From ab6c45b51e9d9d92039d4cce4e2a747f75dcf259 Mon Sep 17 00:00:00 2001 From: Fae Charlton Date: Tue, 13 Apr 2021 12:17:47 -0400 Subject: [PATCH 1/4] Update documentation / changelog / beta warnings for the syslog input --- CHANGELOG.asciidoc | 1 + .../_meta/config/filebeat.inputs.reference.yml.tmpl | 6 ++++-- filebeat/docs/inputs/input-syslog.asciidoc | 12 +++++++++--- filebeat/input/syslog/input.go | 6 ++++-- 4 files changed, 18 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 68d0f9291afd..269a69546ca7 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -119,6 +119,7 @@ https://github.com/elastic/beats/compare/v7.11.2...v7.12.0[View commits] - Upgrade okta to ECS 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929] - Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118] - Add fileset to ingest PostgreSQL CSV logs. {pull}23334[23334] +- Add beta support for RFC 5424 to the Syslog input. {pull}23954[23954] *Heartbeat* diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index dd459a2cfacc..eeef0af16ca7 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -467,10 +467,10 @@ filebeat.inputs: #ssl.client_authentication: "required" #------------------------------ Syslog input -------------------------------- -# Experimental: Config options for the Syslog input # Accept RFC3164 formatted syslog event via UDP. #- type: syslog #enabled: false + #format: rfc3164 #protocol.udp: # The host and port to receive the new event #host: "localhost:9000" 
@@ -478,9 +478,11 @@ filebeat.inputs: # Maximum size of the message received over UDP #max_message_size: 10KiB -# Accept RFC3164 formatted syslog event via TCP. +# Accept RFC5424 formatted syslog event via TCP. +# RFC5424 support is in beta. #- type: syslog #enabled: false + #format: rfc5424 #protocol.tcp: # The host and port to receive the new event diff --git a/filebeat/docs/inputs/input-syslog.asciidoc b/filebeat/docs/inputs/input-syslog.asciidoc index f9a24c04b818..c430c6aa2357 100644 --- a/filebeat/docs/inputs/input-syslog.asciidoc +++ b/filebeat/docs/inputs/input-syslog.asciidoc @@ -7,8 +7,7 @@ Syslog ++++ -Use the `syslog` input to read events over TCP, UDP, or a Unix stream socket, this input will parse BSD (rfc3164) -event and some variant. +The `syslog` input reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket. RFC 5424 support is currently in beta. Example configurations: @@ -16,6 +15,7 @@ Example configurations: ---- {beatname_lc}.inputs: - type: syslog + format: rfc3164 protocol.udp: host: "localhost:9000" ---- @@ -24,6 +24,7 @@ Example configurations: ---- {beatname_lc}.inputs: - type: syslog + format: rfc5424 protocol.tcp: host: "localhost:9000" ---- @@ -32,15 +33,20 @@ Example configurations: ---- {beatname_lc}.inputs: - type: syslog + format: auto protocol.unix: path: "/path/to/syslog.sock" ---- ==== Configuration options -The `syslog` input supports protocol specific configuration options plus the +The `syslog` input configuration includes format, protocol specific options, and the <<{beatname_lc}-input-{type}-common-options>> described later. +===== `format` + +Which syslog variant to use: `rfc3164`, `rfc5424`, or `auto` to attempt to detect the variant automatically from the log entries. The default is `rfc3164`. `rfc5424` and `auto` options are currently in beta. + ===== Protocol `udp`: include::../inputs/input-common-udp-options.asciidoc[] 
diff --git a/filebeat/input/syslog/input.go b/filebeat/input/syslog/input.go index ee8f9ab1e30b..0a15bec91968 100644 --- a/filebeat/input/syslog/input.go +++ b/filebeat/input/syslog/input.go @@ -111,8 +111,6 @@ func NewInput( outlet channel.Connector, context input.Context, ) (input.Input, error) { - cfgwarn.Experimental("Syslog input type is used") - log := logp.NewLogger("syslog") out, err := outlet.Connect(cfg) @@ -125,6 +123,10 @@ func NewInput( return nil, err } + if config.Format != syslogFormatRFC3164 { + cfgwarn.Beta("Syslog RFC 5424 format is enabled") + } + forwarder := harvester.NewForwarder(out) cb := GetCbByConfig(config, forwarder, log) server, err := factory(cb, config.Protocol) From 464e54e523a1cb988968f9ec3630ed9588c8b984 Mon Sep 17 00:00:00 2001 From: Fae Charlton Date: Tue, 13 Apr 2021 13:08:23 -0400 Subject: [PATCH 2/4] mage update --- filebeat/filebeat.reference.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 38ecc9fb0b59..970f58146c12 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -874,10 +874,10 @@ filebeat.inputs: #ssl.client_authentication: "required" #------------------------------ Syslog input -------------------------------- -# Experimental: Config options for the Syslog input # Accept RFC3164 formatted syslog event via UDP. #- type: syslog #enabled: false + #format: rfc3164 #protocol.udp: # The host and port to receive the new event #host: "localhost:9000" @@ -885,9 +885,11 @@ filebeat.inputs: # Maximum size of the message received over UDP #max_message_size: 10KiB -# Accept RFC3164 formatted syslog event via TCP. +# Accept RFC5424 formatted syslog event via TCP. +# RFC5424 support is in beta. #- type: syslog #enabled: false + #format: rfc5424 #protocol.tcp: # The host and port to receive the new event From cb6cd76623c038d6c220471842199dcfe8c2295f Mon Sep 17 00:00:00 2001 
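Review bot: The added guard in NewInput, `if config.Format != syslogFormatRFC3164`, also fires for `format: auto` (documented in this same patch), but the message says "Syslog RFC 5424 format is enabled", which misstates what the operator turned on. With `auto` the parser is presumably selected per message from sender-supplied content on a network listener, so the warning should name the configured mode, e.g. `cfgwarn.Beta("Syslog input format %v is in beta", config.Format)`, assuming the format value prints usefully. A comment above the check such as `// rfc5424 and auto are beta; rfc3164 is the only stable format` would make the negative comparison easier to read and remind whoever adds a new format to revisit it. NewInput starts and ends outside the hunk, so how config.Format is validated before this point is not visible here.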
From: Fae Charlton Date: Tue, 13 Apr 2021 15:03:38 -0400 Subject: [PATCH 3/4] edits based on pr review --- filebeat/docs/inputs/input-syslog.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/docs/inputs/input-syslog.asciidoc b/filebeat/docs/inputs/input-syslog.asciidoc index c430c6aa2357..1553d89e3969 100644 --- a/filebeat/docs/inputs/input-syslog.asciidoc +++ b/filebeat/docs/inputs/input-syslog.asciidoc @@ -45,7 +45,7 @@ The `syslog` input configuration includes format, protocol specific options, and ===== `format` -Which syslog variant to use: `rfc3164`, `rfc5424`, or `auto` to attempt to detect the variant automatically from the log entries. The default is `rfc3164`. `rfc5424` and `auto` options are currently in beta. +The syslog variant to use, `rfc3164` or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `rfc3164`. The `rfc5424` and `auto` options are currently in beta. ===== Protocol `udp`: From 60785c05e87a5e4521ec455bdfb8ae7fe1f95b82 Mon Sep 17 00:00:00 2001 From: Fae Charlton Date: Wed, 14 Apr 2021 10:16:11 -0400 Subject: [PATCH 4/4] mage update again --- x-pack/filebeat/filebeat.reference.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 0773814bb2d2..6035c6f00060 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -2725,10 +2725,10 @@ filebeat.inputs: #ssl.client_authentication: "required" #------------------------------ Syslog input -------------------------------- -# Experimental: Config options for the Syslog input # Accept RFC3164 formatted syslog event via UDP. #- type: syslog #enabled: false + #format: rfc3164 #protocol.udp: # The host and port to receive the new event #host: "localhost:9000" 
@@ -2736,9 +2736,11 @@ filebeat.inputs: # Maximum size of the message received over UDP #max_message_size: 10KiB -# Accept RFC3164 formatted syslog event via TCP. +# Accept RFC5424 formatted syslog event via TCP. +# RFC5424 support is in beta. #- type: syslog #enabled: false + #format: rfc5424 #protocol.tcp: # The host and port to receive the new event