[Automatic Import] Introduce support for structured logs #191749
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bhapas
changed the title
bhapas
force-pushed
the
kv_graph_impl
branch
from
6b5f8e5 to
594e219
Compare
bhapas
added
backport:skip
|
Pinging @elastic/security-scalability (Team:Security-Scalability) |
|
@elasticmachine merge upstream |
semd
reviewed
Sep 9, 2024
x-pack/plugins/integration_assistant/common/api/categorization/categorization_route.ts
Outdated
Show resolved
Hide resolved
semd
reviewed
Sep 9, 2024
.../create_integration/create_integration_assistant/steps/data_stream_step/generation_modal.tsx
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
kgeller
reviewed
Sep 9, 2024
x-pack/plugins/integration_assistant/server/graphs/kv/prompts.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/integration_assistant/server/graphs/kv/prompts.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/integration_assistant/server/graphs/kv/prompts.ts
Outdated
Show resolved
Hide resolved
Comment on lines
+26
to
+30
| - If the syslog samples have structured body then classify it as "log_type: structured". | ||
| - If the syslog samples have unstructured body then classify it as "log_type: unstructured". | ||
| - If the syslog samples follow a csv format then classify it as "log_type: csv". | ||
| - If the samples are identified as "csv" and there is a csv header then set "header: true" , else set "header: false". | ||
| - If you do not find the log format in any of the above categories then classify it as "log_type: unsupported". |
There was a problem hiding this comment.
do we need to add/update any documentation around what we do and do not support?
There was a problem hiding this comment.
Yeah. The documentation update is a followup task for the additional log formats being introduced. I think we should make a public doc somewhere and link it to UI.. This is a change we wait for UX to get along.
@ebeahan WDYT?
x-pack/plugins/integration_assistant/server/graphs/log_type_detection/graph.ts
Outdated
Show resolved
Hide resolved
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @bhapas |
kgeller
approved these changes
Sep 10, 2024
kgeller
added
backport:prev-minor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
bhapas
added a commit
to bhapas/kibana
that referenced
this pull request
Sep 11, 2024
) ## Summary This PR introduces `KVGraph` that is used to support `structured` log samples. Examples of structured log samples would be: ``` <134>1 1639132850.430422377 AP1 events type=disassociation radio='1' vap='1' client_mac='B0:A4:60:9B:3B:A6' channel='100' reason='1' instigator='2' duration='223.031691642' auth_neg_dur='0.005054229' last_auth_ago='223.020414600' is_wpa='1' full_conn='0.384002374' ip_resp='0.384002374' ip_src='10.197.39.50' http_resp='0.647356228' arp_resp='0.013562625' arp_src='10.197.39.50' dns_server='10.128.128.128' dns_req_rtt='0.023370084' dns_resp='0.263616104' dhcp_lease_completed='0.009196083' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:31:23:60' dhcp_resp='0.009196083' aid='977866432' ``` Currently the tests prove that it works best with the log samples adhering to `RFC5424` and `RFC3164`. The Graph shall be improved to work with `Custom Formats` going forward. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 08f70b7) # Conflicts: # x-pack/plugins/integration_assistant/common/api/ecs/ecs_route.ts
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
bhapas
added a commit
that referenced
this pull request
Sep 11, 2024
