[Logstash] Add CEL native data collection, and dashboards for Pipeline and Pipeline Details

[robbavey]

Proposed commit message

This PR follows on from #7704, and adds data collection to the integration, as well as standard Dashboards for Logstash Pipelines.

The short term goal for this is to enable Logstash to be monitored with Serverless Elasticsearch instances, which do not provide a Stack Monitoring UI, with the long term goal of iterating on this to replace the existing Stack Monitoring UI.

This PR includes 3 new data streams - node_cel, pipelines and plugins, with data collected from the Logstash Metrics API using the CEL input, intended to replace the existing metricbeat collection.

This give us more flexibility going forward, and should improve our velocity to add new features to the Logstash dashboards straight from the API, without needing to update several code bases.

The CEL data streams will create a single document per node for the node_cel data stream, a document per pipeline per node for the pipeline data stream, and a document per plugin per pipeline per node for the plugins data stream. For this reason, we default to a lower sending cadence for the plugins data stream than for the other.

Note that the existing data collection from metricbeat defaults to sending large documents, including significant data for the entire pipeline graph every 10 seconds.

This integration also includes ingest pipelines to clean up the data from the Logstash flow metrics API, to remove entries we don't necessarily need at this stage, and to remove the string representation of "Infinity".

When installing a Logstash integration, users will be presented with an option to collect Metrics for Stack Monitoring or for Technical Preview

(Note: If there was a way to have an either/or option in the UI, that would be very helpful)

The dashboards are described in the Screenshots section.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

• Install elastic-package
• Checkout this PR
• Navigate to the integrations/packages/logstash directory
• Run elastic-package build to build the package
• Run elastic-package stack up to bring up the Elastic stack
• Start an instance of Logstash
• Install the Logstash integration
• Uncheck the Metrics (Stack Monitoring) option
• Check the Metrics (Technical Preview) option
• Click 'Save and Continue' and follow the instructions to enroll the agent

Related issues

Follows on from #7704

Screenshots

Integration Selection Page

Pipelines Dashboard

This Dashboard provides an overview of running pipelines, with a table containing details of pipelines running, which can be drilled down into a "details view"

Proposed Page

This is intended to replace the existing pipelines page in the Stack monitoring solution

Existing Page

The page includes additional details, including Persistent Queue usage per pipeline, and more visibility into which pipelines may be blocked

Pipeline Details Dashboard

The Pipeline Details dashboard takes a different approach to the pipeline details view in stack monitoring

The page includes some general pipeline information, showing the rate of events flowing through the pipelines and state of persistent queues, broken down per node running the pipeline:

Proposed Page

General Information

It also includes information for each plugin type:

Inputs

Filters

Outputs

Codecs

This has benefits and drawbacks compared with the existing approach:

The benefits are:

• More information and more rich drill downs to help track down slow performing plugins
• Can track PQ usage on a per-pipeline and per-node basis

Drawbacks:

• The lack of visual representation may make it more difficult to figure out which plugin is at fault when multiple plugins of the same type are at play
  • Note - this can be mitigated by users including an id in their plugin definition
  • We will be looking to add more information (originating file + line number of plugin) in a subsequent follow-up PR.

Existing Dashboard

The existing dashboard contains a representation of the pipeline graph, which we are not easily able to show using standard Kibana Dashboards

And a small pop-up drilldown for each plugin

Note: This will require a follow-up PR to enable for serverless - the existing integration has some compatibility issues that I would like to fold into a subsequent PR

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-10-09T18:01:25.647+0000

• Duration: 22 min 1 sec

Test stats 🧪

Test	Results
Failed	0
Passed	40
Skipped	0
Total	40

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[robbavey]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (2/2)	💚
Files	100.0% (6/6)	💚
Classes	100.0% (6/6)	💚
Methods	100.0% (55/55)	💚 36.585
Lines	87.558% (190/217)	👎 -12.306
Conditionals	100.0% (0/0)	💚

[andrewkroh]

My personal preference is to name this file based on the input type used like cel.yml.hbs. If you do so, then update the template_path attribute in the manifest.yml.

