Skip to content

Parse also the port from log sources#9460

Closed
jsoriano wants to merge 1 commit intoelastic:masterfrom
jsoriano:log-source-port
Closed

Parse also the port from log sources#9460
jsoriano wants to merge 1 commit intoelastic:masterfrom
jsoriano:log-source-port

Conversation

@jsoriano
Copy link
Member

@jsoriano jsoriano commented Dec 10, 2018
edited
Loading

If source is a host, and it contains ip and port, it fails
to index after #8902 with an error like:

{"type":"mapper_parsing_exception","reason":"failed to parse field [log.source.ip] of type [ip]","caused_by":{"type":"illegal_argument_exception","reason":"'127.0.0.1:59835' is not an IP string literal."}

It happens at least with the syslog input.

This change parses the source in network inputs so if it
contains a port it is also added to the event in a separate
field.

@jsoriano jsoriano self-assigned this Dec 10, 2018
@jsoriano jsoriano requested a review from ruflin December 10, 2018 10:33
@ruflin
Copy link
Contributor

ruflin commented Dec 10, 2018

I'm wondering if we should call the filed address instead as it could also break if it's hostname like localhost I assume?

This also has an affect on #9435

@jsoriano
Copy link
Member Author

jsoriano commented Dec 10, 2018
edited
Loading

I'm wondering if we should call the filed address instead as it could also break if it's hostname like localhost I assume?

Not sure, I guess this is like the usual discussion about having a field that accepts hostnames or ip. In this case I think this is always an IP, but not sure if under some circunstances this can make inverse lookups.

In any case we can think what to do with the host/ip field in another PR and keep this one only for the port.

@ruflin
Copy link
Contributor

ruflin commented Dec 11, 2018

If we introduce address I wonder if we even have to create ip / port on our end or just can leave it as address? @webmat Perhaps you can chime in here?

@ruflin ruflin mentioned this pull request Dec 11, 2018
Merged
@jsoriano
Copy link
Member Author

jsoriano commented Dec 11, 2018

Oh, you mean using log.source.address instead of log.source.ip to contain host:port and then not adding log.source.port?
address would need to be added to ECS too, right? In ECS I think this can also be confusing because actually and ip is also an address.

@ruflin
Copy link
Contributor

ruflin commented Dec 11, 2018
edited
Loading

For the discussion around address in ECS see: elastic/ecs#247 TL;DR; It's mainly a field for ingestion and should be split up in the processor or later.

For the port: yes, if we use address, I would not add it as a separate field. I see this more as meta information then information that is often queried on.

@jsoriano
Copy link
Member Author

jsoriano commented Dec 11, 2018

Ok, I'm fine with using address then, shall I wait to the ECS issue to be resolved?

@ruflin
Copy link
Contributor

ruflin commented Dec 11, 2018

@jsoriano Yes, should go in latest tonight.

@jsoriano jsoriano mentioned this pull request Dec 11, 2018
Merged
@jsoriano
Copy link
Member Author

jsoriano commented Dec 11, 2018

Created #9487 to go for log.source.address, closing this.

@jsoriano jsoriano closed this Dec 11, 2018
@jsoriano jsoriano deleted the log-source-port branch December 11, 2018 15:23
@narph narph mentioned this pull request Jan 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ruflin ruflin Awaiting requested review from ruflin

Assignees

@jsoriano jsoriano

Labels

bug ecs Filebeat Filebeat review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jsoriano @ruflin