Add additional log.syslog fields (#1793)

- Add additional fields for RFC 5424 messages (log.syslog.version,
log.syslog.msgid, log.syslog.data)
- Add log.syslog.hostname, log.syslog.appname, and log.syslog.procid
for hostname, process name, and process ID fields present in syslog
messages, respectively. These fields are added since it is not always
known that user wants these values copied to the more general ECS fields
(host.hostname, process.name, process.pid).
- Updating changelog entry to 8.2

Co-authored-by: Kylie Geller <[email protected]>

Author: taylor-swanson

CHANGELOG.next.md

@@ -47,6 +47,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * Add beta `container.*` metric fields. #1789
+* Add six new syslog fields to `log.syslog.*`. #1793
 
 #### Improvements
 

docs/fields/field-details.asciidoc

@@ -5411,6 +5411,22 @@ type: object
 
 
 
+| extended
+
+// ===============================================================
+
+|
+[[field-log-syslog-appname]]
+<<field-log-syslog-appname, log.syslog.appname>>
+
+| The device or application that originated the Syslog message, if available.
+
+type: keyword
+
+
+
+example: `sshd`
+
 | extended
 
 // ===============================================================
@@ -5449,6 +5465,38 @@ example: `local7`
 
 // ===============================================================
 
+|
+[[field-log-syslog-hostname]]
+<<field-log-syslog-hostname, log.syslog.hostname>>
+
+| The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.
+
+type: keyword
+
+
+
+example: `example-host`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-log-syslog-msgid]]
+<<field-log-syslog-msgid, log.syslog.msgid>>
+
+| An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages.
+
+type: keyword
+
+
+
+example: `ID47`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-log-syslog-priority]]
 <<field-log-syslog-priority, log.syslog.priority>>
@@ -5467,6 +5515,22 @@ example: `135`
 
 // ===============================================================
 
+|
+[[field-log-syslog-procid]]
+<<field-log-syslog-procid, log.syslog.procid>>
+
+| The process name or ID that originated the Syslog message, if available.
+
+type: keyword
+
+
+
+example: `12345`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-log-syslog-severity-code]]
 <<field-log-syslog-severity-code, log.syslog.severity.code>>
@@ -5503,6 +5567,38 @@ example: `Error`
 
 // ===============================================================
 
+|
+[[field-log-syslog-structured-data]]
+<<field-log-syslog-structured-data, log.syslog.structured_data>>
+
+| Structured data expressed in RFC 5424 messages, if available. These are key-value pairs formed from the structured data portion of the syslog message, as defined in RFC 5424 Section 6.3.
+
+type: flattened
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-log-syslog-version]]
+<<field-log-syslog-version, log.syslog.version>>
+
+| The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.
+
+type: keyword
+
+
+
+example: `1`
+
+| extended
+
+// ===============================================================
+
 |=====
 
 

experimental/generated/beats/fields.ecs.yml

@@ -3837,6 +3837,14 @@
       type: object
       description: The Syslog metadata of the event, if the event was transmitted
         via Syslog. Please see RFCs 5424 or 3164.
+    - name: syslog.appname
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The device or application that originated the Syslog message, if
+        available.
+      example: sshd
+      default_field: false
     - name: syslog.facility.code
       level: extended
       type: long
@@ -3852,6 +3860,25 @@
       ignore_above: 1024
       description: The Syslog text-based facility of the log event, if available.
       example: local7
+    - name: syslog.hostname
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The hostname, FQDN, or IP of the machine that originally sent the
+        Syslog message. This is sourced from the hostname field of the syslog header.
+        Depending on the environment, this value may be different from the host that
+        handled the event, especially if the host handling the events is acting as
+        a collector.
+      example: example-host
+      default_field: false
+    - name: syslog.msgid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: An identifier for the type of Syslog message, if available. Only
+        applicable for RFC 5424 messages.
+      example: ID47
+      default_field: false
     - name: syslog.priority
       level: extended
       type: long
@@ -3861,6 +3888,13 @@
         According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
         This number is therefore expected to contain a value between 0 and 191.'
       example: 135
+    - name: syslog.procid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The process name or ID that originated the Syslog message, if available.
+      example: 12345
+      default_field: false
     - name: syslog.severity.code
       level: extended
       type: long
@@ -3882,6 +3916,21 @@
         If the event source does not specify a distinct severity, you can optionally
         copy the Syslog severity to `log.level`.'
       example: Error
+    - name: syslog.structured_data
+      level: extended
+      type: flattened
+      description: Structured data expressed in RFC 5424 messages, if available. These
+        are key-value pairs formed from the structured data portion of the syslog
+        message, as defined in RFC 5424 Section 6.3.
+      default_field: false
+    - name: syslog.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The version of the Syslog protocol specification. Only applicable
+        for RFC 5424 messages.
+      example: 1
+      default_field: false
   - name: network
     title: Network
     group: 2

