Merge branch '14707-filebeat-parse-modsec-logs-as-json' into 'master'

Update filebeat managed app to parse modsec logs as JSON See merge request gitlab-org/gitlab!24836

Merge branch '14707-filebeat-parse-modsec-logs-as-json' into 'master'
Update filebeat managed app to parse modsec logs as JSON See merge request gitlab-org/gitlab!24836
10b04c00 · Douglas Barbosa Alexandre · a0c008dc · dbc82d41 · 10b04c00 · 10b04c00
Commit 10b04c00 authored Feb 17, 2020 by Douglas Barbosa Alexandre
Showing with 28 additions and 0 deletions

changelogs/unreleased/14707-filebeat-parse-modsec-logs-as-json.yml ...s/unreleased/14707-filebeat-parse-modsec-logs-as-json.yml +5 -0

vendor/elastic_stack/values.yaml vendor/elastic_stack/values.yaml +23 -0

No files found.
--- a/changelogs/unreleased/14707-filebeat-parse-modsec-logs-as-json.yml
+++ b/changelogs/unreleased/14707-filebeat-parse-modsec-logs-as-json.yml
+---
+title: Parse filebeat modsec logs as JSON
+merge_request: 24836
+author:
+type: changed
--- a/vendor/elastic_stack/values.yaml
+++ b/vendor/elastic_stack/values.yaml
@@ -23,6 +23,29 @@ filebeat:
    output.elasticsearch:
      enabled: true
      hosts: ["http://elastic-stack-elasticsearch-client:9200"]
+    filebeat.prospectors:
+    - type: log
+      enabled: true
+      paths:
+        - /var/log/*.log
+        - /var/log/messages
+        - /var/log/syslog
+    - type: docker
+      containers.ids:
+      - "*"
+      json.keys_under_root: true
+      json.ignore_decoding_error: true
+      processors:
+        - add_kubernetes_metadata:
+        - drop_event:
+            when:
+              equals:
+                kubernetes.container.name: "filebeat"
+        - decode_json_fields:
+            fields: ["message"]
+            when:
+              equals:
+                kubernetes.container.name: "modsecurity-log"
 fluentd:
  enabled: false