[system][syslog] add a pattern in filebeat.system module to capture greedy multiline logs with ISO timestamps

[stefans-elastic]

Proposed commit message

add a pattern in filebeat.system module to capture greedy multiline logs with ISO timestamps

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes https://github.com/elastic/obs-integration-team/issues/198

Screenshots

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[ishleenk17]

Also, can you state details about the second ask as per this issue.

[stefans-elastic]

Also, can you state details about the second ask as per this issue.

Sure.

The gh issue contains two points:

Include the greedy grok pattern not only for SYSLOGTIMESTAMP, but for ISO8601 as well.
A process might send logs to /var/log/messages with white space characters and not the white spaces themselves, something like this
So this PR covets point 1. As for point 2: I'm not sure it is possible to have log entries with escaped whitespace characters. The example given in the issue seems to be coming from result event and for those the whitespace characters are escaped (as can be seen here: https://github.com/elastic/beats/blob/main/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json#L31)

[ishleenk17]

This is still matching the 3rd pattern.
If you see we are getting fields as host.hostname, process.name which matches the 3rd pattern .
To match the 4th pattern , one of these fields should be sipped. So that other than timestamp the complete message becomes part of the greedymessage.

[stefans-elastic]

hmm, what is the "tell" of it (I think I'm missing it)?

[ishleenk17]

Also, can you state details about the second ask as per this issue.

Sure.

The gh issue contains two points:

Include the greedy grok pattern not only for SYSLOGTIMESTAMP, but for ISO8601 as well. A process might send logs to /var/log/messages with white space characters and not the white spaces themselves, something like this So this PR covets point 1. As for point 2: I'm not sure it is possible to have log entries with escaped whitespace characters. The example given in the issue seems to be coming from result event and for those the whitespace characters are escaped (as can be seen here: https://github.com/elastic/beats/blob/main/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json#L31)

Since, we don't observe these logs and this could be a corner case.lets focus on just adding the ISO timestamp for this PR.

[ishleenk17]

Suggested change

	version: "1.67.4"
	version: "1.68.0"

[ishleenk17]

Please make the version change. Otherwise, LGTM.

[ishleenk17]

Suggested change

	- version: "1.67.4"
	- version: "1.68.0"

[stefans-elastic]

Please make the version change. Otherwise, LGTM.

updated the version

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 0ed1fa7

History

• 💚 Build #24404 succeeded 8e62018
• 💚 Build #24352 succeeded ecfc8d7
• 💔 Build #24351 failed 05cf08f
• 💔 Build #24349 failed 09e786f

cc @stefans-elastic

[elastic-vault-github-plugin-prod]

Package system - 1.68.0 containing this change is available at https://epr.elastic.co/package/system/1.68.0/