
Commit 6a7dbd6

authored
[Journalbeat] Improve parsing of syslog.pid in journalbeat to strip the username when present (#16116)
* Improve parsing of syslog.pid in journalbeat to strip the username in pid when present. * Add entry to changelog with pull ID. * Improve the comment on the username strip.
1 parent 86434d6 commit 6a7dbd6

3 files changed

Lines changed: 51 additions & 2 deletions


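--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -24,6 +24,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Journalbeat*
 
+- Improve parsing of syslog.pid in journalbeat to strip the username when present {pull}16116[16116]
+
 
 *Metricbeat*
 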

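--- a/journalbeat/reader/journal.go
+++ b/journalbeat/reader/journal.go
@@ -288,8 +288,16 @@ func (r *Reader) convertNamedField(fc fieldConversion, value string) interface{}
 if fc.isInteger {
 v, err := strconv.ParseInt(value, 10, 64)
 if err != nil {
-r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
-return value
+// On some versions of systemd the 'syslog.pid' can contain the username
+// appended to the end of the pid. In most cases this does not occur
+// but in the cases that it does, this tries to strip ',\w*' from the
+// value and then perform the conversion.
+s := strings.Split(value, ",")
+v, err = strconv.ParseInt(s[0], 10, 64)
+if err != nil {
+r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
+return value
+}
 }
 return v
 }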
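Review bot: The comma-stripping retry sits directly under `if fc.isInteger`, so it runs for every integer-typed journal field and not only for syslog.pid as the new comment describes. Any value whose text before the first comma parses as a number is shortened to that number, and the discarded remainder is never logged, so a malformed or deliberately crafted value in another integer field is normalised silently. As far as I know SYSLOG_PID is set by the logging process rather than by journald, so the stripped number should not be treated as a verified process identity downstream. I would only retry when a comma is actually present, `if i := strings.IndexByte(value, ','); i > 0 { v, err = strconv.ParseInt(value[:i], 10, 64) }`, add a Debugf that records the dropped suffix, and gate the retry on `fc.name` if only syslog.pid is meant (the exact name string is not visible here). convertNamedField begins above this hunk.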

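--- a/journalbeat/reader/journal_test.go
+++ b/journalbeat/reader/journal_test.go
@@ -57,6 +57,45 @@ func TestToEvent(t *testing.T) {
 },
 },
 },
+// 'syslog.pid' field without user append
+ToEventTestCase{
+entry: sdjournal.JournalEntry{
+Fields: map[string]string{
+sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456",
+},
+},
+expectedFields: common.MapStr{
+"syslog": common.MapStr{
+"pid": int64(123456),
+},
+},
+},
+// 'syslog.pid' field with user append
+ToEventTestCase{
+entry: sdjournal.JournalEntry{
+Fields: map[string]string{
+sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456,root",
+},
+},
+expectedFields: common.MapStr{
+"syslog": common.MapStr{
+"pid": int64(123456),
+},
+},
+},
+// 'syslog.pid' field empty
+ToEventTestCase{
+entry: sdjournal.JournalEntry{
+Fields: map[string]string{
+sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "",
+},
+},
+expectedFields: common.MapStr{
+"syslog": common.MapStr{
+"pid": "",
+},
+},
+},
 // custom field
 ToEventTestCase{
 entry: sdjournal.JournalEntry{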
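Review bot: None of the three added cases has a comma with a non-numeric prefix, so the path where the second ParseInt also fails is reached only through the empty string. A case with a constructed value such as `"abc,root"` or `",root"`, expecting the original string back unchanged, would pin that the raw value is preserved when stripping does not help. The empty-value case also documents that `syslog.pid` can be emitted as a string instead of an int64, which consumers of this field need to tolerate; a short comment on that case, e.g. `// unparsable values are passed through as the original string`, would make that intent explicit. TestToEvent starts and continues outside this hunk.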
