-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
changed input from syslog to tcp/udp due to unsupported RFC #18447
Conversation
Pinging @elastic/siem (Team:SIEM) |
💔 Tests FailedExpand to view the summary
Build stats
Test stats 🧪
Test errorsExpand to view the tests failures
--------------------- >> end captured stdout << ---------------------- Steps errorsExpand to view the steps failures
Log outputExpand to view the last 100 lines of log output
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you manually check the udp input with a netcat message?
|
||
The interface to listen to UDP based syslog traffic. Defaults to localhost. | ||
The protocol to use, can be either the value `tcp` or `udp`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about mentioning file
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you manually check the udp input with a netcat message?
I tested with both TCP and UDP. TCP works with the same amount of messages and 0 error.messages filled, UDP also works but I see a few GROK missmatch messages (with the same logs). This seems to be because it sends the whole 300 messages at the same time, and all messages that gets through gets parsed correctly, while the other few gets a grok error message.
Any idea here? Testing seems fine, and If I tested with a smaller set of logs it should still work fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did some new testing, UDP is also fine.
@@ -1,14 +1,14 @@ | |||
module_version: 1.0 | |||
|
|||
var: | |||
- name: syslog_host | |||
- name: host |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you might still want to call this variables syslog_host
and syslog_port
to stay aligned with the rest of the modules. The underlying protocol is still syslog (more or less), right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All review comments have been addressed and CI failure is unrelated.
…w-oss * upstream/master: (27 commits) Disable host fields for "cloud", panw, cef modules (elastic#18223) [docs] Rename monitoring collection from legacy internal collection to legacy collection (elastic#18504) Introduce auto detection of format (elastic#18095) Add additional fields to address issue elastic#18465 for googlecloud audit log (elastic#18472) Fix libbeat import path in seccomp policy template (elastic#18418) Address Okta input issue elastic#18530 (elastic#18534) [Ingest Manager] Avoid Chown on windows (elastic#18512) Fix Cisco ASA/FTD msgs that use a host name as NAT address (elastic#18376) [CI] Optimise stash/unstash performance (elastic#18473) Libbeat: Remove global loggers from libbeat/metric and libbeat/cloudid (elastic#18500) Fix PANW bad mapping of client/source and server/dest packets and bytes (elastic#18525) Add a file lock to the data directory on startup to prevent multiple agents. (elastic#18483) Followup to 12606 (elastic#18316) changed input from syslog to tcp/udp due to unsupported RFC (elastic#18447) Improve ECS field mappings in Sysmon module. (elastic#18381) [Elastic Agent] Cleaner output of inspect command (elastic#18405) [Elastic Agent] Pick up version from libbeat (elastic#18350) Update communitybeats.asciidoc (elastic#18470) [Metricbeat] Change visualization interval from 15m to >=15m (elastic#18466) docs: Fix typo in kerberos docs (elastic#18503) ...
…18528) Changes beat input in docs and configuration file due to unsupported RFC syslog pattern. (cherry picked from commit 140cc11) Co-authored-by: Marius Iversen <[email protected]>
…18527) Changes beat input in docs and configuration file due to unsupported RFC syslog pattern. (cherry picked from commit 140cc11) Co-authored-by: Marius Iversen <[email protected]>
What does this PR do?
Changes beat input in docs and configuration file due to unsupported RFC syslog pattern.
Why is it important?
Module needs this fix to work properly.
Checklist
Added the changes, updated the documentation, ran nosetests and confirmed by testing with netcat to simulate the syslog input.
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.