[andrewkroh]

Suggested change

	fields: ~
	fields:
	- password

[andrewkroh]

But if you switch to using auth.basic then you won't need to redact it or configure the request with the Authorization header manually.

auth:
  basic:
    user: {{escape_string username}}
    password: {{escape_string password}}

[andrewkroh]

I think this needs an elastic-package format.

[robbavey]

I'm going to remove for this now - I will add a follow up PR for serverless/3.0 format compatibility

[andrewkroh]

There's a little inconsistency between node_cel and node_stats. control_group is indexed as text in at packages/logstash/data_stream/node_stats/fields/fields.yml:128:27. Same for the *.cpu.control_group.

That might cause some query/agg issues.

[andrewkroh]

This field is already declared in ecs.yml.

[andrewkroh]

A lot of these fields exist in ECS and should use external: ecs.

Suggested change

	- name: account.id
	type: keyword
	ignore_above: 1024
	description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
	- name: account.id
	external: ecs

I've been working on a tool to fix this automatically. This command will edit the file for you. (I would only use it on a clean workspace so you can review its edits in isolation.)

go run github.com/andrewkroh/fydler@main -fix packages/logstash/data_stream/node_cel/fields/*yml

[efd6]

This can be done more easily withe the basic_authentication extension.

[robbavey]

Is there something I am missing beyond adding auth.basic.user and auth.basic.password blocks eg -

config_version: "2"
interval: {{period}}
resource.url: "{{url}}/_node/stats?graph=true&vertices=true"
{{#if resource_ssl}}
resource.ssl:
  {{resource_ssl}}
{{/if}}

{{#if username}}
auth.basic.user: {{escape_string username}}
{{/if}}
{{#if password}}
auth.basic.password: {{escape_string password}}
{{/if}}

redact:
  fields: ~

program: |
  get_request(state.url)
  .do_request().as(resp, bytes(resp.Body)
:
:

I have tried this a number of times, and I've never seen the Authorization header sent successfully, hence the workarounds applied here.

[efd6]

These and below can be dotted, eg:

Suggested change

	"events":body['events'],
	"jvm":{
	"uptime_in_millis":body['jvm']['uptime_in_millis'],
	"events":body.events,
	"jvm":{
	"uptime_in_millis":body.jvm.uptime_in_millis,

Stylistic only, but slightly lighter on the page.

[efd6]

What is the intention here? It looks to me like you are wanting a single element array with eve as the element. Is that correct?

Suggested change

	"events":eve.map(each, eve),
	"events": [eve],

[robbavey]

In this case, yes - your suggestion works perfectly

[efd6]

Each with call will need to allocate a Go map. I would combine all these into one.

Suggested change

	.with({
	"es_cluster_id":((body.pipelines[pipeline_name].vertices).as(vertices, vertices.map(each, has(each.cluster_uuid), each.cluster_uuid)))
	})
	.with({
	"es_cluster_id_map":((body.pipelines[pipeline_name].vertices).as(vertices, vertices.map(each, has(each.cluster_uuid), {"plugin_id":each.id, "cluster_id":each.cluster_uuid})))
	})
	.with({
	"outputs":body.pipelines[pipeline_name]["plugins"]["outputs"]
	})
	.with({
	"inputs":body.pipelines[pipeline_name]["plugins"]["inputs"]
	})
	.with({
	"filters":body.pipelines[pipeline_name]["plugins"]["filters"]
	})
	.with({
	"codecs":body.pipelines[pipeline_name]["plugins"]["codecs"]
	})
	.with({
	"host":{
	"name":body.name,
	"address":body.http_address,
	}
	})
	.with({
	"es_cluster_id":((body.pipelines[pipeline_name].vertices).as(vertices, vertices.map(each, has(each.cluster_uuid), each.cluster_uuid))),
	"es_cluster_id_map":((body.pipelines[pipeline_name].vertices).as(vertices, vertices.map(each, has(each.cluster_uuid), {"plugin_id":each.id, "cluster_id":each.cluster_uuid}))),
	"outputs":body.pipelines[pipeline_name].plugins.outputs,
	"inputs":body.pipelines[pipeline_name].plugins.inputs,
	"filters":body.pipelines[pipeline_name].plugins.filters,
	"codecs":body.pipelines[pipeline_name].plugins.codecs,
	"host":{
	"name":body.name,
	"address":body.http_address,
	}
	})

