[Amazon MQ] Add support for ActiveMQ general logs (elastic#13136)

* Add activemq general log support

Author: agithomas

packages/aws_mq/_dev/build/docs/README.md

@@ -9,16 +9,35 @@ The Amazon MQ integration allows you to efficiently collect and monitor broker p
 
 **IMPORTANT: Extra AWS charges on API requests will be generated by this integration. Check [API Requests](https://www.elastic.co/docs/current/integrations/aws#aws-api-requests) for more details.**
 
+## Setup
+
+### ActiveMQ
+
+To enable the `activemq_general_logs` integration, you must configure your ActiveMQ broker to publish general logs to Amazon CloudWatch Logs. Follow these steps:
+
+1. **Assign Necessary Permissions**: Ensure the IAM user creating or managing the broker has the `logs:CreateLogGroup` permission. This allows Amazon MQ to create the required log groups in CloudWatch.
+
+2. **Set Up a Resource-Based Policy**: Configure a policy that permits Amazon MQ to publish logs to your CloudWatch log groups. This involves granting `logs:CreateLogStream` and `logs:PutLogEvents` permissions.
+
+3. **Enable Logging on the Broker**:
+
+    - Navigate to the [Amazon MQ console](https://console.aws.amazon.com/amazon-mq/).
+    - During broker creation or by editing an existing broker, expand the **Additional settings** section.
+    - In the **Logs** section, select the option to publish **General logs** to Amazon CloudWatch Logs.
+
+For detailed instructions, refer to the [Amazon MQ Developer Guide](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html#security-logging-monitoring-configure-cloudwatch-structure).
+
 ## Compatibility
 
 This integration presently supports Amazon MQ for [Apache ActiveMQ](http://activemq.apache.org/) and [RabbitMQ](https://www.rabbitmq.com/) metrics.
 
 ## Data streams
 
-The Amazon MQ integration collects Apache ActiveMQ and RabbitMQ metrics. 
+The Amazon MQ integration collects metrics and logs from Apache ActiveMQ and metrics from RabbitMQ.
 
 
 Data streams:
+ - `activemq_general_logs`: Collects ActiveMQ general logs, including system events, warnings, and errors, which are published to a designated Amazon CloudWatch log group. 
  - `activemq_metrics`: Collects broker metrics and destination (queue and topic) metrics.
  - `rabbitmq_metrics`: Collects broker, queue and node metrics.
 
@@ -46,6 +65,14 @@ documentation](https://docs.elastic.co/integrations/aws#requirements).
   data to Elastic, where the events will then be processed through the
   integration's ingest pipelines.
 
+## Logs
+
+### Collecting Amazon MQ ActiveMQ General Logs from CloudWatch
+
+When general logging is enabled for your Amazon MQ ActiveMQ broker, it publishes the `activemq.log` file at the default `INFO` logging level to a designated log group. Please note that `DEBUG` logging is not supported.
+
+{{event "activemq_general_logs"}}
+{{fields "activemq_general_logs"}}
 
 ## Metrics
 

packages/aws_mq/changelog.yml

@@ -1,3 +1,8 @@
+- version: "0.5.0"
+  changes:
+    - description: Add activemq_general_logs dataset for ActiveMQ general logs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13136
 - version: "0.4.0"
   changes:
     - description: Add RabbitMQ overview dashboard.

packages/aws_mq/data_stream/activemq_general_logs/_dev/test/pipeline/test-amazonmq-activemq-general.log

@@ -0,0 +1,2 @@
+2025-03-15 13:47:13,382 | WARN  | Exception occurred for client ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7 (tcp://127.0.0.1:63868) processing: STOMP -> java.lang.SecurityException: User name [elastic] or password is invalid. | org.apache.activemq.transport.stomp.ProtocolConverter | ActiveMQ Transport: ssl:///127.0.0.1:63868
+2025-03-15 13:47:13,381 | WARN  | Failed to add Connection id=ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7, clientId=ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7, clientIP=tcp://127.0.0.1:63868 due to User name [elastic] or password is invalid. | org.apache.activemq.broker.TransportConnection | ActiveMQ Transport: ssl:///127.0.0.1:63868

packages/aws_mq/data_stream/activemq_general_logs/_dev/test/pipeline/test-amazonmq-activemq-general.log-expected.json