experimental/generated/csv/fields.csv

@@ -411,11 +411,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.3.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
 8.3.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
 8.3.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata
+8.3.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message.
 8.3.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
 8.3.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+8.3.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message.
+8.3.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message.
 8.3.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+8.3.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message.
 8.3.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
 8.3.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+8.3.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages.
+8.3.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version.
 8.3.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name.
 8.3.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
 8.3.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.

experimental/generated/ecs/ecs_flat.yml

@@ -5453,6 +5453,17 @@ log.syslog:
   normalize: []
   short: Syslog metadata
   type: object
+log.syslog.appname:
+  dashed_name: log-syslog-appname
+  description: The device or application that originated the Syslog message, if available.
+  example: sshd
+  flat_name: log.syslog.appname
+  ignore_above: 1024
+  level: extended
+  name: syslog.appname
+  normalize: []
+  short: The device or application that originated the Syslog message.
+  type: keyword
 log.syslog.facility.code:
   dashed_name: log-syslog-facility-code
   description: 'The Syslog numeric facility of the log event, if available.
@@ -5478,6 +5489,32 @@ log.syslog.facility.name:
   normalize: []
   short: Syslog text-based facility of the event.
   type: keyword
+log.syslog.hostname:
+  dashed_name: log-syslog-hostname
+  description: The hostname, FQDN, or IP of the machine that originally sent the Syslog
+    message. This is sourced from the hostname field of the syslog header. Depending
+    on the environment, this value may be different from the host that handled the
+    event, especially if the host handling the events is acting as a collector.
+  example: example-host
+  flat_name: log.syslog.hostname
+  ignore_above: 1024
+  level: extended
+  name: syslog.hostname
+  normalize: []
+  short: The host that originated the Syslog message.
+  type: keyword
+log.syslog.msgid:
+  dashed_name: log-syslog-msgid
+  description: An identifier for the type of Syslog message, if available. Only applicable
+    for RFC 5424 messages.
+  example: ID47
+  flat_name: log.syslog.msgid
+  ignore_above: 1024
+  level: extended
+  name: syslog.msgid
+  normalize: []
+  short: An identifier for the type of Syslog message.
+  type: keyword
 log.syslog.priority:
   dashed_name: log-syslog-priority
   description: 'Syslog numeric priority of the event, if available.
@@ -5492,6 +5529,17 @@ log.syslog.priority:
   normalize: []
   short: Syslog priority of the event.
   type: long
+log.syslog.procid:
+  dashed_name: log-syslog-procid
+  description: The process name or ID that originated the Syslog message, if available.
+  example: 12345
+  flat_name: log.syslog.procid
+  ignore_above: 1024
+  level: extended
+  name: syslog.procid
+  normalize: []
+  short: The process name or ID that originated the Syslog message.
+  type: keyword
 log.syslog.severity.code:
   dashed_name: log-syslog-severity-code
   description: 'The Syslog numeric severity of the log event, if available.
@@ -5523,6 +5571,29 @@ log.syslog.severity.name:
   normalize: []
   short: Syslog text-based severity of the event.
   type: keyword
+log.syslog.structured_data:
+  dashed_name: log-syslog-structured-data
+  description: Structured data expressed in RFC 5424 messages, if available. These
+    are key-value pairs formed from the structured data portion of the syslog message,
+    as defined in RFC 5424 Section 6.3.
+  flat_name: log.syslog.structured_data
+  level: extended
+  name: syslog.structured_data
+  normalize: []
+  short: Structured data expressed in RFC 5424 messages.
+  type: flattened
+log.syslog.version:
+  dashed_name: log-syslog-version
+  description: The version of the Syslog protocol specification. Only applicable for
+    RFC 5424 messages.
+  example: 1
+  flat_name: log.syslog.version
+  ignore_above: 1024
+  level: extended
+  name: syslog.version
+  normalize: []
+  short: Syslog protocol version.
+  type: keyword
 message:
   dashed_name: message
   description: 'For log events the message field contains the log message, optimized