GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → vanilla → fluent-plugin-burrow

vanilla / fluent-plugin-burrow

Licence: MIT license
This plugin for Fluentd allows to extract a single key from an existing record and re-parse it with a supplied format.

Programming Languages

ruby
36898 projects - #4 most used programming language

Labels

operations

Projects that are alternatives of or similar to fluent-plugin-burrow

Control Tower
Deploy and operate Concourse CI in a single command
Stars: ✭ 105 (+556.25%)
Mutual labels:  operations
terraform-google-bootstrap
Bootstraps Terraform usage and related CI/CD in a new Google Cloud organization
Stars: ✭ 152 (+850%)
Mutual labels:  operations
terraform-google-slo
Creates SLOs on Google Cloud from custom Stackdriver metrics capability to export SLOs to Google Cloud services and other systems
Stars: ✭ 59 (+268.75%)
Mutual labels:  operations
Reckoner
Declaratively install and manage multiple Helm chart releases
Stars: ✭ 177 (+1006.25%)
Mutual labels:  operations
Akka Management
Akka Management is a suite of tools for operating Akka Clusters.
Stars: ✭ 218 (+1262.5%)
Mutual labels:  operations
VAOS
Virtual Aviation Operations System
Stars: ✭ 44 (+175%)
Mutual labels:  operations
Recurring Integrations Scheduler
Recurring Integrations Scheduler (RIS) is a solution that can be used in file-based integration scenarios for Dynamics 365 Finance and Dynamics 365 Supply Chain Management.
Stars: ✭ 96 (+500%)
Mutual labels:  operations
sqlops-widgets
SQL Operations Studio Dashboard Widgets - including Always ON
Stars: ✭ 22 (+37.5%)
Mutual labels:  operations
crowbar-core
Core deployment for Crowbar
Stars: ✭ 16 (+0%)
Mutual labels:  operations
cloudstackOps
Handy tools to operate a CloudStack cloud
Stars: ✭ 47 (+193.75%)
Mutual labels:  operations
Cloud Ops Sandbox
Cloud Operations Sandbox is an open source tool that helps practitioners to learn Service Reliability Engineering practices from Google and apply them on their cloud services using Cloud Operations suite of tools.
Stars: ✭ 191 (+1093.75%)
Mutual labels:  operations
Flow
Operation Oriented Programming in Swift
Stars: ✭ 215 (+1243.75%)
Mutual labels:  operations
PSRemotely
Remote operations validation framework, exposes a DSL to wrap existing Pester/PoshSpec based validation tests.
Stars: ✭ 45 (+181.25%)
Mutual labels:  operations
Juju
Universal Operator Lifecycle Manager (OLM) for Kubernetes operators, and operators for traditional Linux and Windows apps, with declarative integration between operators for automated microservice integration.
Stars: ✭ 1,942 (+12037.5%)
Mutual labels:  operations
operational-review-docs
PagerDuty's public operational review documentation.
Stars: ✭ 19 (+18.75%)
Mutual labels:  operations
Honcho
Honcho: a python clone of Foreman. For managing Procfile-based applications.
Stars: ✭ 1,395 (+8618.75%)
Mutual labels:  operations
documentation
BHoM Docs
Stars: ✭ 69 (+331.25%)
Mutual labels:  operations
BLUELAY
Searches online paste sites for certain search terms which can indicate a possible data breach.
Stars: ✭ 24 (+50%)
Mutual labels:  operations
factbeat
Ship Facter facts to Elasticsearch or Logstash.
Stars: ✭ 13 (-18.75%)
Mutual labels:  operations
trento
An open cloud-native web console improving on the work day of SAP Applications administrators.
Stars: ✭ 35 (+118.75%)
Mutual labels:  operations
View All Similar Projects ➔

fluent-plugin-burrow

Open Issues Pull Requests Gem Downloads

This plugin for Fluentd allows extracting a single key from an existing record and re-parsing it with a supplied format. A new event is then emitted, with the record modified by the now-decoded key's value.

Motivation

out_burrow is designed to allow post-facto re-parsing of nested key elements.

For example, lets say your source application writes to syslog, but instead of plain string messages, it writes JSON encoded data. /var/log/syslog contains the following entry:

Jun 17 21:16:22 app1 5012162: {"event":"csrf_failure","msg":"Invalid transient key for System.","username":"System","userid":"1","ip":"192.34.93.74","method":"GET","domain":"http://timgunter.ca","path":"/dashboard/settings","tags":["csrf","failure"],"accountid":5009392,"siteid":5012162}

In td-agent.conf, you might have something like this to read this event:

<source>
    type syslog
    port 5140
    bind 127.0.0.1
    tag raw.app.vanilla.events
</source>

Unfortunately, in_syslog does not understand that the message field is encoded with JSON, so it escapes all the data and makes it unusable down the line. If we piped these events to a file, we would see something like this:

2014-06-17T21:16:22Z	raw.app.vanilla.events.local0.err	{"host":"app1","ident":"5012162","message":"{\"event\":\"csrf_failure\",\"msg\":\"Invalid transient key for System.\",\"username\":\"System\",\"userid\":\"1\",\"ip\":\"192.34.93.74\",\"method\":\"GET\",\"domain\":\"http://timgunter.ca\",\"path\":\"/dashboard/authentication\",\"tags\":[\"csrf\",\"failure\"],\"accountid\":5009392,\"siteid\":5012162}"}

Note how the message field has been escaped. This means that when this event eventually makes its way to a file, or another system (like elasticsearch for example), it will not be ready for consumption. That's where out_burrow comes in.

