[tcp/udp] Add option to parse syslog #3587
taylor-swanson merged 4 commits into elastic:main from taylor-swanson:generic-syslog
Conversation
- Add option to parse syslog
- Fix sample logs to be properly formatted RFC 5424 messages
- Add syslog ECS field references
- Expose TLS in TCP integration
- Add system test for TCP/TLS
- Add system tests for syslog
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
It looks like you will need to add a stub ingest pipeline to ensure that the types are correctly mapped. This looks like it comes from

Nope, scrub that. I don't see why this is happening; that is doing exactly what it should be doing. This appears to be due to this: ..../reader/syslog, which maps the version as an int, which disagrees with ECS.
FAILURE DETAILS:
tcp/generic syslog:
[0] parsing field value failed: field "log.syslog.version"'s Go type, float64, does not match the expected field type: keyword (field value: 1)
╭─────────┬─────────────┬───────────┬───────────┬───────────────────────────────────────────────────────────────────────────────────────┬───────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────┼───────────────────────────────────────────────────────────────────────────────────────┼───────────────┤
│ tcp │ generic │ system │ tcp │ PASS │ 32.395726252s │
│ tcp │ generic │ system │ syslog │ FAIL: one or more errors found in documents stored in logs-tcp.generic-ep data stream │ 30.910389558s │
│ tcp │ generic │ system │ tls │ PASS │ 30.009228121s │
╰─────────┴─────────────┴───────────┴───────────┴───────────────────────────────────────────────────────────────────────────────────────┴───────────────╯
The system test event renders as follows...
{
<snip>
"input": {
"type": "tcp"
},
"log": {
"source": {
"address": "192.168.48.4:51130"
},
"syslog": {
"appname": "testproductname",
"facility": {
"code": 16,
"name": "local0"
},
"hostname": "testhostname",
"priority": 134,
"procid": "1930",
"severity": {
"code": 6,
"name": "Informational"
},
"version": 1 ← rendered as a number
}
},
"message": "some longer testmessage. - a {2:2}."
}
The udp package has the same behaviour (omitted the event which looks essentially the same, as expected).
FAILURE DETAILS:
udp/generic syslog:
[0] parsing field value failed: field "log.syslog.version"'s Go type, float64, does not match the expected field type: keyword (field value: 1)
╭─────────┬─────────────┬───────────┬───────────┬───────────────────────────────────────────────────────────────────────────────────────┬───────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────┼───────────────────────────────────────────────────────────────────────────────────────┼───────────────┤
│ udp │ generic │ system │ udp │ PASS │ 39.218767859s │
│ udp │ generic │ system │ syslog │ FAIL: one or more errors found in documents stored in logs-udp.generic-ep data stream │ 31.048586593s │
╰─────────┴─────────────┴───────────┴───────────┴───────────────────────────────────────────────────────────────────────────────────────┴───────────────╯
What version of the stack are you running? This was an issue in

That would explain it. (confirmed)
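The failure above is a mapping-type mismatch rather than a parsing bug: the syslog reader emits `log.syslog.version` as a number, while the ECS definition of that field is `keyword`, so `elastic-package` rejects the indexed document. The example below is added here and is not code from the integration or from Beats. It parses a constructed RFC 5424 line shaped like the system-test event, builds the `log.syslog` object both ways (version as a JSON number and as a string), and runs a small keyword-type check over the JSON-round-tripped document that reproduces the `float64 ... expected field type: keyword` error. The header regex, the `-` NILVALUE handling, and the `ecsKeywordFields` list are this example's own assumptions, not the integration's validation logic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed RFC 5424 sample shaped like the event in the system-test output above (not a captured message).
const sampleMsg = "<134>1 2022-06-01T12:00:00.000Z testhostname testproductname 1930 - - some longer testmessage. - a {2:2}."

var facilityNames = [...]string{
	"kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
	"uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
	"local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
}
var severityNames = [...]string{
	"Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug",
}

// RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG].
// Assumption: STRUCTURED-DATA is "-" or one or more [...] elements; escaped "]" inside SD-PARAMs is not handled.
var hdrRe = regexp.MustCompile(`^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$`)

type Syslog struct {
	Priority, Version                                                 int
	Timestamp, Hostname, AppName, ProcID, MsgID, StructuredData, Message string
}

// Parse splits an RFC 5424 line into its header fields; PRI is range-checked so facility lookups cannot index out of bounds.
func Parse(line string) (Syslog, error) {
	m := hdrRe.FindStringSubmatch(line)
	if m == nil {
		return Syslog{}, fmt.Errorf("not an RFC 5424 message: %q", line)
	}
	pri, _ := strconv.Atoi(m[1])
	if pri > 191 {
		return Syslog{}, fmt.Errorf("PRI out of range: %d", pri)
	}
	ver, _ := strconv.Atoi(m[2])
	return Syslog{Priority: pri, Version: ver, Timestamp: m[3], Hostname: m[4], AppName: m[5],
		ProcID: m[6], MsgID: m[7], StructuredData: m[8], Message: m[9]}, nil
}

// nilIfDash maps the RFC 5424 NILVALUE "-" to an empty string so the field is omitted from the event.
func nilIfDash(s string) string {
	if s == "-" {
		return ""
	}
	return s
}

// ToECS builds the log.syslog object. versionAsKeyword selects whether log.syslog.version is emitted
// as a string (ECS: keyword) or as a number (the shape that produced the float64-vs-keyword failure).
func ToECS(s Syslog, versionAsKeyword bool) map[string]any {
	syslog := map[string]any{
		"priority": s.Priority,
		"facility": map[string]any{"code": s.Priority / 8, "name": facilityNames[s.Priority/8]},
		"severity": map[string]any{"code": s.Priority % 8, "name": severityNames[s.Priority%8]},
	}
	if versionAsKeyword {
		syslog["version"] = strconv.Itoa(s.Version)
	} else {
		syslog["version"] = s.Version
	}
	for k, v := range map[string]string{"hostname": s.Hostname, "appname": s.AppName, "procid": s.ProcID, "msgid": s.MsgID} {
		if v := nilIfDash(v); v != "" {
			syslog[k] = v
		}
	}
	return map[string]any{"log": map[string]any{"syslog": syslog}, "message": s.Message}
}

// CheckKeywordFields round-trips the event through JSON (as the indexed document would be) and reports
// every field that the mapping declares as keyword but that arrived as a non-string JSON value.
// This mimics the type validation elastic-package reported; it is not its code.
func CheckKeywordFields(doc map[string]any, keywordFields []string) []error {
	raw, _ := json.Marshal(doc)
	var decoded map[string]any
	_ = json.Unmarshal(raw, &decoded)
	var errs []error
	for _, path := range keywordFields {
		v, ok := lookup(decoded, path)
		if !ok {
			continue // absent fields (NILVALUE) are not a type error
		}
		if _, isString := v.(string); !isString {
			errs = append(errs, fmt.Errorf("field %q's Go type, %T, does not match the expected field type: keyword (field value: %v)", path, v, v))
		}
	}
	return errs
}

// lookup resolves a dotted field path inside nested map[string]any objects.
func lookup(doc map[string]any, path string) (any, bool) {
	var cur any = doc
	for _, part := range strings.Split(path, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil, false
		}
		if cur, ok = m[part]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// Assumed subset of ECS keyword fields under log.syslog.
var ecsKeywordFields = []string{"log.syslog.version", "log.syslog.hostname", "log.syslog.appname", "log.syslog.procid", "log.syslog.msgid"}

func main() {
	s, err := Parse(sampleMsg)
	if err != nil {
		panic(err)
	}
	for _, asKeyword := range []bool{false, true} {
		errs := CheckKeywordFields(ToECS(s, asKeyword), ecsKeywordFields)
		fmt.Printf("version as keyword=%v: %d error(s) %v\n", asKeyword, len(errs), errs)
	}
}
```

Running it reports exactly one error for the numeric form (`log.syslog.version` arrives as `float64`) and none once the version is emitted as a string, which is the fix a stub pipeline or a reader-side conversion would have to make for the field to match its ECS mapping.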