With 4.3.0 we're introducing a new set of pattern definitions compliant with Elastic Common Schema (ECS), on numerous places patterns are capturing names prescribed by the schema or use custom namespaces that do not conflict with ECS ones.
Changes are backwards compatible as much as possible and also include improvements to some of the existing patterns.
Besides fields having new names, values for numeric (integer or floating point) types are usually converted to their
numeric representation to ease further event processing (e.g. http.response.status_code
is now stored as an integer).
NOTE: to leverage the new ECS pattern set in Logstash a grok filter upgrade to version >= 4.4.0 is required.
-
aws
- in ECS mode we dropped the (incomplete) attempt to capture
rawrequest
fromS3_REQUEST_LINE
S3_ACCESS_LOG
will handle up-to-date S3 access-log formats (6 'new' field captures at the end) Host Id -> Signature Version -> Cipher Suite -> Authentication Type -> Host Header -> TLS versionELB_ACCESS_LOG
will handle optional (-
) in legacy mode- null values such as
-
or-1
time values (e.g.ELB_ACCESS_LOG
'srequest_processing_time
) are not captured in ECS mode
- in ECS mode we dropped the (incomplete) attempt to capture
-
bacula
- Fix: improve matching of
BACULA_HOST
asHOSTNAME
- Fix: legacy
BACULA_
patterns to handle (optional) spaces - Fix: handle
BACULA_LOG
'Job Id: X' prefix as optional - Fix: legacy matching of BACULA fatal error lines
- Fix: improve matching of
-
bind
BIND9
's legacyquerytype
was further split into multiple fields as:dns.question.type
andbind.log.question.flags
BIND9
patterns (legacy as well) were adjusted to handle Bind9 >= 9.11 compatibilityBIND9_QUERYLOGBASE
was introduced for potential re-use
-
bro
BRO_
patterns are stricter in ECS mode - won't mistakenly match newer BRO/Zeek formats- place holders such as
(empty)
tags and-
null values won't be captured - each
BRO_
pattern has a newerZEEK_
variant that supports latest Zeek 3.x versions e.g.ZEEK_HTTP
as a replacement forBRO_HTTP
(in ECS mode only), there's a new file zeek where all of theZEEK_XXX
pattern variants live
-
exim
- introduced
EXIM
(EXIM_MESSAGE_ARRIVAL
) to match message arrival log lines - in ECS mode!
- introduced
-
firewalls
- introduced
IPTABLES
pattern which is re-used withinSHOREWALL
andSFW2
SHOREWALL
now supports IPv6 addresses (in ECS mode - dueIPTABLES
pattern)timestamp
fields will be captured forSHOREWALL
andSFW2
in legacy mode as wellSHOREWALL
became less strict in containing thekernel:
sub-stringNETSCREENSESSIONLOG
properly handles optionalsession_id=... reason=...
suffixinterval
andxlate_type
(legacy) CISCO fields are not captured in ECS mode
- introduced
-
core (grok-patterns)
SYSLOGFACILITY
type casts facility code and priority in ECS modeSYSLOGTIMESTAMP
will be captured (fromSYSLOGBASE
) astimestamp
- Fix: e-mail address's local part to match according to RFC (#273)
-
haproxy
- several ECS-ified fields will be type-casted to integer in ECS mode e.g. haproxy.bytes_read
- fields containing null value (
-
) are no longer captured (e.g. in legacy modecaptured_request_cookie
gets captured even if"-"
)
-
httpd
- optional fields (e.g.
http.request.referrer
oruser_agent
) are only captured when not null (-
) source.port
(clientport
in legacy mode) is considered optional- dropped raw data (
rawrequest
legacy field) in ECS mode - Fix: HTTPD_ERRORLOG should match when module missing (#299)
- optional fields (e.g.
-
java
JAVASTACKTRACEPART
's matched line number will be converted to an integerCATALINALOG
matching was updated to handle Tomcat 7/8/9 logging formatTOMCATLOG
handles the default Tomcat 7/8/9 logging format- old (custom) legacy TOMCAT format is handled by the added
TOMCATLEGACY_LOG
TOMCATLOG
andTOMCAT_DATESTAMP
still match the legacy format, however this might change at a later point - if you rely on the old format useTOMCATLEGACY_
patterns
-
junos
- integer fields (e.g.
juniper.srx.elapsed_time
) are captured as integer values
- integer fields (e.g.
