diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 68d0f9291af..269a69546ca 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -119,6 +119,7 @@ https://github.com/elastic/beats/compare/v7.11.2...v7.12.0[View commits] - Upgrade okta to ECS 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929] - Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118] - Add fileset to ingest PostgreSQL CSV logs. {pull}23334[23334] +- Add beta support for RFC 5424 to the Syslog input. {pull}23954[23954] *Heartbeat* diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index dd459a2cfac..eeef0af16ca 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -467,10 +467,10 @@ filebeat.inputs: #ssl.client_authentication: "required" #------------------------------ Syslog input -------------------------------- -# Experimental: Config options for the Syslog input # Accept RFC3164 formatted syslog event via UDP. #- type: syslog #enabled: false + #format: rfc3164 #protocol.udp: # The host and port to receive the new event #host: "localhost:9000" @@ -478,9 +478,11 @@ filebeat.inputs: # Maximum size of the message received over UDP #max_message_size: 10KiB -# Accept RFC3164 formatted syslog event via TCP. +# Accept RFC5424 formatted syslog event via TCP. +# RFC5424 support is in beta. #- type: syslog #enabled: false + #format: rfc5424 #protocol.tcp: # The host and port to receive the new event diff --git a/filebeat/docs/inputs/input-syslog.asciidoc b/filebeat/docs/inputs/input-syslog.asciidoc index f9a24c04b81..1553d89e396 100644 --- a/filebeat/docs/inputs/input-syslog.asciidoc +++ b/filebeat/docs/inputs/input-syslog.asciidoc 
@@ -7,8 +7,7 @@ Syslog ++++ -Use the `syslog` input to read events over TCP, UDP, or a Unix stream socket, this input will parse BSD (rfc3164) -event and some variant. +The `syslog` input reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket. RFC 5424 support is currently in beta. Example configurations: @@ -16,6 +15,7 @@ Example configurations: ---- {beatname_lc}.inputs: - type: syslog + format: rfc3164 protocol.udp: host: "localhost:9000" ---- @@ -24,6 +24,7 @@ Example configurations: ---- {beatname_lc}.inputs: - type: syslog + format: rfc5424 protocol.tcp: host: "localhost:9000" ---- @@ -32,15 +33,20 @@ Example configurations: ---- {beatname_lc}.inputs: - type: syslog + format: auto protocol.unix: path: "/path/to/syslog.sock" ---- ==== Configuration options -The `syslog` input supports protocol specific configuration options plus the +The `syslog` input configuration includes format, protocol specific options, and the <<{beatname_lc}-input-{type}-common-options>> described later. +===== `format` + +The syslog variant to use, `rfc3164` or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `rfc3164`. The `rfc5424` and `auto` options are currently in beta. + ===== Protocol `udp`: include::../inputs/input-common-udp-options.asciidoc[] diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index ff4f3759049..15a92c8e91c 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -874,10 +874,10 @@ filebeat.inputs: #ssl.client_authentication: "required" #------------------------------ Syslog input -------------------------------- -# Experimental: Config options for the Syslog input # Accept RFC3164 formatted syslog event via UDP. #- type: syslog #enabled: false + #format: rfc3164 #protocol.udp: # The host and port to receive the new event #host: "localhost:9000" 
@@ -885,9 +885,11 @@ filebeat.inputs: # Maximum size of the message received over UDP #max_message_size: 10KiB -# Accept RFC3164 formatted syslog event via TCP. +# Accept RFC5424 formatted syslog event via TCP. +# RFC5424 support is in beta. #- type: syslog #enabled: false + #format: rfc5424 #protocol.tcp: # The host and port to receive the new event diff --git a/filebeat/input/syslog/input.go b/filebeat/input/syslog/input.go index ee8f9ab1e30..0a15bec9196 100644 --- a/filebeat/input/syslog/input.go +++ b/filebeat/input/syslog/input.go @@ -111,8 +111,6 @@ func NewInput( outlet channel.Connector, context input.Context, ) (input.Input, error) { - cfgwarn.Experimental("Syslog input type is used") - log := logp.NewLogger("syslog") out, err := outlet.Connect(cfg) @@ -125,6 +123,10 @@ func NewInput( return nil, err } + if config.Format != syslogFormatRFC3164 { + cfgwarn.Beta("Syslog RFC 5424 format is enabled") + } + forwarder := harvester.NewForwarder(out) cb := GetCbByConfig(config, forwarder, log) server, err := factory(cb, config.Protocol) diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 5a5b0d7c603..614f19ce1a4 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -2721,10 +2721,10 @@ filebeat.inputs: #ssl.client_authentication: "required" #------------------------------ Syslog input -------------------------------- -# Experimental: Config options for the Syslog input # Accept RFC3164 formatted syslog event via UDP. #- type: syslog #enabled: false + #format: rfc3164 #protocol.udp: # The host and port to receive the new event #host: "localhost:9000" 
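Review bot: The beta warning added in the second input.go hunk is guarded by `config.Format != syslogFormatRFC3164`, so it also fires for `format: auto`, yet the message always says RFC 5424 is enabled. The docs in this commit list `auto` as beta too, so an operator who set it gets a log line that does not match their configuration. That matters on a network-facing input where the beta parsing path is handling data from remote senders. Wording that matches the condition would help, e.g. `cfgwarn.Beta("Syslog RFC 5424 format or format auto-detection is enabled")`, with a comment above the check such as `// Every format other than rfc3164 (rfc5424, auto) is beta.` NewInput begins and ends outside the hunk, so it is not visible whether Format is validated against the three documented values before this check; if it is not, an unrecognised value would produce the same warning.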
@@ -2732,9 +2732,11 @@ filebeat.inputs: # Maximum size of the message received over UDP #max_message_size: 10KiB -# Accept RFC3164 formatted syslog event via TCP. +# Accept RFC5424 formatted syslog event via TCP. +# RFC5424 support is in beta. #- type: syslog #enabled: false + #format: rfc5424 #protocol.tcp: # The host and port to receive the new event