Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

syslog PRI #36

Closed
willemdh opened this issue Jul 6, 2018 · 8 comments
Closed

syslog PRI #36

willemdh opened this issue Jul 6, 2018 · 8 comments

Comments

@willemdh
Copy link
Contributor

willemdh commented Jul 6, 2018

Is syslog program is meant for process.name, is there a field for the PRI syslog field (which I used to name syslog_pri). This allows for calculation of facility and severity:

https://gist.github.com/marvin/1017480
@praseodym
Copy link
Contributor

There is event.severity, but only as a long. I don't see a good way to map facility and severity labels from the syslog_pri filter.

@ruflin
Copy link
Member

ruflin commented Jul 9, 2018

It seems to me PRI is a syslog specific field and because of this should be long under a syslog prefix as you did. Either syslog_pri or syslog.pri. Is PRI also used by other services?

@willemdh
Copy link
Contributor Author

willemdh commented Jul 9, 2018
edited
Loading

Most syslog sources have a PRI field. Haven't seen PRI usage in non syslog data. A dedicated syslog object could also contain syslog.facility and syslog.severity.

Or syslog specific data, seeing as these are pure logs, could maybe better get mapped under log.* ?

log.pri
log.facility
log.level

Creating another 'root object' specific for syslog might be a little overkill?

@ruflin
Copy link
Member

ruflin commented Jul 9, 2018

I would prefer to not have service specific fields in the generic objects. I tempted to say at the moment because of it would belong under syslog.pri but not sure if it should be part of ECS. At the same time syslog is very popular.

@ph
Copy link
Contributor

ph commented Jul 23, 2018

Since severity and facility are actually extracted from the priority I think they should be prefixed by a syslog and for reference this is what the current Filebeat syslog input does.

https://github.com/elastic/beats/blob/master/filebeat/input/syslog/input.go#L240

@willemdh
Copy link
Contributor Author

A dedicated syslog object is ok for me. So is this mapping what we need?

"syslog": {
  "properties": {
    "pri": {
      "type": "long"
    },
    "severity": {
      "ignore_above": 1024,
      "type": "keyword"
    },
    "facility": {
      "ignore_above": 1024,
      "type": "keyword"
    }
  }
}

@ruflin
Copy link
Member

ruflin commented Jul 26, 2018

I'm working on extending our use cases here: #55 This would allow us to have a fields.yml for syslog in the use cases and then decide later if it makes sense in ECS directly or not but have it there for others to share (and comment).

@webmat webmat mentioned this issue Sep 18, 2018
Closed
26 tasks
@webmat webmat mentioned this issue Oct 26, 2018
Closed
@ruflin ruflin mentioned this issue Oct 31, 2018
Closed
22 tasks
@willemdh willemdh mentioned this issue Jan 15, 2019
Closed
@willemdh willemdh mentioned this issue Aug 23, 2019
Merged
@willemdh
Copy link
Contributor Author

This will soon be resolved, see #525
Thanks all!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ph @praseodym @ruflin @willemdh