diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc
index 610078d225e..e880deb53a8 100644
--- a/CHANGELOG-developer.next.asciidoc
+++ b/CHANGELOG-developer.next.asciidoc
@@ -70,6 +70,7 @@ The list below covers the major changes between 7.0.0-rc2 and main only.
 - Debug log entries from the acker (`stateful ack ...` or `stateless ack ...`) removed. {pull}39672[39672]
 - Rename x-pack/filebeat websocket input to streaming. {issue}40264[40264] {pull}40421[40421]
 - Journald input now calls `journalctl` instead of using `github.com/coreos/go-systemd/v22@v22.5.0/sdjournal`, the CGO dependency has been removed from Filebeat {pull}40061[40061]
+- System module events now contain `input.type: systemlogs` instead of `input.type: log` when harvesting log files, however the ingest pipeline sets it back to the original input (log or journald). {pull}41246[41246]
 
 ==== Bugfixes
 
diff --git a/filebeat/input/systemlogs/input.go b/filebeat/input/systemlogs/input.go
index 789fd65ad5d..05cd541d81c 100644
--- a/filebeat/input/systemlogs/input.go
+++ b/filebeat/input/systemlogs/input.go
@@ -115,16 +115,20 @@ func PluginV2(logger *logp.Logger, store cursor.StateStore) v2.Plugin {
 // return false
 // - Otherwise return true
 func useJournald(c *conf.C) (bool, error) {
+ logger := logp.L().Named("input.system-logs")
+
 cfg := config{}
 if err := c.Unpack(&cfg); err != nil {
 return false, nil
 }
 
 if cfg.UseJournald {
+ logger.Info("using journald input because 'use_journald' is set")
 return true, nil
 }
 
 if cfg.UseFiles {
+ logger.Info("using log input because 'use_files' is set")
 return false, nil
 }
 
@@ -144,6 +148,9 @@ func useJournald(c *conf.C) (bool, error) {
 if len(paths) != 0 {
 // We found at least one system log file,
 // journald will not be used, return early
+ logger.Info(
+ "using log input because file(s) was(were) found when testing glob '%s'",
+ g)
 return false, nil
 }
 }
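Review bot: The `logger.Info(` call added in the @@ -144 hunk hands a `%s` template and `g` to a non-formatting method, so the emitted message keeps the literal `%s` and has the glob concatenated after it; it should be the formatting variant, `logger.Infof("using log input because file(s) was(were) found when testing glob '%s'", g)`, or a structured `logger.Infow("using log input because matching file(s) were found", "glob", g)`. In the @@ -115 hunk, `useJournald` builds its logger from the global `logp.L()` even though `PluginV2`, visible in the hunk header, already receives a `*logp.Logger`; threading that logger (or a `Named` child of it) into `useJournald` would keep these decision messages under the caller's configured logger rather than the process-wide default. The unpack failure a few lines below the new logger still falls through to `return false, nil` without a trace — pre-existing, but now that a logger is in scope a `logger.Warnf` there would make the silent fallback to files visible. `useJournald` continues past the end of both hunks.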
@@ -230,5 +237,6 @@ func toFilesConfig(cfg *conf.C) (*conf.C, error) {
 if err := cfg.SetString("type", -1, pluginName); err != nil {
 return nil, fmt.Errorf("cannot set type back to '%s': %w", pluginName, err)
 }
+
 return newCfg, nil
 }
diff --git a/filebeat/module/system/auth/ingest/files.yml b/filebeat/module/system/auth/ingest/files.yml
index fbeebc12b7e..557747b6400 100644
--- a/filebeat/module/system/auth/ingest/files.yml
+++ b/filebeat/module/system/auth/ingest/files.yml
@@ -54,6 +54,9 @@ processors:
 value: '{{{ _ingest.on_failure_message }}}'
 - remove:
 field: system.auth.timestamp
+ - set:
+ field: input.type
+ value: log
 on_failure:
 - set:
 field: error.message
diff --git a/filebeat/module/system/auth/ingest/journald.yml b/filebeat/module/system/auth/ingest/journald.yml
index aee3f5263ed..bb43dd63cf5 100644
--- a/filebeat/module/system/auth/ingest/journald.yml
+++ b/filebeat/module/system/auth/ingest/journald.yml
@@ -24,6 +24,9 @@ processors:
 - syslog
 - systemd
 - message_id
+ - set:
+ field: input.type
+ value: journald
 on_failure:
 - set:
 field: error.message
diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json
index 6e2ffbeaa51..ee5afe3f235 100644
--- a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json
+++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json
@@ -6,7 +6,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "auth",
 "host.hostname": "precise32",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 0,
 "message": "subsystem request for sftp by user vagrant",
 "process.name": "sshd",
@@ -27,7 +27,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "auth",
 "host.hostname": "precise32",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 81,
 "process.name": "sudo",
 "related.hosts": [
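Review bot: The `set` processor added to files.yml overwrites `input.type` with `log` unconditionally, so an event that reaches this pipeline from any other input (for example a user pointing `filestream` at the auth files and reusing the module pipeline) loses its real input type; the `journald` value added to journald.yml has the same effect. The expected-JSON fixtures in this commit show the systemlogs input emitting `system-logs`, so the override can be scoped to exactly that case with a condition on the processor, `if: ctx.input?.type == 'system-logs'`, leaving every other value untouched. Separately, the changelog entry in this commit names the new value `systemlogs` while the fixtures and the pipelines' input see `system-logs`; one of the two spellings is wrong and the changelog should match what the input actually emits.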
@@ -52,7 +52,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 464, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -75,7 +75,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 570, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -95,7 +95,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 655, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -116,7 +116,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 736, "process.name": "sudo", "related.hosts": [ @@ -141,7 +141,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1121, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -164,7 +164,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1227, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -184,7 +184,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1312, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", 
@@ -205,7 +205,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1393, "process.name": "sudo", "related.hosts": [ @@ -230,7 +230,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1776, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -253,7 +253,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1882, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -273,7 +273,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1967, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -294,7 +294,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2048, "process.name": "sudo", "related.hosts": [ @@ -319,7 +319,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2426, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -342,7 +342,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2532, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", 
@@ -362,7 +362,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2617, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -383,7 +383,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2698, "process.name": "sudo", "related.hosts": [ @@ -408,7 +408,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3083, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -431,7 +431,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3189, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -451,7 +451,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3274, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -471,7 +471,7 @@ "event.module": "system", "event.timezone": "-02:00", "fileset.name": "auth", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3355, "message": "last message repeated 2 times", "process.name": "sshd", @@ -485,7 +485,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3414, "process.name": "sudo", "related.hosts": [ 
@@ -510,7 +510,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3977, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -533,7 +533,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4083, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -553,7 +553,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4168, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -574,7 +574,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4249, "process.name": "sudo", "related.hosts": [ @@ -599,7 +599,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4632, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -622,7 +622,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4738, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -642,7 +642,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4823, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", 
@@ -663,7 +663,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4904, "process.name": "sudo", "related.hosts": [ @@ -688,7 +688,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5289, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -711,7 +711,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5395, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -731,7 +731,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5480, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -752,7 +752,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5561, "process.name": "sudo", "related.hosts": [ @@ -777,7 +777,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5942, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -800,7 +800,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6048, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", 
@@ -820,7 +820,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6133, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -841,7 +841,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6214, "process.name": "sudo", "related.hosts": [ @@ -866,7 +866,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6597, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -889,7 +889,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6703, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -909,7 +909,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6788, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -930,7 +930,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6869, "process.name": "sudo", "related.hosts": [ @@ -955,7 +955,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7254, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", 
@@ -978,7 +978,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7360, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -998,7 +998,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7445, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1019,7 +1019,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7526, "process.name": "sudo", "related.hosts": [ @@ -1044,7 +1044,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7911, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1067,7 +1067,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8017, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1087,7 +1087,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8102, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1108,7 +1108,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8183, "process.name": "sudo", "related.hosts": [ 
@@ -1133,7 +1133,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8564, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1156,7 +1156,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8670, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1176,7 +1176,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8755, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1197,7 +1197,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8836, "process.name": "sudo", "related.hosts": [ @@ -1222,7 +1222,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9215, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1245,7 +1245,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9321, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1265,7 +1265,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9406, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", 
@@ -1286,7 +1286,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9487, "process.name": "sudo", "related.hosts": [ @@ -1311,7 +1311,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9869, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1334,7 +1334,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9975, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1354,7 +1354,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10060, "process.name": "sudo", "related.hosts": [ @@ -1379,7 +1379,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11099, "message": "vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", "process.name": "sudo", @@ -1395,7 +1395,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11195, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1418,7 +1418,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11301, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", 
@@ -1438,7 +1438,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11386, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1459,7 +1459,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11467, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1480,7 +1480,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11548, "process.name": "sudo", "related.hosts": [ @@ -1505,7 +1505,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11928, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1528,7 +1528,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12034, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1548,7 +1548,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12119, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1569,7 +1569,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12200, "process.name": "sudo", "related.hosts": [ 
@@ -1594,7 +1594,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12583, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1617,7 +1617,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12689, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1637,7 +1637,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12774, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1658,7 +1658,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12855, "process.name": "sudo", "related.hosts": [ @@ -1683,7 +1683,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 13241, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1706,7 +1706,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 13347, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1726,7 +1726,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 13432, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", 
@@ -1747,7 +1747,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 13513, "process.name": "sudo", "related.hosts": [ @@ -1772,7 +1772,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 13898, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1795,7 +1795,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14004, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1815,7 +1815,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14089, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1836,7 +1836,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14170, "process.name": "sudo", "related.hosts": [ @@ -1861,7 +1861,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14549, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1884,7 +1884,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14655, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", 
@@ -1904,7 +1904,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14740, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -1925,7 +1925,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14821, "process.name": "sudo", "related.hosts": [ @@ -1950,7 +1950,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15203, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -1973,7 +1973,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15309, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -1993,7 +1993,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15394, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -2014,7 +2014,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15475, "process.name": "sudo", "related.hosts": [ @@ -2039,7 +2039,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15860, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", 
@@ -2062,7 +2062,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15966, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -2082,7 +2082,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16051, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -2103,7 +2103,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16132, "process.name": "sudo", "related.hosts": [ @@ -2128,7 +2128,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16517, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", @@ -2151,7 +2151,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16623, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", @@ -2171,7 +2171,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16708, "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", @@ -2192,7 +2192,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16789, "process.name": "sudo", "related.hosts": [ diff --git a/filebeat/module/system/auth/test/debian-12.journal-expected.json b/filebeat/module/system/auth/test/debian-12.journal-expected.json index ee0d8a69ba0..2ef69b76b22 100644 
--- a/filebeat/module/system/auth/test/debian-12.journal-expected.json +++ b/filebeat/module/system/auth/test/debian-12.journal-expected.json @@ -16,7 +16,7 @@ "fileset.name": "auth", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 4, "log.syslog.priority": 6, "message": "Accepted publickey for vagrant from 10.0.2.2 port 48274 ssh2: ED25519 SHA256:k1kjhwoH/H3w31MbGOIGd7qxrkSQJnoAN0eYJVHDmmI", @@ -64,7 +64,7 @@ "fileset.name": "auth", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 4, "log.syslog.priority": 6, "message": "Accepted password for vagrant from 192.168.42.119 port 55310 ssh2", @@ -110,7 +110,7 @@ "fileset.name": "auth", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 4, "log.syslog.priority": 6, "message": "Invalid user test from 192.168.42.119 port 48890", @@ -154,7 +154,7 @@ "fileset.name": "auth", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 4, "log.syslog.priority": 6, "message": "Failed password for root from 192.168.42.119 port 46632 ssh2", @@ -200,7 +200,7 @@ "fileset.name": "auth", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 4, "log.syslog.priority": 6, "message": "Failed password for root from 192.168.42.119 port 46632 ssh2", 
@@ -246,7 +246,7 @@ "fileset.name": "auth", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 4, "log.syslog.priority": 6, "message": "Failed password for root from 192.168.42.119 port 46632 ssh2", @@ -284,7 +284,7 @@ "fileset.name": "auth", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 10, "log.syslog.priority": 5, "message": " vagrant : TTY=pts/2 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/emacs /etc/ssh/sshd_config", @@ -332,7 +332,7 @@ "group.name": "test", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 10, "log.syslog.priority": 6, "message": "new group: name=test, GID=1001", @@ -362,7 +362,7 @@ "fileset.name": "auth", "host.hostname": "vagrant-debian-12", "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a", - "input.type": "system-logs", + "input.type": "journald", "log.syslog.facility.code": 4, "log.syslog.priority": 6, "message": "Session 8 logged out. Waiting for processes to exit.", diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 71cd8657c7b..731b4db0423 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -14,7 +14,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 0, "process.name": "sshd", "process.pid": 2738, 
@@ -47,7 +47,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 97, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -76,7 +76,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 209, "process.name": "sshd", "process.pid": 2738, @@ -109,7 +109,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 306, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -138,7 +138,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 418, "process.name": "sshd", "process.pid": 2738, @@ -171,7 +171,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 515, "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", @@ -188,7 +188,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 618, "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -205,7 +205,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 760, "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", 
@@ -222,7 +222,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 842, "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -239,7 +239,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 993, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -268,7 +268,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1105, "process.name": "sshd", "process.pid": 2742, @@ -301,7 +301,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1202, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -330,7 +330,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1314, "process.name": "sshd", "process.pid": 2742, @@ -363,7 +363,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1411, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -392,7 +392,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1523, "process.name": "sshd", "process.pid": 2742, 
@@ -425,7 +425,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1620, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -454,7 +454,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1732, "process.name": "sshd", "process.pid": 2742, @@ -487,7 +487,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1829, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -516,7 +516,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1941, "process.name": "sshd", "process.pid": 2742, @@ -549,7 +549,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2038, "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", @@ -566,7 +566,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2141, "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -583,7 +583,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2283, "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", 
@@ -600,7 +600,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2365, "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -617,7 +617,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2516, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -638,7 +638,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2628, "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root", "process.name": "sshd", @@ -655,7 +655,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2777, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -684,7 +684,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2889, "process.name": "sshd", "process.pid": 2754, @@ -717,7 +717,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2986, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -746,7 +746,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3098, "process.name": "sshd", "process.pid": 2758, 
@@ -783,7 +783,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3194, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -812,7 +812,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3306, "process.name": "sshd", "process.pid": 2754, @@ -845,7 +845,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3403, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -874,7 +874,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3515, "process.name": "sshd", "process.pid": 2758, @@ -911,7 +911,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3611, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -940,7 +940,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3723, "process.name": "sshd", "process.pid": 2754, @@ -973,7 +973,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3820, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1002,7 +1002,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3932, "process.name": "sshd", "process.pid": 2758, 
@@ -1039,7 +1039,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4028, "message": "Received disconnect from 216.160.83.58: 11: [preauth]", "process.name": "sshd", @@ -1056,7 +1056,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4119, "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root", "process.name": "sshd", @@ -1081,7 +1081,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4259, "process.name": "sshd", "process.pid": 2754, @@ -1114,7 +1114,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4356, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1143,7 +1143,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4468, "process.name": "sshd", "process.pid": 2754, @@ -1176,7 +1176,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4565, "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", @@ -1193,7 +1193,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4668, "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", 
@@ -1210,7 +1210,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4810, "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", @@ -1227,7 +1227,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 4892, "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -1244,7 +1244,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5043, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1273,7 +1273,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5155, "process.name": "sshd", "process.pid": 2762, @@ -1306,7 +1306,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5252, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1335,7 +1335,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5364, "process.name": "sshd", "process.pid": 2762, @@ -1368,7 +1368,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5461, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", 
@@ -1397,7 +1397,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5573, "process.name": "sshd", "process.pid": 2762, @@ -1430,7 +1430,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5670, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1459,7 +1459,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5782, "process.name": "sshd", "process.pid": 2762, @@ -1492,7 +1492,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5879, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1521,7 +1521,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5991, "process.name": "sshd", "process.pid": 2762, @@ -1554,7 +1554,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6088, "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", @@ -1571,7 +1571,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6191, "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", 
@@ -1588,7 +1588,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6333, "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", @@ -1605,7 +1605,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6415, "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -1622,7 +1622,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6566, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1651,7 +1651,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6678, "process.name": "sshd", "process.pid": 2766, @@ -1684,7 +1684,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6775, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1713,7 +1713,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6887, "process.name": "sshd", "process.pid": 2766, @@ -1746,7 +1746,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6984, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", 
@@ -1775,7 +1775,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7096, "process.name": "sshd", "process.pid": 2766, @@ -1808,7 +1808,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7193, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1837,7 +1837,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7305, "process.name": "sshd", "process.pid": 2766, @@ -1870,7 +1870,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7402, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -1899,7 +1899,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7514, "process.name": "sshd", "process.pid": 2766, @@ -1932,7 +1932,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7611, "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", @@ -1949,7 +1949,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7714, "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", 
@@ -1966,7 +1966,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7856, "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", @@ -1983,7 +1983,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7938, "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root", "process.name": "sshd", @@ -2000,7 +2000,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8087, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -2029,7 +2029,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8199, "process.name": "sshd", "process.pid": 2778, @@ -2066,7 +2066,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8295, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -2095,7 +2095,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8407, "process.name": "sshd", "process.pid": 2778, @@ -2132,7 +2132,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8503, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", 
@@ -2161,7 +2161,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8615, "process.name": "sshd", "process.pid": 2778, @@ -2198,7 +2198,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8711, "message": "Received disconnect from 216.160.83.58: 11: [preauth]", "process.name": "sshd", @@ -2215,7 +2215,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8802, "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.160.83.58 user=root", "process.name": "sshd", @@ -2232,7 +2232,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8942, "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -2249,7 +2249,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9093, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -2278,7 +2278,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9205, "process.name": "sshd", "process.pid": 2785, @@ -2311,7 +2311,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9302, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", 
@@ -2340,7 +2340,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9414, "process.name": "sshd", "process.pid": 2785, @@ -2373,7 +2373,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9511, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -2402,7 +2402,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9623, "process.name": "sshd", "process.pid": 2785, @@ -2435,7 +2435,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9720, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -2464,7 +2464,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9832, "process.name": "sshd", "process.pid": 2785, @@ -2497,7 +2497,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9929, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -2526,7 +2526,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10041, "process.name": "sshd", "process.pid": 2785, @@ -2559,7 +2559,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10138, "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", 
@@ -2576,7 +2576,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10241, "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -2593,7 +2593,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10383, "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", @@ -2610,7 +2610,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10465, "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.196.224.106 user=root", "process.name": "sshd", @@ -2627,7 +2627,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10616, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", @@ -2656,7 +2656,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10728, "process.name": "sshd", "process.pid": 2797, @@ -2689,7 +2689,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 10825, "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index bfe6a5c44b0..16e859a66d3 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json 
@@ -15,7 +15,7 @@ ], "fileset.name": "auth", "host.hostname": "localhost", - "input.type": "system-logs", + "input.type": "log", "log.offset": 0, "process.name": "sshd", "process.pid": 3402, @@ -53,7 +53,7 @@ ], "fileset.name": "auth", "host.hostname": "localhost", - "input.type": "system-logs", + "input.type": "log", "log.offset": 152, "process.name": "sshd", "process.pid": 7483, @@ -89,7 +89,7 @@ ], "fileset.name": "auth", "host.hostname": "localhost", - "input.type": "system-logs", + "input.type": "log", "log.offset": 254, "process.name": "sshd", "process.pid": 3430, @@ -123,7 +123,7 @@ ], "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 324, "process.name": "sshd", "process.pid": 5774, @@ -160,7 +160,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "localhost", - "input.type": "system-logs", + "input.type": "log", "log.offset": 420, "process.name": "sudo", "related.hosts": [ @@ -185,7 +185,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "slave22", - "input.type": "system-logs", + "input.type": "log", "log.offset": 522, "process.name": "sshd", "process.pid": 18406, @@ -214,7 +214,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "localhost", - "input.type": "system-logs", + "input.type": "log", "log.offset": 616, "process.name": "sudo", "related.hosts": [ @@ -239,7 +239,7 @@ "event.timezone": "-02:00", "fileset.name": "auth", "host.hostname": "precise32", - "input.type": "system-logs", + "input.type": "log", "log.offset": 735, "process.name": "sudo", "related.hosts": [ @@ -275,7 +275,7 @@ "group.id": "48", "group.name": "apache", "host.hostname": "localhost", - "input.type": "system-logs", + "input.type": "log", "log.offset": 860, "process.name": "groupadd", "process.pid": 6991, 
@@ -300,7 +300,7 @@
 "fileset.name": "auth",
 "group.id": "48",
 "host.hostname": "localhost",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 933,
 "process.name": "useradd",
 "process.pid": 6995,
@@ -323,7 +323,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "auth",
 "host.hostname": "localhost",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 1056,
 "process.name": "sshd",
 "process.pid": 10161,
diff --git a/filebeat/module/system/auth/test/timestamp.log-expected.json b/filebeat/module/system/auth/test/timestamp.log-expected.json
index 52b028dd3b0..fd083732af6 100644
--- a/filebeat/module/system/auth/test/timestamp.log-expected.json
+++ b/filebeat/module/system/auth/test/timestamp.log-expected.json
@@ -7,7 +7,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "auth",
 "host.hostname": "localhost",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.file.path": "timestamp.log",
 "log.offset": 0,
 "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)",
@@ -32,7 +32,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "auth",
 "host.hostname": "localhost",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.file.path": "timestamp.log",
 "log.offset": 118,
 "message": "user nobody logged out.",
diff --git a/filebeat/module/system/syslog/ingest/files.yml b/filebeat/module/system/syslog/ingest/files.yml
index b1352f2ad62..f4f5930e198 100644
--- a/filebeat/module/system/syslog/ingest/files.yml
+++ b/filebeat/module/system/syslog/ingest/files.yml
@@ -59,6 +59,9 @@ processors:
 value: "{{host.hostname}}"
 if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
 allow_duplicates: false
+- set:
+ field: input.type
+ value: log
 on_failure:
 - set:
 field: error.message
diff --git a/filebeat/module/system/syslog/ingest/journald.yml b/filebeat/module/system/syslog/ingest/journald.yml
index 5d011784154..68400c8f507 100644
--- a/filebeat/module/system/syslog/ingest/journald.yml
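Review bot: The `set` processor added to syslog/ingest/files.yml rewrites `input.type` to `log` unconditionally, so any event that reaches this pipeline from an input other than the one the commit targets (for example a user-configured `filestream` or `log` input pointed at the same module pipeline) also has its real input type overwritten; the `journald` value added in syslog/ingest/journald.yml in the next hunk has the same shape. A condition such as `if: ctx.input?.type == '<TYPE_EMITTED_BY_SYSTEM_LOGS_INPUT>'` (placeholder; the fixtures in this diff replace the literal `system-logs`, so confirm which string the input actually emits) would restrict the rewrite to the case the commit intends. Because the rewrite is done by the Elasticsearch ingest pipeline rather than by the beat, events shipped through any other output presumably keep the input's own value, which deserves a line above the processor, e.g. `# Restore the historical input.type so dashboards and detection rules keyed on 'log' keep matching; applied server-side only.`. The enclosing `processors` list starts outside the hunk.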
+++ b/filebeat/module/system/syslog/ingest/journald.yml
@@ -23,6 +23,9 @@ processors:
 - syslog
 - systemd
 - message_id
+- set:
+ field: input.type
+ value: journald
 on_failure:
 - set:
 field: error.message
diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
index eb8947f85c1..a5957f19b94 100644
--- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
+++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
@@ -6,7 +6,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.flags": [
 "multiline"
 ],
@@ -26,7 +26,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 907,
 "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.",
 "process.name": "GoogleSoftwareUpdateAgent",
@@ -42,7 +42,7 @@
 "event.module": "system",
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 1176,
 "message": "--- last message repeated 1 time ---",
 "service.type": "system"
diff --git a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json
index a1620750ff1..6f12a7a5656 100644
--- a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json
+++ b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json
@@ -6,7 +6,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 0, "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.", "process.name": "GoogleSoftwareUpdateAgent", @@ -23,7 +23,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.flags": [ "multiline" ], @@ -43,7 +43,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1127, "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", @@ -60,7 +60,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 1396, "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).", "process.name": "GoogleSoftwareUpdateAgent", @@ -77,7 +77,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.flags": [ "multiline" ], 
@@ -97,7 +97,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 2833, "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'", "process.name": "GoogleSoftwareUpdateAgent", @@ -114,7 +114,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 3377, "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'", "process.name": "GoogleSoftwareUpdateAgent", @@ -131,7 +131,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.flags": [ "multiline" ], 
@@ -151,7 +151,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 5675, "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", @@ -168,7 +168,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6055, "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414", "process.name": "GoogleSoftwareUpdateAgent", @@ -185,7 +185,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6436, "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.", "process.name": "GoogleSoftwareUpdateAgent", @@ -202,7 +202,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6719, "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.", "process.name": "GoogleSoftwareUpdateAgent", 
@@ -219,7 +219,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 6943, "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.", "process.name": "GoogleSoftwareUpdateAgent", @@ -236,7 +236,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7166, "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", @@ -253,7 +253,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7543, "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.", "process.name": "ksfetch", @@ -270,7 +270,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 7722, "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }", "process.name": "ksfetch", 
@@ -287,7 +287,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8050, "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", @@ -304,7 +304,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8251, "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL ( { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", @@ -321,7 +321,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8631, "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...", "process.name": "ksfetch", @@ -338,7 +338,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8787, "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0", "process.name": "ksfetch", @@ -355,7 +355,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 8993, "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.", "process.name": "ksfetch", 
@@ -372,7 +372,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9136, "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.", "process.name": "ksfetch", @@ -389,7 +389,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.flags": [ "multiline" ], @@ -409,7 +409,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 9540, "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", @@ -426,7 +426,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.flags": [ "multiline" ], @@ -446,7 +446,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11060, "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.", "process.name": "GoogleSoftwareUpdateAgent", 
@@ -463,7 +463,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11357, "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}", "process.name": "GoogleSoftwareUpdateAgent", @@ -480,7 +480,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11599, "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.", "process.name": "GoogleSoftwareUpdateAgent", @@ -497,7 +497,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 11823, "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", @@ -514,7 +514,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12055, "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", 
@@ -531,7 +531,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12281, "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0", "process.name": "GoogleSoftwareUpdateAgent", @@ -548,7 +548,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 12522, "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.", "process.name": "GoogleSoftwareUpdateAgent", @@ -565,7 +565,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.flags": [ "multiline" ], @@ -585,7 +585,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 13788, "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to { URL: https://tools.google.com/service/update2 }", "process.name": "GoogleSoftwareUpdateAgent", @@ -602,7 +602,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.flags": [ "multiline" ], 
@@ -622,7 +622,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14537, "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread", "process.name": "GoogleSoftwareUpdateAgent", @@ -639,7 +639,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14773, "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.", "process.name": "GoogleSoftwareUpdateAgent", @@ -656,7 +656,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 14975, "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -673,7 +673,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15238, "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", 
@@ -690,7 +690,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15501, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])", @@ -706,7 +706,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15716, "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -723,7 +723,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 15979, "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -740,7 +740,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16242, "message": "ASL Sender Statistics", "process.name": "syslogd", @@ -757,7 +757,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16312, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])", 
@@ -773,7 +773,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16527, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", @@ -789,7 +789,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16689, "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -806,7 +806,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 16952, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])", @@ -822,7 +822,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 17167, "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", 
@@ -839,7 +839,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 17430, "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -856,7 +856,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 17693, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])", @@ -872,7 +872,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 17908, "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -889,7 +889,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 18171, "message": "ASL Sender Statistics", "process.name": "syslogd", @@ -906,7 +906,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 18241, "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", 
@@ -923,7 +923,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 18504, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])", @@ -939,7 +939,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 18719, "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -956,7 +956,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 18982, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", @@ -972,7 +972,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 19144, "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", 
@@ -989,7 +989,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 19407, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])", @@ -1005,7 +1005,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 19622, "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1022,7 +1022,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 19885, "message": "ASL Sender Statistics", "process.name": "syslogd", @@ -1039,7 +1039,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 19955, "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682", "process.name": "Slack Helper", @@ -1056,7 +1056,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 20078, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])", 
@@ -1072,7 +1072,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 20293, "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1089,7 +1089,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 20556, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])", @@ -1105,7 +1105,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 20771, "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1122,7 +1122,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 21034, "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1139,7 +1139,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 21297, "message": "ASL Sender Statistics", "process.name": "syslogd", 
@@ -1156,7 +1156,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 21367, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])", @@ -1172,7 +1172,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 21582, "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1189,7 +1189,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 21845, "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1206,7 +1206,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 22108, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])", 
@@ -1222,7 +1222,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 22323, "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1239,7 +1239,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 22586, "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1256,7 +1256,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 22849, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])", @@ -1272,7 +1272,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 23064, "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1289,7 +1289,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 23327, "message": "ASL Sender Statistics", "process.name": "syslogd", 
@@ -1306,7 +1306,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 23397, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", @@ -1322,7 +1322,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 23559, "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1339,7 +1339,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 23822, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])", @@ -1355,7 +1355,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 24037, "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b", "process.name": "Slack Helper", @@ -1372,7 +1372,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 24160, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])", 
@@ -1388,7 +1388,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 24375, "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2", "process.name": "Slack Helper", @@ -1405,7 +1405,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 24498, "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1422,7 +1422,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 24761, "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", @@ -1439,7 +1439,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 25024, "message": "ASL Sender Statistics", "process.name": "syslogd", @@ -1456,7 +1456,7 @@ "event.timezone": "-02:00", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", - "input.type": "system-logs", + "input.type": "log", "log.offset": 25094, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])", 
@@ -1472,7 +1472,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 25309,
 "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
 "process.name": "Google Chrome",
@@ -1489,7 +1489,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 25572,
 "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: ",
 "process.name": "GoogleSoftwareUpdateAgent",
@@ -1506,7 +1506,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 26456,
 "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
 "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])",
@@ -1522,7 +1522,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 26671,
 "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
 "process.name": "Google Chrome",
@@ -1539,7 +1539,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 26934,
 "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371",
 "process.name": "Slack Helper",
@@ -1556,7 +1556,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 27057,
 "message": "Unknown key for integer: _DirtyJetsamMemoryLimit",
 "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)",
@@ -1572,7 +1572,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 27219,
 "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702",
 "process.name": "Slack Helper",
@@ -1589,7 +1589,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 27342,
 "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
 "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])",
@@ -1605,7 +1605,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 27557,
 "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
 "process.name": "Google Chrome",
@@ -1622,7 +1622,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 27820,
 "message": "ASL Sender Statistics",
 "process.name": "syslogd",
@@ -1639,7 +1639,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 27890,
 "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
 "process.name": "Google Chrome",
@@ -1656,7 +1656,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 28153,
 "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
 "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])",
@@ -1672,7 +1672,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 28368,
 "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
 "process.name": "Google Chrome",
@@ -1689,7 +1689,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "a-mac-with-esc-key",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 28631,
 "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
 "process.name": "Google Chrome",
diff --git a/filebeat/module/system/syslog/test/debian-12.journal-expected.json b/filebeat/module/system/syslog/test/debian-12.journal-expected.json
index aebf596762c..3e9b606be26 100644
--- a/filebeat/module/system/syslog/test/debian-12.journal-expected.json
+++ b/filebeat/module/system/syslog/test/debian-12.journal-expected.json
@@ -7,7 +7,7 @@
 "fileset.name": "syslog",
 "host.hostname": "vagrant-debian-12",
 "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a",
- "input.type": "system-logs",
+ "input.type": "journald",
 "log.syslog.facility.code": 3,
 "log.syslog.priority": 6,
 "message": "Stopped target getty.target - Login Prompts.",
@@ -32,7 +32,7 @@
 "fileset.name": "syslog",
 "host.hostname": "vagrant-debian-12",
 "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a",
- "input.type": "system-logs",
+ "input.type": "journald",
 "log.syslog.facility.code": 0,
 "log.syslog.priority": 6,
 "message": "Console: switching to colour frame buffer device 160x50",
@@ -50,7 +50,7 @@
 "fileset.name": "syslog",
 "host.hostname": "bookworm",
 "host.id": "5e6dc8fe417f4ea383e2afaa731f5d8a",
- "input.type": "system-logs",
+ "input.type": "journald",
 "log.syslog.facility.code": 0,
 "log.syslog.priority": 6,
 "message": "thermal_sys: Registered thermal governor 'power_allocator'",
diff --git a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json
index c07c51851de..4090efed2e7 100644
--- a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json
+++ b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json
@@ -6,7 +6,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "linux-sqrz",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 0,
 "message": "Stopped target Basic System.",
 "process.name": "systemd",
@@ -23,7 +23,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "linux-sqrz",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.offset": 88,
 "message": "Stopped target Paths.",
 "process.name": "systemd",
diff --git a/filebeat/module/system/syslog/test/tz-offset.log-expected.json b/filebeat/module/system/syslog/test/tz-offset.log-expected.json
index eacba0d40ac..905d8cfd95d 100644
--- a/filebeat/module/system/syslog/test/tz-offset.log-expected.json
+++ b/filebeat/module/system/syslog/test/tz-offset.log-expected.json
@@ -7,7 +7,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "rmbkmonitor04",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.file.path": "tz-offset.log",
 "log.offset": 0,
 "message": "shutting down for system halt",
@@ -26,7 +26,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "rmbkmonitor04",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.file.path": "tz-offset.log",
 "log.offset": 89,
 "message": "constraint_0_power_limit_uw exceeded.",
@@ -44,7 +44,7 @@
 "event.timezone": "-02:00",
 "fileset.name": "syslog",
 "host.hostname": "localhost",
- "input.type": "system-logs",
+ "input.type": "log",
 "log.file.path": "tz-offset.log",
 "log.offset": 184,
 "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)",