Skip to content

Adding Cisco support for the Syslog parser#10760

Merged
ph merged 8 commits intoelastic:masterfrom
ph:fix/syslog-and-cisco
Feb 18, 2019
Merged

Adding Cisco support for the Syslog parser#10760
ph merged 8 commits intoelastic:masterfrom
ph:fix/syslog-and-cisco

Conversation

@ph
Copy link
Copy Markdown
Contributor

@ph ph commented Feb 14, 2019

Add support for the "sequence" number in the log format send by cisco devices.
The number will be extracted to "event.sequence"

Fixes: #10654

ph added 3 commits February 14, 2019 16:08
@ph
Adding Cisco support for the Syslog parser
949b0e7 
Add support for the "sequence" number in the log format send by cisco devices.

Fixes: #10654
@ph
Extract sequence to the event.
3484f22
@ph
and event.sequence to the template
f4ea42d
@ph ph requested a review from a team as a code owner February 14, 2019 21:24
@ph
Copy link
Copy Markdown
Contributor Author

ph commented Feb 14, 2019
edited
Loading

@webmat I am currently extracting the sequence number generated from Cisco switch (syslog variant), I've looked at ECS, I saw there was a proposal to add an event.sequence to the format but nothing concrete. I think its a good time to add it, WDYT?

andrewkroh
andrewkroh reviewed Feb 14, 2019
View reviewed changes
@ph
Copy link
Copy Markdown
Contributor Author

ph commented Feb 14, 2019

@andrewkroh I've made the changes, I think that should be ok

andrewkroh
andrewkroh approved these changes Feb 14, 2019
View reviewed changes
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for adding this. 🥇

kaiyan-sheng
kaiyan-sheng reviewed Feb 14, 2019
View reviewed changes
CHANGELOG.next.asciidoc
- Remove field `kafka.log.trace.full` from kafka.log fielset. {pull}10398[10398]
- Change field `kafka.log.class` for kafka.log fileset from text to keyword. {pull}10398[10398]
- Address add_kubernetes_metadata processor issue where old source field is
- Address add_kubernetes_metadata processor issue where old source field is
Copy link
Copy Markdown
Contributor

@kaiyan-sheng kaiyan-sheng Feb 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this change intended?

Copy link
Copy Markdown
Contributor Author

@ph ph Feb 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, I presume I wont be the only one removing the additional space, I propose we make the change :)

@ph
Copy link
Copy Markdown
Contributor Author

ph commented Feb 15, 2019

jenkins test this please

@webmat
Copy link
Copy Markdown
Contributor

webmat commented Feb 15, 2019

Yes, I like this change. I've made a note to introduce officially to ECS. I agree with the datatype and the name.

Go for it!

@webmat webmat mentioned this pull request Feb 15, 2019
Closed
@ph ph added the needs_backport PR is waiting to be backported to other branches. label Feb 18, 2019
@ph ph merged commit dd92b6f into elastic:master Feb 18, 2019
@webmat webmat mentioned this pull request Apr 23, 2019
Merged
@inqueue
Copy link
Copy Markdown
Member

inqueue commented Apr 26, 2019

Hi @ph Is there any chance this can be backported to 6.7?

@ph
Copy link
Copy Markdown
Contributor Author

ph commented Apr 29, 2019

@inqueue I can backport it, in retrospect is more of a bug than a new feature.

@ph
Copy link
Copy Markdown
Contributor Author

ph commented Apr 29, 2019

@inqueue backport PR at #11977

webmat pushed a commit to elastic/ecs that referenced this pull request May 1, 2019
Additions to event (#439)
580752c 
- Added `event.code` (See elastic/beats#10333)
- Added `event.sequence` (See #129, elastic/beats#10760)
- Added `event.provider` (See #321)
  - Note: Beats modules currently put the Syslog "programname" in `process.name` which is sometimes accurate, sometimes not (e.g. "kernel"). event.provider would be a better field for this.
- Explain event.module and event.dataset without mentioning Beats
@hrak hrak mentioned this pull request Jan 31, 2020
Closed
hrak pushed a commit to hrak/beats that referenced this pull request Mar 4, 2020
@ph @hrak
Cherry-pick elastic#10760 to 6.8:
245b39c 
Adding Cisco support for the Syslog parser

* Adding Cisco support for the Syslog parser

Add support for the "sequence" number in the log format send by Cisco switch devices.

Fixes: elastic#10654, elastic#15979

(cherry picked from commit dd92b6f)
ph added a commit that referenced this pull request Mar 5, 2020
@ph
Cherry-pick #10760 to 6.8: (#15980)
ecd273d 
Adding Cisco support for the Syslog parser

* Adding Cisco support for the Syslog parser

Add support for the "sequence" number in the log format send by Cisco switch devices.

Fixes: #10654, #15979

(cherry picked from commit dd92b6f)

Co-authored-by: Pier-Hugues Pellerin <phpellerin@gmail.com>
@andrewkroh andrewkroh removed the needs_backport PR is waiting to be backported to other branches. label Mar 11, 2020
@adriansr adriansr mentioned this pull request Oct 27, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

+2 more reviewers

@kaiyan-sheng kaiyan-sheng kaiyan-sheng left review comments

@kvch kvch kvch approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@andrewkroh andrewkroh

Labels

bug Filebeat Filebeat review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Filebeat] Syslog parse error with Cisco Switch logs

6 participants

@ph @webmat @inqueue @kvch @andrewkroh @kaiyan-sheng