[Platform Observability] Create initial PO package for ingesting kibana ECS formatted logs

[crespocarlos]

What does this PR do?

This PR is the initial work for creating the new Platform Observability package. We will start with ingesting Kibana logs but its capabilities will be extended over time. This package is heavily based on the solution provided here #2972

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• Define the package name
• Align current Kibana package ingest pipelines with this one (This is a duplication of the existing Kibana package)
• Decide whether we will go with Filebeat processors to parse the json object or not

How to test this PR locally

In order to tests this we first need to edit the configuration used by elastic-packages

• Enable kibana logging, by adding the configuration below to ~/.elastic-package/profiles/default/stack/kibana.config.8x.yml

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: ./.kbn-logs/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10
  layout:
    type: json

logging:
  appenders:
    file:
      type: file
      fileName: ./.kbn-logs/kibana.log
      layout:
        type: json
  root:
    appenders: [default, file]
    level: all

  loggers:
    - name: server
      level: fatal
    - name: telemetry
      appenders: [file]
      level: all
    - name: metrics.ops
      appenders: [file]
      level: debug

• Edit ~/.elastic-package/profiles/default/stack/snapshot.yml, adding "../../../tmp/service_logs:/usr/share/kibana/.kbn-logs" to the list of volumes for kibana container, to enable the agent to see the logs
• From the repo root folder go to packages/platform_observability folder and run elastic-package build
• Run elastic-package stack up -v -d
• On Kibana, go to Integrations
• Install Platform Observability with default configuration, adding it to Elastic-Agent host

Related issues

• Closes #2226

Screenshots

Integration page

Kibana logs

Kibana audit logs

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-07-22T07:06:36.514+0000

• Duration: 15 min 37 sec

Test stats 🧪

Test	Results
Failed	0
Passed	8
Skipped	0
Total	8

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[matschaffer]

The first time I made the changes I hit this which reverted them:

❯ elastic-package version
2022/06/30 12:26:04  WARN Default profile has been changed by user or updated by elastic-package. The current profile will be moved.
elastic-package has been installed.
elastic-package version-hash 3144604 (build time: 2022-06-30T12:23:43+09:00)

Maybe due to me having run elastic-package on an older version. Thought I'd mention it incase other testers bumped into the same thing.

[matschaffer]

heh, so far my attempts at starting the stack are failing. Will have to dig:

Creating elastic-package-stack_kibana_1                    ... done

ERROR: for fleet-server  Container "a6027ac4a639" is unhealthy.

ERROR: for kibana_is_ready  Container "a6027ac4a639" is unhealthy.
ERROR: Encountered errors while bringing up the project.
Error: booting up the stack failed: running docker-compose failed: running command failed: running Docker Compose up command failed: exit status 1

[matschaffer]

Interestingly enough, the kibana healthcheck checks for the ES security index. which is red. Go figure 😆

https://github.com/elastic/elastic-package/blob/3b2d1e91503707f6be7685c9478a2107bd2a2ed7/internal/install/_static/kibana_healthcheck.sh#L6

[matschaffer]

ah!

❯ docker logs elastic-package-stack_elasticsearch_1 -n 1
{"@timestamp":"2022-06-30T05:55:51.586Z", "log.level": "WARN", "message":"high disk watermark [90%] exceeded on [Vo4wyn23ReWufzMT2R9n3g][5b4a83809124][/usr/share/elasticsearch/data] free: 5.6gb[9.6%], shards will be relocated away from this node; currently relocating away shards totalling [0] bytes; the node is expected to continue to exceed the high disk watermark when these relocations are complete", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[5b4a83809124][masterService#updateTask][T#1]","log.logger":"org.elasticsearch.cluster.routing.allocation.DiskThresholdMonitor","elasticsearch.cluster.uuid":"wzlK4-GBTymeP6n_Izf6ZA","elasticsearch.node.id":"Vo4wyn23ReWufzMT2R9n3g","elasticsearch.node.name":"5b4a83809124","elasticsearch.cluster.name":"elasticsearch"}

[matschaffer]

Success! I also had to do this stuff to get your package to show up https://github.com/elastic/integrations/blob/main/docs/developer_workflow_design_build_test_integration.md#build

The elastic-package stack was surprisingly hard to setup. A full docker disk failed in a way that looked like kibana was wrong, I had to import & trust the self-signed SSL cert. Either I'm holding it wrong or we have some work to do there. :)

Oh, and not sure where the kibana logo SVG is from. It's a little different than https://brand.elastic.co/302f66895/p/41ff52-solution-logos/b/14d954/i/11013297 - maybe good to re-import?

[matschaffer]

I see a /usr/share/kibana/logs in the container. Wondering if we should default to that path and update the elastic-package stack bindmounts to go there.

[crespocarlos]

Yeah. Should we also enable Kibana logging by default?

[matschaffer]

Definitely :)

[matschaffer]

I'm guessing we can add "filebeat" processors (like https://www.elastic.co/guide/en/beats/filebeat/current/decode-json-fields.html) to the manifest and have them show up here. Or maybe just put them in this file directly.

Not sure what's in-fashion for packages today regarding reader-vs-ES side processing but personally I like to push as many simple transformations as I can to the collection point. Maybe @mtojek can advise.

