "
            for ev in event.get('message', [])
                ev.set('@metadata', event.get('@metadata'))
            end
            "
        }

        split {
            field => "message"
        }

        # NOTE(review): there is no target here, so the keys of the published
        # message are written at the top level of the event. A message can
        # therefore carry its own "tags", "type" or "topic" values, and the
        # output section routes on tags - consider parsing into a dedicated
        # target or dropping those keys if publishers are not fully trusted.
        json {
            source => "message"
        }
        mutate {
            remove_field => [ "message" ]
        }
    }

    # Alarm timestamps arrive either in milliseconds or in microseconds. Values
    # above 9999999999999 (more than 13 digits) are taken to be microseconds and
    # scaled down, so that the date filter can always read UNIX_MS.
    # NOTE(review): to_i returns 0 for non-numeric text, so a malformed value
    # would be stored as the epoch instead of being reported - confirm that is
    # acceptable.
    if [closedLoopAlarmStart] {
        ruby {
            code => "
            ts = event.get('closedLoopAlarmStart').to_s.to_i(10)
            ts /= 1000 if ts > 9999999999999
            event.set('closedLoopAlarmStart', ts)
            "
        }
        date {
            match => [ "closedLoopAlarmStart", UNIX_MS ]
            target => "closedLoopAlarmStart"
        }
    }

    if [closedLoopAlarmEnd] {
        ruby {
            code => "
            ts = event.get('closedLoopAlarmEnd').to_s.to_i(10)
            ts /= 1000 if ts > 9999999999999
            event.set('closedLoopAlarmEnd', ts)
            "
        }
        date {
            match => [ "closedLoopAlarmEnd", UNIX_MS ]
            target => "closedLoopAlarmEnd"
        }
    }

    # Notification times look like "yyyy-MM-dd HH:mm:ss". Replacing the space
    # with "T" gives the ISO8601 form "yyyy-MM-ddTHH:mm:ss" the date filter reads.
    if [notificationTime] {
        mutate {
            gsub => [ "notificationTime", " ", "T" ]
        }
        date {
            match => [ "notificationTime", ISO8601 ]
            target => "notificationTime"
        }
    }

    # Copy selected A&AI attributes into short top-level names for readability.
    # The source fields are left in place.
    if [AAI][generic-vnf.vnf-name] {
        mutate {
            add_field => { "vnfName" => "%{[AAI][generic-vnf.vnf-name]}" }
        }
    }
    if [AAI][generic-vnf.vnf-type] {
        mutate {
            add_field => { "vnfType" => "%{[AAI][generic-vnf.vnf-type]}" }
        }
    }
    if [AAI][vserver.vserver-name] {
        mutate {
            add_field => { "vmName" => "%{[AAI][vserver.vserver-name]}" }
        }
    }
    if [AAI][complex.city] {
        mutate {
            add_field => { "locationCity" => "%{[AAI][complex.city]}" }
        }
    }
    if [AAI][complex.state] {
        mutate {
            add_field => { "locationState" => "%{[AAI][complex.state]}" }
        }
    }

    # Flags that make aggregation easier.
    # flagAbated: closedLoopEventStatus contains "ABATED", in any letter case.
    if [closedLoopEventStatus] =~ /(?i)ABATED/ {
        mutate {
            add_field => { "flagAbated" => "1" }
        }
    }
    # flagFinalFailure: notification contains FINAL and, later, FAILURE, each
    # delimited by a word boundary or an underscore (case-sensitive).
    if [notification] =~ /^.*?(?:\b|_)FINAL(?:\b|_).*?(?:\b|_)FAILURE(?:\b|_).*?$/ {
        mutate {
            add_field => { "flagFinalFailure" => "1" }
        }
    }

    if "error" not in [tags] {
        # Build the data for the secondary (aggregation) index: a clone named and
        # tagged "event-cl-aggs".
        clone {
            clones => [ "event-cl-aggs" ]
            add_tag => [ "event-cl-aggs" ]
        }

        if "event-cl-aggs" in [tags] {
            # Aggregations need only a handful of fields, so everything whose name
            # is not matched by the list below is removed from the clone. This
            # also limits what is written to the aggregation index.
            prune {
                whitelist_names => [
                    "^@.*$",
                    "^topic$",
                    "^type$",
                    "^tags$",
                    "^flagFinalFailure$",
                    "^flagAbated$",
                    "^locationState$",
                    "^locationCity$",
                    "^vmName$",
                    "^vnfName$",
                    "^vnfType$",
                    "^requestID$",
                    "^closedLoopAlarmStart$",
                    "^closedLoopControlName$",
                    "^closedLoopAlarmEnd$",
                    "^target$",
                    "^target_type$",
                    "^triggerSourceName$",
                    "^policyScope$",
                    "^policyName$",
                    "^policyVersion$"
                ]
            }
        }
    }
}
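# Route every event to stdout and to one of three daily Elasticsearch indices,
# chosen by tag: "error" -> errors-*, "event-cl-aggs" -> events-cl-*, anything
# else -> events-*.
#
# The date suffix uses "dd" (day of month). The previous "DD" is the
# day-of-year letter in the Joda-Time patterns used by %{+...}, so index names
# ended in the day of the year rather than the calendar day.
#
# NOTE(review): none of the elasticsearch outputs sets credentials or TLS
# options; transport security rests entirely on ${elasticsearch_base_url} -
# confirm the deployed value and whether the cluster requires authentication.
output {
    # Debug copy of each event, @metadata included, on the process stdout.
    # NOTE(review): whatever the events carry also ends up in the container
    # log - confirm this is wanted outside development.
    stdout {
        codec => rubydebug { metadata => true }
    }

    if "error" in [tags] {
        # NOTE(review): doc_as_upsert is set without action => "update" here
        # and in the final branch - confirm it has the intended effect.
        elasticsearch {
            codec => "json"
            hosts => ["${elasticsearch_base_url}"]
            index => "errors-%{+YYYY.MM.dd}"
            doc_as_upsert => true
        }

    } else if "event-cl-aggs" in [tags] {
        # One document per requestID, updated in place as further events for
        # the same control loop arrive.
        # NOTE(review): the id comes straight from the event. Events that share
        # a requestID overwrite each other's fields, and events without one
        # would presumably all land on the same literal id - consider dropping
        # or tagging clones that lack requestID before this point.
        elasticsearch {
            codec => "json"
            hosts => ["${elasticsearch_base_url}"]
            document_id => "%{requestID}"
            # daily indexes for control loop aggregations
            index => "events-cl-%{+YYYY.MM.dd}"
            doc_as_upsert => true
            action => "update"
        }

    } else {
        elasticsearch {
            codec => "json"
            hosts => ["${elasticsearch_base_url}"]
            # daily indexes for the full events
            index => "events-%{+YYYY.MM.dd}"
            doc_as_upsert => true
        }
    }
}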