Cherry-pick #10760 to 6.8: (#15980)
Adding Cisco support for the Syslog parser

* Adding Cisco support for the Syslog parser

Add support for the "sequence" number in the log format sent by Cisco switch devices.

Fixes: #10654, #15979

(cherry picked from commit dd92b6f)

Co-authored-by: Pier-Hugues Pellerin <[email protected]>
ph authored Mar 5, 2020
1 parent 05ee592 commit ecd273d
Showing 11 changed files with 1,651 additions and 820 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -38,6 +38,7 @@ https://github.com/elastic/beats/compare/v6.8.0...6.8.1[Check the HEAD diff]

*Filebeat*

- Add support for Cisco syslog format used by their switch. {pull}10760[10760]

*Heartbeat*

6 changes: 6 additions & 0 deletions filebeat/_meta/fields.common.yml
Expand Up @@ -60,6 +60,12 @@
description: >
The Filebeat dataset that generated this event.
- name: event.sequence
type: long
required: false
description: >
The sequence number of this event.
- name: syslog.facility
type: long
required: false
12 changes: 12 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -3299,6 +3299,18 @@ The Filebeat fileset that generated this event.
The Filebeat dataset that generated this event.
--
*`event.sequence`*::
+
--
type: long
required: False
The sequence number of this event.
--
*`syslog.facility`*::
2 changes: 1 addition & 1 deletion filebeat/include/fields.go


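--- a/filebeat/input/syslog/event.go
+++ b/filebeat/input/syslog/event.go
@@ -71,6 +71,7 @@ type event struct {
 nanosecond int
 year int
 loc *time.Location
+sequence int
 }
 
 // newEvent() return a new event.
@@ -84,6 +85,7 @@ func newEvent() *event {
 minute: -1,
 second: -1,
 year: time.Now().Year(),
+sequence: -1,
 }
 }
 
@@ -269,6 +271,17 @@ func (s *event) HasPid() bool {
 return s.pid > 0
 }
 
+// SetSequence set the sequence number for this event.
+func (s *event) SetSequence(b []byte) {
+s.sequence = bytesToInt(b)
+}
+
+// Sequence returns the sequence number of the event when defined,
+// otherwise return -1.
+func (s *event) Sequence() int {
+return s.sequence
+}
+
 // SetNanoSecond sets the nanosecond.
 func (s *event) SetNanosecond(b []byte) {
 // We assume that we receive a byte array representing a nanosecond, this might not be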
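Review bot: `SetSequence` stores whatever `bytesToInt` returns without confirming the bytes were a valid number, so a malformed or oversized sequence field from a remote syslog sender can never leave `sequence` at the -1 sentinel that `newEvent` initialises it to. `bytesToInt` is outside this hunk; if it yields 0 on failure, the emitted document carries `event.sequence: 0`, indistinguishable from a genuine zero, and the `!= -1` check downstream cannot tell the cases apart. Consider validating the digits here (or having the helper report an error) and mirroring `HasPid` with a `HasSequence()` predicate so callers do not compare against the sentinel directly. The doc comments should also read `// SetSequence sets the sequence number for this event.` and `// Sequence returns the sequence number of the event when defined, otherwise -1.`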
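--- a/filebeat/input/syslog/input.go
+++ b/filebeat/input/syslog/input.go
@@ -37,6 +37,7 @@ import (
 
 // Parser is generated from a ragel state machine using the following command:
 //go:generate ragel -Z -G2 parser.rl -o parser.go
+//go:generate go fmt parser.go
 
 // Severity and Facility are derived from the priority, theses are the human readable terms
 // defined in https://tools.ietf.org/html/rfc3164#section-4.1.1.
@@ -251,6 +252,10 @@ func createEvent(ev *event, metadata inputsource.NetworkMetadata, timezone *time
 f["event"] = event
 f["process"] = process
 
+if ev.Sequence() != -1 {
+f["event.sequence"] = ev.Sequence()
+}
+
 return &beat.Event{
 Timestamp: ev.Timestamp(timezone),
 Meta: common.MapStr{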
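Review bot: The new lines write the sequence under the flat dotted key `f["event.sequence"]` while the surrounding code stores the rest of the event data as a nested map via `f["event"] = event` two lines above, so one document ends up with both an `event` object and a top-level `event.sequence` key. Elasticsearch merges dotted names and `MapStr.GetValue` appears to resolve the flat key (the new test relies on it), but other consumers of the beat output see two shapes for the same namespace. If `event` is the `common.MapStr` that assignment suggests, `event["sequence"] = ev.Sequence()` placed before `f["event"] = event` keeps the shape uniform. `createEvent` begins and ends outside this hunk.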
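--- a/filebeat/input/syslog/input_test.go
+++ b/filebeat/input/syslog/input_test.go
@@ -176,6 +176,32 @@ func TestProgram(t *testing.T) {
 })
 }
 
+func TestSequence(t *testing.T) {
+t.Run("is set", func(t *testing.T) {
+e := newEvent()
+e.SetMessage([]byte("hello world"))
+e.SetProgram([]byte("sudo"))
+e.SetSequence([]byte("123"))
+m := dummyMetadata()
+event := createEvent(e, m, time.Local, logp.NewLogger("syslog"))
+v, err := event.GetValue("event.sequence")
+if !assert.NoError(t, err) {
+return
+}
+assert.Equal(t, v, 123)
+})
+
+t.Run("is not set", func(t *testing.T) {
+e := newEvent()
+e.SetMessage([]byte("hello world"))
+m := dummyMetadata()
+event := createEvent(e, m, time.Local, logp.NewLogger("syslog"))
+
+_, err := event.GetValue("event.sequence")
+assert.Error(t, err)
+})
+}
+
 func dummyMetadata() inputsource.NetworkMetadata {
 ip := "127.0.0.1"
 parsedIP := net.ParseIP(ip)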
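Review bot: `assert.Equal(t, v, 123)` in the "is set" case passes the actual value in the expected slot, so a failure prints the two values the wrong way round; testify's order is `assert.Equal(t, 123, v)`. The test also covers only a well-formed number; a third case such as `e.SetSequence([]byte("abc"))` followed by a `GetValue("event.sequence")` check would pin down what the event does with non-numeric input from a remote sender, which the new code otherwise leaves unspecified. `dummyMetadata` continues past the end of the hunk.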