Maybe also consider pulling out body.pipelines[pipeline_name].plugins once, before the evaluation here.

(oops, missed the initial with, but you get the idea)

[efd6]

Check to see that you still get what you want with only the final drop_empty (L87) in the expression.

[efd6]

Similar here.

[robbavey]

I think I've addressed most of the comments in the original reviews - apart from the simplified basic_auth, which I have been unable to get working thus far

[efd6]

You can merge these as well.

[efd6]

Suggested change

	"ms":body.pipelines[pipeline_name]["events"]["queue_push_duration_in_millis"],
	"ms":body.pipelines[pipeline_name].events.queue_push_duration_in_millis,

(similar below — quoted bracket indexing is only needed when the key is not a valid CEL token)

[efd6]

This can now be the null case.

Suggested change

	fields:
	- password
	fields: ~

[efd6]

Suggested change

	fields:
	- password
	fields: ~

[efd6]

Suggested change

	"outputs":body.pipelines[pipeline_name]["plugins"]["outputs"],
	"outputs":body.pipelines[pipeline_name].plugins.outputs,

(similar below)

[efd6]

Suggested change

	"elasticsearch.cluster.id":event['es_cluster_id_map'].map(tuple, (tuple.plugin_id == input.id), tuple.cluster_id),
	"elasticsearch.cluster.id":event.es_cluster_id_map.map(tuple, (tuple.plugin_id == input.id), tuple.cluster_id),

(similar below)

[robbavey]

This is ready for another round

[efd6]

Minor nits, then LGTM for the CEL code.

[efd6]

Suggested change

	"elasticsearch.cluster.id":event['es_cluster_id_map'].map(tuple, (tuple.plugin_id == filter.id), tuple.cluster_id),
	"elasticsearch.cluster.id":event.es_cluster_id_map..map(tuple, (tuple.plugin_id == filter.id), tuple.cluster_id),

[robbavey]

This is ready for another round @elastic/infra-monitoring-ui

Note, that this is part of the serverless initiative to enable Logstash monitoring in the absence of a stack monitoring UI

I will be following on this PR with the changes necessary to make this package visible to serverless, which includes changes to the existing integration package

[klacabane]

LGTM!

[IanLee1521]

First off, I just found this and it's AWESOME!

Maybe it's better for me to open a new issue, but just before I do, would it make sense to mark these dashboards with a reference to users needing to switch the integration from Stack Monitoring to Technical Preview?

I just ran in to this where I was trying to look at the [Metrics Logstash] * dashboards and getting errors.

Eventually I found this need to change the integration configuration and now things are working.

Thoughts? Is that worth noting on the dashboards?

[robbavey]

@IanLee1521 First of all, thanks for trying out the new dashboards in technical preview - we love to get feedback on new features we are developing, and we appreciate you trying them out as we refine them. Any further comments would be gratefully received.

I think this should be an issue - as we start to transition to the new way of collecting and presenting data for monitoring, we should be making it clearer how to work with this effectively.

I'm on PTO at the moment, but I can make an issue when I get back, unless you would prefer to create one yourself.

[robbavey]

@IanLee1521 - I've added an issue here. And thanks again for the feedback!