[crespocarlos]

I did a quick test and it seems to work. I'll explore it a bit more. It would simplify the pipeline config

[crespocarlos]

It works.

this is all I have for the pipeline:

[
  {
    "remove": {
      "field": "data_stream.dataset",
      "ignore_missing": true
    }
  },
  {
    "remove": {
      "field": "event.dataset",
      "ignore_missing": true
    }
  },
  {
    "set": {
      "description": "Uses event.dataset as a default for data_stream.dataset if the latter is not set.",
      "field": "data_stream.dataset",
      "copy_from": "event.dataset",
      "if": "ctx.event?.dataset instanceof String && ctx.event.dataset.length() > 1",
      "override": false
    }
  },
  {
    "script": {
      "source": "ctx.data_stream.dataset = /[\\/*?\"<>|, #:-]/.matcher(ctx.data_stream.dataset).replaceAll('_')\n",
      "if": "ctx.data_stream?.dataset != null"
    }
  },
  {
    "script": {
      "source": "ctx.data_stream.namespace = /[\\/*?\"<>|, #:]/.matcher(ctx.data_stream.namespace).replaceAll('_')\n",
      "if": "ctx.data_stream?.namespace != null"
    }
  },
  {
    "set": {
      "field": "data_stream.type",
      "value": "logs"
    }
  },
  {
    "set": {
      "field": "data_stream.dataset",
      "value": "kibana-logs",
      "override": false
    }
  },
  {
    "set": {
      "field": "data_stream.namespace",
      "value": "platform-observability",
      "override": false
    }
  },
  {
    "set": {
      "field": "event.dataset",
      "copy_from": "data_stream.dataset"
    }
  },
  {
    "rename": {
      "field": "message",
      "target_field": "event.original",
      "ignore_missing": true
    }
  }
]

[crespocarlos]

A downside of this approach is that the tests are not able to use filebeat processor to parse the logs

[matschaffer]

Another surprise here :) Hoping we can have some integration experts weigh-in. Are we maybe not supposed to use processors anymore?

[mtojek]

I used to follow the rule of thumb. Are you collecting large observability data and is the network loaded? If so, limit those with processors.

[mtojek]

We had a slack chat with @crespocarlos, and decided to go with the ingest pipeline due to code simplicity and convenient use of pipeline tests.

[matschaffer]

Are you collecting large observability data and is the network loaded?

Interesting. Does the end user get to set processors? I'd expect network load to be a factor of deployment size.

[crespocarlos]

I have changed and polished the PoC as I started to understand a bit better how to create integration packages.

Solutions

For kibana/audit logs, the pipeline is configured to parse the json message using filebeat processors. With this approach, I noticed that the tests are not able to properly parse the json using the filebeat processor, but kibana is.

For kibana/logs, I kept the configuration from the previous iteration, using a similar approach as here #2972

The question is: which approach is the best?

Field files

Field files can impact in some ways. If we follow the approach for kibana/logs all fields present in the test scenario files must be documented in order for the tests to pass. New fields produced by the integration must be documented.

During my tests, I noticed that ECS fields parsed from a json object don't necessarily need to be documented in the package and only what's documented in base-fields.yml must be present at all times in order for the pipeline to work

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (2/2)	💚
Files	100.0% (4/4)	💚 2.941
Classes	100.0% (4/4)	💚 2.941
Methods	80.0% (16/20)	👎 -9.251
Lines	88.889% (96/108)	👎 -1.694
Conditionals	100.0% (0/0)	💚

[klacabane]

I've started a doc when playing with Integrations and updated it with some findings from this document https://github.com/elastic/observability-dev/pull/2253. Feel free to add anything you feel relevant :)

[klacabane]

Is this implementation a drop-in replacement for the one we have in the filebeat module ? If we go the single-package route for SM and PO integration, it'll be interesting to align both implementations. Also for a single-package we'll have to carry over all the ingest pipelines for the legacy pipelines as well, unless we decide to only support starting from v8

[crespocarlos]

Good point @klacabane. I focused more on ingesting the ECS log as-is, but there are fields in the existing Kibana package that haven't been ported to this new package and fields from Kibana logs that I didn't remove in this new pipeline. So I'll probably have to align at least the missing fields and/or make sure the new pipeline generates the same expected output.

Since Kibana generates ECS formatted logs starting from V8 (correct me if I'm wrong) I think we'll probably support this new PO package starting from V8

@matschaffer, what's your opinion here?

[matschaffer]

Since Kibana generates ECS formatted logs starting from V8 (correct me if I'm wrong) I think we'll probably support this new PO package starting from V8

I wasn't thinking we'd try to support anything prior to 8 with this package for now. That will get handled by existing modules.

[mtojek]

👍

I didn't review data stream ingestion as I don't have domain-specific knowledge. I will leave it for your team

[matschaffer]

I had a couple of final-polish questions. But overall this is looking pretty good.

I guess once we add ES we'll need to rethink the package logo (maybe just use the elastic "cluster" logo), but at least it's an up-to-date kibana logo for now. Thanks for that :)

[matschaffer]

@jkakavas this feels like it could be risky to log (from a audit kibana log sample). Do you know if we should chase it down, or with whom? Or maybe if you know it's safe already?

[crespocarlos]

why would it be risky in your opinion? By looking at the docs, it seems that it's an id associated with the current login.

[matschaffer]

ah, thanks that helps.

At least this is nothing new so if it's an issue we don't have to fix it in this PR.

I just get a little nervous whenever I see a base64 string in a log stream. Too many occasions when they turned out to be access-providing tokens (like JWT). Hopefully this is just an encoded UUID. 😅

[matschaffer]

I think this is probably good to merge, especially since it's 0.0.1 so shouldn't end up in a released UI (I think).

This is the deepest I've gone into integrations/packages so could be good to have @klacabane or @neptunian give a look too. Either in this PR or the next one.

[matschaffer]

Oh, sorry about the late feedback, but it took an hour for the stack to start today. Seems like this should be kibana.log no? That's what appears in https://www.elastic.co/guide/en/kibana/master/logging-configuration.html anyway

[crespocarlos]

good catch, I've also aligned the audit log file name with what's in Kibana docs

[matschaffer]

🎉