@@ -0,0 +1,68 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-03-15T13:47:13.382Z",
+            "activemq": {
+                "log": {
+                    "caller": "org.apache.activemq.transport.stomp.ProtocolConverter",
+                    "thread": "ActiveMQ Transport: ssl:///127.0.0.1:63868"
+                }
+            },
+            "cloud": {
+                "provider": "aws",
+                "service": {
+                    "name": "amazonmq_activemq"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "original": "2025-03-15 13:47:13,382 | WARN  | Exception occurred for client ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7 (tcp://127.0.0.1:63868) processing: STOMP -> java.lang.SecurityException: User name [elastic] or password is invalid. | org.apache.activemq.transport.stomp.ProtocolConverter | ActiveMQ Transport: ssl:///127.0.0.1:63868",
+                "type": [
+                    "error"
+                ]
+            },
+            "log": {
+                "level": "WARN"
+            },
+            "message": "Exception occurred for client ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7 (tcp://127.0.0.1:63868) processing: STOMP -> java.lang.SecurityException: User name [elastic] or password is invalid.",
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ]
+        },
+        {
+            "@timestamp": "2025-03-15T13:47:13.381Z",
+            "activemq": {
+                "log": {
+                    "caller": "org.apache.activemq.broker.TransportConnection",
+                    "thread": "ActiveMQ Transport: ssl:///127.0.0.1:63868"
+                }
+            },
+            "cloud": {
+                "provider": "aws",
+                "service": {
+                    "name": "amazonmq_activemq"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "original": "2025-03-15 13:47:13,381 | WARN  | Failed to add Connection id=ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7, clientId=ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7, clientIP=tcp://127.0.0.1:63868 due to User name [elastic] or password is invalid. | org.apache.activemq.broker.TransportConnection | ActiveMQ Transport: ssl:///127.0.0.1:63868",
+                "type": [
+                    "error"
+                ]
+            },
+            "log": {
+                "level": "WARN"
+            },
+            "message": "Failed to add Connection id=ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7, clientId=ID:b-cfab2617-b6fb-4a44-bd7a-052aa4cd96f4-1-45943-1741903831778-5:7, clientIP=tcp://127.0.0.1:63868 due to User name [elastic] or password is invalid.",
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ]
+        }
+    ]
+}

packages/aws_mq/data_stream/activemq_general_logs/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,5 @@
+---
+fields:
+  tags:
+    - preserve_original_event
+    - preserve_duplicate_custom_fields

packages/aws_mq/data_stream/activemq_general_logs/agent/stream/aws-cloudwatch.yml.hbs