Adding the following match block to td-agent.conf allows us to intercept the raw syslog events and re-parse the message field as JSON:

<match raw.app.vanilla.events.**>
    type burrow
    key_name message
    action inplace
    remove_prefix raw
    format json
</match>

There are several components to this rule, but for now lets look at the output:

2014-06-17T21:16:23Z	app.vanilla.events.local0.err	{"host":"app1","ident":"5012162","message":{"event":"csrf_failure","msg":"Invalid transient key for System.","username":"System","userid":"1","ip":"192.34.93.74","method":"GET","domain":"http://timgunter.ca","path":"/dashboard/settings/mobilethemes","tags":["csrf","failure"],"accountid":5009392,"siteid":5012162}}

Now the JSON is no longer escaped, and can be easily parsed by both fluentd and elasticsearch.

Settings

key_name

required

This is the name of the key we want to examine and re-parse, and is required.

format

required

This is format that Fluentd should expect the key_name field to be encoded with. out_burrow supports the same built-in format as Fluent::TextParser (and in_tail):

  • apache
  • apache2
  • nginx
  • syslog
  • json
  • csv
  • tsv
  • ltsv

tag

optional

When this event is re-emitted, change its tag to this setting's value.

remove_prefix

optional

When this event is re-emitted, remove this prefix from the source tag and use the resulting string as the new event's tag. This setting automatically adds a trailing period . to its value before stripping.

add_prefix

optional

When this event is re-emitted, prepend this prefix to the source tag and use the resulting string as the new event's tag. This setting automatically adds a trailing period . to its value before prepending.

One of the tag, remove_prefix, or add_prefix settings is required. remove_prefix and add_prefix can co-exist together.

action

optional and defaults to inplace

The value of this setting determines how the new event will be constructed. There are three distinct options here:

  • inplace

Perform decoding 'in place'. When the key_name field is successfully parsed, its contents will be written back to its original key in the original record, which will then be re-emitted.

  • overlay

Overlay decoded data on top of original record, and re-emit. In our example above, if 'overlay' was used instead of 'inplace', the resulting record would have been:

{
    "host":"app1",
    "ident":"5012162",
    "event":"csrf_failure",
    "msg":"Invalid transient key for System.",
    "username":"System",
    "userid":"1",
    "ip":"192.34.93.74",
    "method":"GET",
    "domain":"http://timgunter.ca",
    "path":"/dashboard/settings",
    "tags":["csrf","failure"],
    "accountid":5009392,
    "siteid":5012162
}
  • replace

Replace the original entirely with the contents of the decoded field. In our example above, if 'replace' was used instead of 'inplace', the resulting record would have been:

{
    "event":"csrf_failure",
    "msg":"Invalid transient key for System.",
    "username":"System",
    "userid":"1",
    "ip":"192.34.93.74",
    "method":"GET",
    "domain":"http://timgunter.ca",
    "path":"/dashboard/settings",
    "tags":["csrf","failure"],
    "accountid":5009392,
    "siteid":5012162
}
  • prefix

Insert the decoded data in the original record, using the data_prefix key. In our example above, if 'prefix' was used instead of 'inplace' with 'data_prefix' = 'data', the resulting record would have been:

{
    "host":"app1",
    "ident":"5012162",
    "data": {
        "event":"csrf_failure",
        "msg":"Invalid transient key for System.",
        "username":"System",
        "userid":"1",
        "ip":"192.34.93.74",
        "method":"GET",
        "domain":"http://timgunter.ca",
        "path":"/dashboard/settings",
        "tags":["csrf","failure"],
        "accountid":5009392,
        "siteid":5012162
    }
}

data_prefix

required if you use 'action' = 'prefix' (defaults to nil)

The prefix used to insert the decoded data in the message.

keep_key

optional and defaults to false

Keep original source key (only valid with 'overlay' and 'replace' actions). When this is true, the original encoded source key is retained in the output.

keep_time

optional and defaults to false

Keep the original record's "time" key. If the original top level record contains a

record_time_key

optional and defaults to time

If keep_time is true, this field specifies the key that contains the original records's time. The value of this key will be copied into the new record after it has been parsed.

time_key

optional and defaults to time

When the key_name field's value is being parsed, look for this key and interpret it as the record's time key.

time_format

optional and defaults to nil

When parsing the key_name field's value and if time_key is set, this field denotes the format to expect the time to be in.

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

If you have a question, open an Issue.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].