Allow filebeat to collect syslog events

[ph]

Since Filebeat is installed directly on the machine, it makes sense to allow Filebeat to collect local syslog data and send it to Elasticsearch or Logstash. With the currently available filebeat prospector it is possible to collect syslog events via UDP.

POC

{
  "_index": "filebeat-6.0.1-2017.12.12",
  "_type": "doc",
  "_id": "mO8YTGABuTrMYTLosnUm",
  "_score": 1,
  "_source": {
    "@timestamp": "2017-12-12T18:59:34.077Z",
    "message": "<13>Dec 12 18:59:34 testing root: Hello PH <3",
    "prospector": {
      "type": "udp"
    },
    "beat": {
      "name": "testing",
      "hostname": "testing",
      "version": "6.0.1"
    }
  },
  "fields": {
    "@timestamp": [
      "2017-12-12T18:59:34.077Z"
    ]
  }
}

Filebeat configuration:

- type: udp                                                                                                                                                   
  enabled: true

Rsyslog configuration:

*.* @127.0.0.1:8080

TODO:

• Evaluate the experimental status of UDP
• Decide which syslog format to support
• Create an Ingest pipeline to extract the data.
• Discuss if using the UDP type instead of syslog is confusing for the user, should we create a specific type for syslog.

Related links:
See existing Logstash plugins concerning syslog.
https://github.com/logstash-plugins/?utf8=%E2%9C%93&q=syslog&type=&language=

[ruflin]

@ph We recently created a docker prospector type which is a special type of the log prospector. It adds a very small bit of additional logic but is mostly predefined configs. One of the main advantages is that it makes configuration for the user straight forward and allows us to implement "special features" in this prospector type. I think the same applies here. Instead of making a user to configure udp prospector we should have a syslog prospector which uses udp and potentially applies some predefined configs.

I wonder if udp is enough for syslog or if also tcp is needed?

[ph]

@ruflin I believe TCP will be eventually needed, in my experience most users for LS was using TCP + SSL for their syslog need.

[ph]

@Rufflin Also the docker and the syslog comparison are really what I meant by creating a syslog prospector ++ on everything :)

[ruflin]

@ph I wonder if the first low hanging fruit would be to create an tcp prospector / input and then build the other features on top of it?

[ph]

@ruflin I think we can do it in steps:

Next minor:

• Create a type syslog
• Support Only UDP
• This will require an ingest pipeline to parse it.
• To correctly scale we will need the spool to disk Add ability to queue/spool to disk #575

Next iteration

• Add a TCP input with SSL support.

WDYT ?

cc @monicasarbu

[ruflin]

@ph I would probably go for the TCP one first as then we have the "golang" parts in place and we see what users do with it and where they hit the limits. But in the end I don't think it matters much as I hope the things happen very close together.

Depending on how predictable the syslog format is I would go so far to parse it on the beats side (not the message part) to have a half structured event.

[ph]

Depending on how predictable the syslog format is I would go so far to parse it on the beats side (not the message part) to have a half structured event.

I think this is the dream of all RFCs :D

[ruflin]

@ph One additional thought here: I don't think we need SSL from day one as already having TCP without SSL is a step forward. In general we expect things to happen on localhost (yep, no docker etc. is an exception ...)

[ph]

Agree

On Thu, Dec 21, 2017 at 4:24 PM Nicolas Ruflin ***@***.***> wrote: @ph <https://github.com/ph> One additional thought here: I don't think we need SSL from day one as already having TCP without SSL is a step forward. In general we expect things to happen on localhost (yep, no docker etc. is an exception ...) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5862 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAACgH3BPw4sJOCX6LC9HxPMixGtLbdxks5tCsyhgaJpZM4Q_fmc> .

-- ph