-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Log raw events to a separate log file #4549
base: main
Are you sure you want to change the base?
Conversation
This pull request is now in conflicts. Could you fix it? 🙏
|
This pull request does not have a backport label. Could you fix it @belimawr? 🙏
NOTE: |
09d6ef8
to
2e1fa45
Compare
This pull request is now in conflicts. Could you fix it? 🙏
|
2e1fa45
to
86a7b1c
Compare
This pull request is now in conflicts. Could you fix it? 🙏
|
4141bab
to
5a51e88
Compare
Pinging @elastic/elastic-agent (Team:Elastic-Agent) |
@bturquet could we please have someone to review here? |
ea58b66
to
c880414
Compare
Co-authored-by: Paolo Chilà <[email protected]>
ZipLogsWithPath needs to exclude the folder 'events', so we cannot suffix it with '/'. Comments explaining the situation are also added. zipLogsAndAssertFiles now calls t.Helper().
Stop calling `paths.SetTop()` in the diagnostics test. This refactoring makes arguments and fields instead of modifying the global state starting from the test in `internal/pkg/diagnostics/diagnostics_test.go` up to the cobra command.
c880414
to
a9c266f
Compare
Quality Gate passedIssues Measures |
What does this PR do?
This commit introduces a new logger core, used when collecting logs from sub process, that can be configured through
logging.event_data
and is used to log any message that contains the whole event or could contain any sensitive data. This is accomplished by addinglog.type
: event to the log entry. The logger core is responsible for filtering the log entries and directing them to the correct files.Why is it important?
Some Beats outputs will log raw event data on certain types of errors, events can contain sensitive information that should not be present in the log files. This PR address this problem by logging event data to a separate log file.
Checklist
./changelog/fragments
using the changelog toolAuthor's Checklist
elastic-agent.reference.yml
elastic-agent logs
should handle the event log filemock-es
once Move themain
package tocmd/mock-es
so the API can be imported by other packages leehinman/mock-es#1 is mergedmain
once https://github.com/Usego install
instead ofgo get
#4672 is mergedThe diagnostics command
The diagnostics collect command will by default collect all events log files, there is a flag to opt out of this behaviour that can both: be passed via CLI or Fleet Action.
The logs command
The logs command can also read the events log files, it creates two streams for reading logs, one for the events logs and another for the normal logs, they share the same settings, but the line count is independent, i.e, if you set
-n 10
, each stream will read 10 lines.When reading a number of lines, not in follow mode, both streams will get mixed up and the entries might not be completely ordered by time.
When in follow mode and as new lines are added, the streams will be correctly ordered.
How to test this PR locally
/tmp/flog.log
with a few lines, the data is not importantTo create ingest failures the easiest way is to close the write index from the datastream, to do that go to Kibana -> Dev Tools
To get the backing index for a datastream:
This will return something like:
Take note of the index_name
.ds-logs-generic-default-2024.01.22-000001
.Close this index:
/tmp/flog.log
data/elastic-agent-<hash>/logs/events
the file name is something likeelastic-agent-events-data-20240125.ndjson
. You should see a log entry like this one:Note the
"log.type": "event"
and that this log entry is not present in other log files or the logs that go to stdout/stderr.Related issues
Error: failed to run msiextract: exec: "msiextract": executable file not found in %PATH% (output: )
golang-crossbuild#400## Use cases## Screenshots## LogsQuestions to ask yourself