@@ -0,0 +1,103 @@
+{{#unless log_group_name}}
+{{#unless log_group_name_prefix}}
+{{#if log_group_arn }}
+log_group_arn: {{ log_group_arn }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+{{#unless log_group_name}}
+{{#if log_group_name_prefix }}
+log_group_name_prefix: {{ log_group_name_prefix }}
+{{/if}}
+{{#if include_linked_accounts_with_prefix }}
+include_linked_accounts_for_prefix_mode: {{ include_linked_accounts_with_prefix }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+{{#unless log_group_name_prefix}}
+{{#if log_group_name }}
+log_group_name: {{ log_group_name }}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+{{#unless log_group_arn}}
+region_name: {{ region_name }}
+{{/unless}}
+
+{{#unless log_stream_prefix}}
+{{#if log_streams }}
+log_streams: {{ log_streams }}
+{{/if}}
+{{/unless}}
+
+{{#unless log_streams}}
+{{#if log_stream_prefix }}
+log_stream_prefix: {{ log_stream_prefix }}
+{{/if}}
+{{/unless}}
+
+{{#if start_position }}
+start_position: {{ start_position }}
+{{/if}}
+
+{{#if scan_frequency }}
+scan_frequency: {{ scan_frequency }}
+{{/if}}
+
+{{#if api_sleep }}
+api_sleep: {{ api_sleep }}
+{{/if}}
+
+{{#if latency }}
+latency: {{ latency }}
+{{/if}}
+{{#if number_of_workers }}
+number_of_workers: {{ number_of_workers }}
+{{/if}}
+
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if default_region}}
+default_region: {{default_region}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/aws_mq/data_stream/activemq_general_logs/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,84 @@
+---
+description: Pipeline for ActiveMQ general logs in AmazonMQ.
+processors:
+  - rename:
+      field: message
+      target_field: event.original
+      if: 'ctx.event?.original == null'
+      description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.'
+  - remove:
+      field: message
+      ignore_missing: true
+      if: ctx.event?.original != null
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
+  - set:
+      field: ecs.version
+      value: 8.11.0
+  - set:
+      field: cloud.service.name
+      value: amazonmq_activemq
+  - set:
+      field: cloud.provider
+      value: aws
+  - grok:
+      field: event.original
+      pattern_definitions:
+        GREEDYMULTILINE: "(.|\\n|\\t)*"
+        NOPIPEGREEDYDATA: "(\\n|(?! \\|).)*"
+        THREAD_NAME: "((?! \n).)*"
+        TIMESTAMP_DATA: "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND},%{NUMBER}"
+      patterns:
+        - "%{TIMESTAMP_DATA:timestamp}%{SPACE}\\|%{SPACE}%{LOGLEVEL:log.level}%{SPACE}\\|%{SPACE}%{NOPIPEGREEDYDATA:message}%{SPACE}\\|%{SPACE}%{NOPIPEGREEDYDATA:activemq.log.caller}%{SPACE}\\|%{SPACE}%{THREAD_NAME:activemq.log.thread}%{SPACE}%{GREEDYMULTILINE:error.stack_trace}"
+      ignore_missing: true
+  - date:
+      if: "ctx.event.timezone == null"
+      field: timestamp
+      target_field: "@timestamp"
+      formats: ["yyyy-MM-dd HH:mm:ss,SSS"]
+  - date:
+      if: "ctx.event.timezone != null"
+      field: timestamp
+      target_field: "@timestamp"
+      timezone: "{{{ event.timezone }}}"
+      formats: ["yyyy-MM-dd HH:mm:ss,SSS"]
+  - remove:
+      field:
+        - timestamp
+  - script:
+      if: "ctx.log?.level != null"
+      lang: painless
+      source: >-
+        def err_levels = ["FATAL", "ERROR", "WARN"];
+        if (err_levels.contains(ctx.log.level)) {
+          ctx.event.type = ["error"];
+        } else {
+          ctx.event.type = ["info"];
+        }
+  - script:
+      description: Drops null/empty values recursively
+      lang: painless
+      ignore_failure: true
+      source: |
+        boolean drop(Object o) {
+          if (o == null || o == "") {
+            return true;
+          } else if (o instanceof Map) {
+            ((Map) o).values().removeIf(v -> drop(v));
+            return (((Map) o).size() == 0);
+          } else if (o instanceof List) {
+            ((List) o).removeIf(v -> drop(v));
+            return (((List) o).length == 0);
+          }
+          return false;
+        }
+        drop(ctx);
+on_failure:
+  - set:
+      field: event.kind
+      value: pipeline_error
+  - set:
+      field: error.message
+      value: >-
+        Processor '{{{ _ingest.on_failure_processor_type }}}'
+        {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+        {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'

packages/aws_mq/data_stream/activemq_general_logs/fields/agent.yml

@@ -0,0 +1,29 @@
+- name: cloud
+  type: group
+  fields:
+    - name: image.id
+      type: keyword
+      description: Image ID for the cloud instance.
+- name: host
+  type: group
+  fields:
+    - name: containerized
+      type: boolean
+      description: >
+        If the host is a container.
+
+    - name: os.build
+      type: keyword
+      example: "18D109"
+      description: >
+        OS build information.
+
+    - name: os.codename
+      type: keyword
+      example: "stretch"
+      description: >
+        OS codename, if any.
+
+- name: input.type
+  type: keyword
+  description: Type of Filebeat input.

packages/aws_mq/data_stream/activemq_general_logs/fields/base-fields.yml

@@ -0,0 +1,16 @@
+- name: data_stream.type
+  external: ecs
+- name: data_stream.dataset
+  external: ecs
+- name: data_stream.namespace
+  external: ecs
+- name: "@timestamp"
+  external: ecs
+- name: event.module
+  type: constant_keyword
+  external: ecs
+  value: aws
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: aws_mq.activemq_general_logs

packages/aws_mq/data_stream/activemq_general_logs/fields/fields.yml

@@ -0,0 +1,9 @@
+- name: activemq.log
+  type: group
+  fields:
+    - name: caller
+      type: keyword
+      description: Name of the caller issuing the logging request (class or resource).
+    - name: thread
+      type: keyword
+      description: Thread that generated the logging event.

packages/aws_mq/data_stream/activemq_general_logs/fields/input.yml

@@ -0,0 +1,7 @@
+- name: aws.cloudwatch
+  type: group
+  fields:
+    - name: message
+      type: text
+      description: |
+        CloudWatch log message.