Copy log.syslog.appname to process.name#10646
Merged
nicholasberlin merged 3 commits intomainfrom Jul 30, 2024
Merged
Conversation
Before the syslog processor was added to the default filebeat yaml configuration, process.name was set by a Grok ingest pipeline. However, when the syslog processor was added a condition was also added to the Grok ingest pipeline, `if: ctx.log?.syslog == null`. This condition always evaluates to false when the data is supplied by the syslog processor, and therefore `process.name` is not extraced from the syslog message. This commit copies the process name from `log.syslog.appname` to `process.name` before an pipeline processors which use it are executed. With this change, `process.name`, `event.category`, and `event.type` are now populated when data arrives from the syslog processor.
🚀 Benchmarks reportTo see the full report comment with |
Member
|
Can you fix the .github/CODEOWNERS file while you are in there. I think the auth data stream belongs under the sec-linux-platform team instead of windows. integrations/.github/CODEOWNERS Line 331 in aba9540 |
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
andrewkroh
reviewed
Jul 30, 2024
packages/system/data_stream/auth/_dev/test/pipeline/test-host-syslog-processor.json
Outdated
Show resolved
Hide resolved
packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
andrewkroh
approved these changes
Jul 30, 2024
|
💚 Build Succeeded
History
|
|
Package system - 1.60.1 containing this change is available at https://epr.elastic.co/search?package=system |
harnish-crest-data
pushed a commit
to chavdaharnish/integrations
that referenced
this pull request
Feb 4, 2025
* Copy log.syslog.appname to process.name Before the syslog processor was added to the default filebeat yaml configuration, process.name was set by a Grok ingest pipeline. However, when the syslog processor was added a condition was also added to the Grok ingest pipeline, `if: ctx.log?.syslog == null`. This condition always evaluates to false when the data is supplied by the syslog processor, and therefore `process.name` is not extraced from the syslog message. This commit copies the process name from `log.syslog.appname` to `process.name` before an pipeline processors which use it are executed. With this change, `process.name`, `event.category`, and `event.type` are now populated when data arrives from the syslog processor.
harnish-crest-data
pushed a commit
to chavdaharnish/integrations
that referenced
this pull request
Feb 5, 2025
* Copy log.syslog.appname to process.name Before the syslog processor was added to the default filebeat yaml configuration, process.name was set by a Grok ingest pipeline. However, when the syslog processor was added a condition was also added to the Grok ingest pipeline, `if: ctx.log?.syslog == null`. This condition always evaluates to false when the data is supplied by the syslog processor, and therefore `process.name` is not extraced from the syslog message. This commit copies the process name from `log.syslog.appname` to `process.name` before an pipeline processors which use it are executed. With this change, `process.name`, `event.category`, and `event.type` are now populated when data arrives from the syslog processor.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Before the syslog processor was added to the default filebeat yaml configuration, process.name was set by a Grok ingest pipeline. However, when the syslog processor was added a condition was also added to the Grok ingest pipeline,
if: ctx.log?.syslog == null. This condition always evaluates to false when the data is supplied by the syslog processor, and thereforeprocess.nameis not extraced from the syslog message. This commit copies the process name fromlog.syslog.appnametoprocess.namebefore an pipeline processors which use it are executed. With this change,process.name,event.category, andevent.typeare now populated when data arrives from the syslog processor.And add tests.
Checklist
changelog.ymlfile.How to test this PR locally
Related issues