From 3098911113a945ff0d75e043423e29ee013bedf8 Mon Sep 17 00:00:00 2001
From: Tudor Golubenco
Date: Wed, 5 Apr 2017 22:56:44 +0200
Subject: [PATCH] Filebeat syslog module: support for lines without a program name
Closes #3913.
---
 CHANGELOG.asciidoc | 1 +
 .../module/system/syslog/ingest/pipeline.json | 3 +-
 .../syslog/test/darwin-syslog-sample.log | 1 +
 .../darwin-syslog-sample.log-expected.json | 28 +++++++++++++++++++
 4 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 8b181fb65a6..65e8a2f20f3 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -56,6 +56,7 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 - Fix empty registry file on machine crash. {issue}3537[3537]
 - Allow `-` in Apache access log byte count. {pull}3863[3863]
 - Downgrade Elasticsearch per batch item failure log to debug level. {issue}3953[3953]
+- Allow log lines without a program name in the Syslog fileset. {pull}3944[3944]
 *Heartbeat*
diff --git a/filebeat/module/system/syslog/ingest/pipeline.json b/filebeat/module/system/syslog/ingest/pipeline.json
index b6f099c93a9..121905091e9 100644
--- a/filebeat/module/system/syslog/ingest/pipeline.json
+++ b/filebeat/module/system/syslog/ingest/pipeline.json
@@ -5,7 +5,8 @@
 "grok": {
 "field": "message",
 "patterns": [
- "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{DATA:system.syslog.program}(?:\\[%{POSINT:system.syslog.pid}\\])?: %{GREEDYMULTILINE:system.syslog.message}"
+ "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{DATA:system.syslog.program}(?:\\[%{POSINT:system.syslog.pid}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
+ "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}"
 ],
 "pattern_definitions" : {
 "GREEDYMULTILINE" : "(.|\n)*"
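Review bot: The second entry added to `patterns` is an unconditional catch-all, so every line the first pattern rejects — not only program-less Darwin lines like the sample, but any line with no `: ` after the hostname, or whose first token after the timestamp is not a `SYSLOGHOST` — is now indexed with `system.syslog.hostname` and `system.syslog.program` absent and everything after the timestamp folded into `system.syslog.message`, where previously it would have surfaced as a grok failure (handled by whatever `on_failure` the pipeline defines outside this hunk). The classic syslogd form `Apr  4 03:39:57 myhost last message repeated 2 times` is one such line: its hostname is silently lost, detection rules keyed on hostname or program no longer see the event, and a sender who controls the line body can shape it to land in this bucket. Consider adding a hostname-preserving pattern ahead of the catch-all, `"%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{GREEDYMULTILINE:system.syslog.message}"` (the `--- last message repeated 1 time ---` sample still reaches the catch-all, since `SYSLOGHOST` does not match `---`), plus a later processor that tags documents lacking `system.syslog.hostname` so these parse gaps stay auditable. The middle pattern could mislabel a hostname-less line whose first word happens to look like a hostname, so it is worth covering with a fixture; the enclosing `processors` list starts and ends outside this hunk.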
diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log b/filebeat/module/system/syslog/test/darwin-syslog-sample.log
index 55e44c52b2d..ec5b4bd666a 100644
--- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log
+++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log
@@ -18,3 +18,4 @@ Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13
 errors=0
 >
 Dec 13 11:35:28 a-mac-with-esc-key GoogleSoftwareUpdateAgent[21412]: 2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.
+Apr 4 03:39:57 --- last message repeated 1 time ---
diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
index 5bb4fa923c4..cf6e1ae645f 100644
--- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
+++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
@@ -58,5 +58,33 @@
 },
 "type" : "log"
 }
+ },
+ {
+ "_index": "test-filebeat-modules",
+ "_type": "doc",
+ "_id": "AVtFVFY1nbkdi71WgGxo",
+ "_score": 1,
+ "_source": {
+ "@timestamp": "2017-04-04T03:39:57.000Z",
+ "system": {
+ "syslog": {
+ "message": "--- last message repeated 1 time ---",
+ "timestamp": "Apr 4 03:39:57"
+ }
+ },
+ "offset": 1228,
+ "beat": {
+ "hostname": "a-mac-with-esc-key-2.local",
+ "name": "a-mac-with-esc-key-2.local",
+ "version": "6.0.0-alpha1"
+ },
+ "input_type": "log",
+ "source": "/Users/tsg/src/github.com/elastic/beats/filebeat/module/system/syslog/test/darwin-syslog-sample.log",
+ "fileset": {
+ "module": "system",
+ "name": "syslog"
+ },
+ "type": "log"
+ }
 }
 ]