From 0c6236df276b70bf681ff6baddb83ad7d11f404e Mon Sep 17 00:00:00 2001
From: Blake Rouse
Date: Wed, 5 Feb 2020 16:37:22 -0500
Subject: [PATCH 1/3] Improve parsing of syslog.pid in journalbeat to strip the username in pid when present.
---
 journalbeat/reader/journal.go | 10 ++++++--
 journalbeat/reader/journal_test.go | 39 ++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go
index 463f5090981..91475437c8b 100644
--- a/journalbeat/reader/journal.go
+++ b/journalbeat/reader/journal.go
@@ -288,8 +288,14 @@ func (r *Reader) convertNamedField(fc fieldConversion, value string) interface{}
 if fc.isInteger {
 v, err := strconv.ParseInt(value, 10, 64)
 if err != nil {
- r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
- return value
+ // Failed to convert to integer, try to strip ',\w*' from the
+ // end of of the value and try again.
+ s := strings.Split(value, ",")
+ v, err = strconv.ParseInt(s[0], 10, 64)
+ if err != nil {
+ r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
+ return value
+ }
 }
 return v
 }
diff --git a/journalbeat/reader/journal_test.go b/journalbeat/reader/journal_test.go
index 76ff33ecea2..8ce288e05d7 100644
--- a/journalbeat/reader/journal_test.go
+++ b/journalbeat/reader/journal_test.go
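Review bot: The comma fallback in `convertNamedField` runs for every field that has `fc.isInteger` set, not only for `syslog.pid`, and it drops everything after the first comma without any log line, so a value such as `12,anything` in any integer field is emitted as `12`. In journald, fields without a leading underscore (SYSLOG_PID among them) are supplied by the logging client, so the tolerant path is worth keeping narrow: apply the strip only to the PID field and emit a debug message when a suffix was discarded, so the original value stays traceable. Since only the first element is used, `s := strings.SplitN(value, ",", 2)` would avoid splitting the whole string. The comment rewritten in the [PATCH 3/3] hunk describes this as `syslog.pid` behaviour, which the code itself does not enforce. The function body continues outside the hunk, so whether callers already restrict `fc` cannot be seen from here.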
@@ -57,6 +57,45 @@ func TestToEvent(t *testing.T) {
 },
 },
 },
+ // 'syslog.pid' field without user append
+ ToEventTestCase{
+ entry: sdjournal.JournalEntry{
+ Fields: map[string]string{
+ sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456",
+ },
+ },
+ expectedFields: common.MapStr{
+ "syslog": common.MapStr{
+ "pid": int64(123456),
+ },
+ },
+ },
+ // 'syslog.pid' field with user append
+ ToEventTestCase{
+ entry: sdjournal.JournalEntry{
+ Fields: map[string]string{
+ sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456,root",
+ },
+ },
+ expectedFields: common.MapStr{
+ "syslog": common.MapStr{
+ "pid": int64(123456),
+ },
+ },
+ },
+ // 'syslog.pid' field empty
+ ToEventTestCase{
+ entry: sdjournal.JournalEntry{
+ Fields: map[string]string{
+ sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "",
+ },
+ },
+ expectedFields: common.MapStr{
+ "syslog": common.MapStr{
+ "pid": "",
+ },
+ },
+ },
 // custom field
 ToEventTestCase{
 entry: sdjournal.JournalEntry{
From bc04201aeb8dfcd905f469b387768d30ec8aa767 Mon Sep 17 00:00:00 2001
From: Blake Rouse
Date: Wed, 5 Feb 2020 17:08:09 -0500
Subject: [PATCH 2/3] Add entry to changelog with pull ID.
---
 CHANGELOG.next.asciidoc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 31cba771a2f..dbd234fb942 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -24,6 +24,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Journalbeat*
+- Improve parsing of syslog.pid in journalbeat to strip the username when present {pull}16116[16116]
+
 *Metricbeat*
From ead30bdc05e1670c091bb8abc67a2d6d26396c54 Mon Sep 17 00:00:00 2001
From: Blake Rouse
Date: Fri, 7 Feb 2020 11:20:53 -0500
Subject: [PATCH 3/3] Improve the comment on the username strip.
---
 journalbeat/reader/journal.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go
index 91475437c8b..a2c9d0e8ce1 100644
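Review bot: None of the three added cases pins what happens when the text before the comma is not a number, which is the path that has to hand the original string back unchanged; the empty-string case reaches the inner failure branch but contains no comma. A case with a non-numeric prefix, plus one with more than one comma, would document the intended result for malformed client-supplied values. TestToEvent starts and ends outside the hunk, so the surrounding table layout is assumed to match the added entries.

```go
// 'syslog.pid' field with a non-numeric prefix (constructed example)
ToEventTestCase{
	entry: sdjournal.JournalEntry{
		Fields: map[string]string{
			sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: ",root",
		},
	},
	expectedFields: common.MapStr{
		"syslog": common.MapStr{
			"pid": ",root",
		},
	},
},
// … unchanged: existing 'syslog.pid' cases and the custom field case …
```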
--- a/journalbeat/reader/journal.go
+++ b/journalbeat/reader/journal.go
@@ -288,8 +288,10 @@ func (r *Reader) convertNamedField(fc fieldConversion, value string) interface{}
 if fc.isInteger {
 v, err := strconv.ParseInt(value, 10, 64)
 if err != nil {
- // Failed to convert to integer, try to strip ',\w*' from the
- // end of of the value and try again.
+ // On some versions of systemd the 'syslog.pid' can contain the username
+ // appended to the end of the pid. In most cases this does not occur
+ // but in the cases that it does, this tries to strip ',\w*' from the
+ // value and then perform the conversion.
 s := strings.Split(value, ",")
 v, err = strconv.ParseInt(s[0], 10, 64)
 if err != nil {