debugd: Use very basic JSON regex filter before JSON filter

2025-01-22 21:31:14 -05:00 · 2023-03-20 11:33:51 +01:00 · 2023-03-20 11:33:51 +01:00 · 3fceb2207d
commit 3fceb2207d
parent 6f16e0b6fd
1 changed files with 24 additions and 18 deletions
--- a/debugd/internal/debugd/logcollector/logstash/templates/pipeline.conf
+++ b/debugd/internal/debugd/logcollector/logstash/templates/pipeline.conf
@ -28,25 +28,31 @@ filter {

    # Parse structured logs for following systemd units.
    if [systemd][unit] in ["bootstrapper.service", "constellation-bootstrapper.service"] {
-        json {
-            source => "message"
-            target => "logs"
-            skip_on_invalid_json => true
-        }
-        date {
-            match => [ "[logs][ts]", "ISO8601" ]
-        }
-        mutate {
-            replace => {
-                "message" => "%{[logs][msg]}"
+        # skip_on_invalid_json below does not skip the whole filter, so let's use a cheap workaround here.
+        # See:
+        # https://discuss.elastic.co/t/skip-on-invalid-json-skipping-all-filters/215195
+        # https://discuss.elastic.co/t/looking-for-a-way-to-detect-json/102263
+        if [message] =~ "\A\{.+\}\z" {
+            json {
+                source => "message"
+                target => "logs"
+                skip_on_invalid_json => true
+            }
+            date {
+                match => [ "[logs][ts]", "ISO8601" ]
+            }
+            mutate {
+                replace => {
+                    "message" => "%{[logs][msg]}"
+                }
+                remove_field => [
+                    "[logs][msg]",
+                    "[logs][ts]"
+                ]
+            }
+            de_dot {
+                fields => ["[logs][peer.address]"]
            }
-            remove_field => [
-                "[logs][msg]",
-                "[logs][ts]"
-            ]
-        }
-        de_dot {
-            fields => ["[logs][peer.address]"]
        }
    }
 }