) (#192539) # Backport This will backport the following commits from `main` to `8.15`: - [[Automatic Import] Introduce support for structured logs (#191749)](#191749) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Bharat Pasupula","email":"123897612+bhapas@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-09-10T16:36:04Z","message":"[Automatic Import] Introduce support for structured logs (#191749)\n\n## Summary\r\n\r\nThis PR introduces `KVGraph` that is used to support `structured` log\r\nsamples.\r\n\r\nExamples of structured log samples would be:\r\n\r\n```\r\n<134>1 1639132850.430422377 AP1 events type=disassociation radio='1' vap='1' client_mac='B0:A4:60:9B:3B:A6' channel='100' reason='1' instigator='2' duration='223.031691642' auth_neg_dur='0.005054229' last_auth_ago='223.020414600' is_wpa='1' full_conn='0.384002374' ip_resp='0.384002374' ip_src='10.197.39.50' http_resp='0.647356228' arp_resp='0.013562625' arp_src='10.197.39.50' dns_server='10.128.128.128' dns_req_rtt='0.023370084' dns_resp='0.263616104' dhcp_lease_completed='0.009196083' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:31:23:60' dhcp_resp='0.009196083' aid='977866432'\r\n```\r\n\r\nCurrently the tests prove that it works best with the log samples\r\nadhering to `RFC5424` and `RFC3164`. The Graph shall be improved to work\r\nwith `Custom Formats` going forward.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"08f70b70371f68a5fc419298b02b76aa1e893a8b","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:feature","backport:prev-minor","v8.16.0","Team:Security-Scalability"],"number":191749,"url":"https://github.com/elastic/kibana/pull/191749","mergeCommit":{"message":"[Automatic Import] Introduce support for structured logs (#191749)\n\n## Summary\r\n\r\nThis PR introduces `KVGraph` that is used to support `structured` log\r\nsamples.\r\n\r\nExamples of structured log samples would be:\r\n\r\n```\r\n<134>1 1639132850.430422377 AP1 events type=disassociation radio='1' vap='1' client_mac='B0:A4:60:9B:3B:A6' channel='100' reason='1' instigator='2' duration='223.031691642' auth_neg_dur='0.005054229' last_auth_ago='223.020414600' is_wpa='1' full_conn='0.384002374' ip_resp='0.384002374' ip_src='10.197.39.50' http_resp='0.647356228' arp_resp='0.013562625' arp_src='10.197.39.50' dns_server='10.128.128.128' dns_req_rtt='0.023370084' dns_resp='0.263616104' dhcp_lease_completed='0.009196083' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:31:23:60' dhcp_resp='0.009196083' aid='977866432'\r\n```\r\n\r\nCurrently the tests prove that it works best with the log samples\r\nadhering to `RFC5424` and `RFC3164`. The Graph shall be improved to work\r\nwith `Custom Formats` going forward.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"08f70b70371f68a5fc419298b02b76aa1e893a8b"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.16.0","labelRegex":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/191749","number":191749,"mergeCommit":{"message":"[Automatic Import] Introduce support for structured logs (#191749)\n\n## Summary\r\n\r\nThis PR introduces `KVGraph` that is used to support `structured` log\r\nsamples.\r\n\r\nExamples of structured log samples would be:\r\n\r\n```\r\n<134>1 1639132850.430422377 AP1 events type=disassociation radio='1' vap='1' client_mac='B0:A4:60:9B:3B:A6' channel='100' reason='1' instigator='2' duration='223.031691642' auth_neg_dur='0.005054229' last_auth_ago='223.020414600' is_wpa='1' full_conn='0.384002374' ip_resp='0.384002374' ip_src='10.197.39.50' http_resp='0.647356228' arp_resp='0.013562625' arp_src='10.197.39.50' dns_server='10.128.128.128' dns_req_rtt='0.023370084' dns_resp='0.263616104' dhcp_lease_completed='0.009196083' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:31:23:60' dhcp_resp='0.009196083' aid='977866432'\r\n```\r\n\r\nCurrently the tests prove that it works best with the log samples\r\nadhering to `RFC5424` and `RFC3164`. The Graph shall be improved to work\r\nwith `Custom Formats` going forward.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"08f70b70371f68a5fc419298b02b76aa1e893a8b"}}]}] BACKPORT-->
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release note
Adds a feature to implement support for syslogs with
structured message bodySummary
This PR introduces
KVGraphthat is used to supportstructuredlog samples.Examples of structured log samples would be:
Currently the tests prove that it works best with the log samples adhering to
RFC5424andRFC3164. The Graph shall be improved to work withCustom Formatsgoing forward.Checklist
For maintainers