-
linux-syslog
SYSLOG5424LINE
captures (overwrites) themessage
field instead of using a custom field name- regardless of the format used, in ECS mode, timestamps are always captured as
timestamp
- fields such as
log.syslog.facility.code
andprocess.pid
are converted to integers
-
mcollective
- mcollective-patterns file was removed, it's all one mcollective in ECS mode
MCOLLECTIVE
'sprocess.pid
(pid
previously) is not type-casted to an integer
-
nagios
- numeric fields such as
nagios.log.attempt
are converted to integer values in ECS mode
- numeric fields such as
-
rails
- request duration times from
RAILS3
log will be converted to floating point values
- request duration times from
-
squid
SQUID3
'sduration
http.responsestatus_code
andbytes
are type-casted to intSQUID3
pattern won't capture null ('-')user.name
orsquid.response.content_type
- Fix: allow to parse SQUID log with status 0 (#298)
- Fix: handle optional server address (#298)
-
Fix: Java stack trace's JAVAFILE to better match generated names
-
Fix: match Information/INFORMATION in LOGLEVEL #274
-
Fix: NAGIOS TIMEPERIOD unknown (from/to) field matching #275
-
Fix: HTTPD access log parse failure on missing response #282
-
Fix: UNIXPATH to avoid DoS on long paths with unmatching chars #292
For longer paths, a non matching character towards the end of the path would cause the RegExp engine a long time to abort. With this change we're also explicit about not supporting relative paths (using the
PATH
pattern), these won't be properly matched. -
Feat: allow UNIXPATH to match non-ascii chars #291
- Fix some documentation issues
- Added SYSLOG5424LINE and test ipv4/ipv6/hostname as syslog5424_host rfc5424
- Accordig to rcf5424 IP address should be accepted
- HTTPDATE is used by patterns/aws
- HTTPD (formerly APACHE) deserves its own pattern and test files. See #45
- httpd: sync names between httpd20 and httpd24
- Adding maven version to the list of default Grok patterns
- Added Redis Monitor Log format
- Remove extra space in ASA-6-106015 rule
- fix COMMONAPACHELOG specs
- Added SuSEfirewall2 pattern
- switch USER to HTTPDUSER for "auth" field (match email addresses)
- bind9 pattern
- Pattern for squid3 native format
- Parse Cisco ASA-5-304001
- use underscores instead of hyphens in field names
- fix timestamp expect
- fix cs_protocol pattern name
- fix cs_protocol and cs_uri_query names
- added cloudfront spec test
- add pattern for cloudfront access log
- Java Patterns: JAVASTACKTRACEPART was duplicate
- Relax constraint on logstash-core-plugin-api to >= 1.60 <= 2.99
- Republish all the gems under jruby.
- Update the plugin to the version 2.0 of the plugin api, this change is required for Logstash 5.0 compatibility. See elastic/logstash#5141
- Specs fixes, see logstash-plugins#137
- Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
- New dependency requirements for logstash-core for the 5.0 release
- Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully, instead of using Thread.raise on the plugins' threads. Ref: elastic/logstash#3895
- Dependency on logstash-core update to 2.0
- Added grok patterns for nagios notifications
- Added commong exim patterns
- Allow optional space between sysloghost and colon, fixes elastic/logstash#2101 for Cisco ASA devises.
- Make progname optional (not always provided) for the syslog base patern.
- Improve pattern matching performance for IPV4 patterns.
- Fixes: UNIXPATH pattern does not combine well with comma delimination, logstash-plugins#13
- Add new valid characters for URI's in HTML5 patterns.
- Make IPORHOST pattern match first an IP and then a HOST as the name implies.
- Added patterns for ASA-4-106100, ASA-4-106102, ASA-4-106103 CISCO firewalls.
- Update CISCOFW106023 rule to match values from FWSM
- Add basic apache httpd error log format
- Support TIMESTAMP_ISO8601 in HAProxy patterns, useful for rsyslog and other systems that can be configured to use this format. Fixes logstash-plugins#80
- Updated the AWS S3 patterns
- Added patterns for rails 3
- Added patterns for haproxy
- Added patterns for bro http.log
- Added shorewall patterns
- Added patterns for S3 and ELB access logs amazon services
- add some missing Cisco ASA firewall system log patterns
- fix cisco firewall policy_id regex for policies with '-' in the name
- Added Catalina and Tomcat patterns
- Added German month names