Skip to content

Commit

Permalink
Copy log.syslog.appname to process.name (#10646)
Browse files Browse the repository at this point in the history 
* Copy log.syslog.appname to process.name

Before the syslog processor was added to the default filebeat yaml configuration, process.name was
set by a Grok ingest pipeline. However, when the syslog processor was added a condition was also added to
the Grok ingest pipeline, `if: ctx.log?.syslog == null`. This condition always evaluates to false when
the data is supplied by the syslog processor, and therefore `process.name` is not extraced from the syslog
message. This commit copies the process name from `log.syslog.appname` to `process.name` before an pipeline
processors which use it are executed. With this change, `process.name`, `event.category`, and `event.type`
are now populated when data arrives from the syslog processor.
  • Loading branch information
@nicholasberlin
nicholasberlin authored Jul 30, 2024
1 parent 70dba98 commit 8107f32
Show file tree
Hide file tree
Showing 6 changed files with 356 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
View file
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -328,7 +328,7 @@
/packages/sysmon_linux @elastic/sec-linux-platform
/packages/system @elastic/obs-infraobs-integrations
/packages/system/changelog.yml @elastic/obs-infraobs-integrations @elastic/sec-linux-platform @elastic/sec-windows-platform
/packages/system/data_stream/auth @elastic/sec-windows-platform
/packages/system/data_stream/auth @elastic/sec-linux-platform
/packages/system/data_stream/security @elastic/sec-windows-platform
/packages/system/data_stream/application @elastic/sec-windows-platform
/packages/system/data_stream/core @elastic/obs-infraobs-integrations
Expand Down
5 changes: 5 additions & 0 deletions packages/system/changelog.yml
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.60.1"
changes:
- description: Ensure process.name is populated from syslog messages
type: bugfix
link: https://github.com/elastic/integrations/pull/10646
- version: "1.60.0"
changes:
- description: Add caseless fields to process events.
Expand Down
144 changes: 144 additions & 0 deletions packages/system/data_stream/auth/_dev/test/pipeline/test-host-syslog-processor.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
{
"events": [
{
"event" : {
"original": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com eventslog 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
},
"@timestamp": "2022-01-11T22:14:15.003Z",
"log": {
"syslog": {
"priority": 165,
"facility": {
"code": 20,
"name": "local4"
},
"severity": {
"code": 5,
"name": "Notice"
},
"hostname": "mymachine.example.com",
"appname": "eventslog",
"procid": "1024",
"msgid": "ID47",
"version": "1",
"structured_data": {
"exampleSDID@32473": {
"iut": "3",
"eventSource": "Application",
"eventID": "1011"
},
"examplePriority@32473": {
"class": "high"
}
}
}
},
"message": "this is the message"
},
{
"@timestamp": "2022-01-11T22:14:15.003Z",
"event" : {
"original": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com groupadd 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
},
"log": {
"syslog": {
"priority": 165,
"facility": {
"code": 20,
"name": "local4"
},
"severity": {
"code": 5,
"name": "Notice"
},
"hostname": "mymachine.example.com",
"appname": "groupdel",
"procid": "1024",
"msgid": "ID47",
"version": "1",
"structured_data": {
"exampleSDID@32473": {
"iut": "3",
"eventSource": "Application",
"eventID": "1011"
},
"examplePriority@32473": {
"class": "high"
}
}
}
},
"message": "this is the message"
},
{
"@timestamp": "2022-01-11T22:14:15.003Z",
"event" : {
"original": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com useradd 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
},
"log": {
"syslog": {
"priority": 165,
"facility": {
"code": 20,
"name": "local4"
},
"severity": {
"code": 5,
"name": "Notice"
},
"hostname": "mymachine.example.com",
"appname": "useradd",
"procid": "1024",
"msgid": "ID47",
"version": "1",
"structured_data": {
"exampleSDID@32473": {
"iut": "3",
"eventSource": "Application",
"eventID": "1011"
},
"examplePriority@32473": {
"class": "high"
}
}
}
},
"message": "this is the message"
},
{
"@timestamp": "2022-01-11T22:14:15.003Z",
"event" : {
"original": "<165>1 2022-01-11T22:14:15.003Z mymachine.example.com usermod 1024 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"] this is the message"
},
"log": {
"syslog": {
"priority": 165,
"facility": {
"code": 20,
"name": "local4"
},
"severity": {
"code": 5,
"name": "Notice"
},
"hostname": "mymachine.example.com",
"appname": "usermod",
"procid": "1024",
"msgid": "ID47",
"version": "1",
"structured_data": {
"exampleSDID@32473": {
"iut": "3",
"eventSource": "Application",
"eventID": "1011"
},
"examplePriority@32473": {
"class": "high"
}
}
}
},
"message": "this is the message"
}
]
}
199 changes: 199 additions & 0 deletions .../system/data_stream/auth/_dev/test/pipeline/test-host-syslog-processor.json-expected.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,199 @@
{
"expected": [
{
"@timestamp": "2022-01-11T22:14:15.003Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"kind": "event"
},
"log": {
"syslog": {
"priority": 30,
"appname": "eventslog",
"facility": {
"code": 20,
"name": "local4"
},
"hostname": "mymachine.example.com",
"msgid": "ID47",
"priority": 165,
"procid": "1024",
"severity": {
"code": 5,
"name": "Notice"
},
"structured_data": {
"examplePriority@32473": {
"class": "high"
},
"exampleSDID@32473": {
"eventID": "1011",
"eventSource": "Application",
"iut": "3"
}
},
"version": "1"
}
},
"message": "this is the message",
"process": {
"name": "eventslog"
}
},
{
"@timestamp": "2022-01-11T22:14:15.003Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"kind": "event",
"category": [
"iam"
],
"kind": "event",
"outcome": "success",
"type": [
"group",
"deletion"
]
},
"log": {
"syslog": {
"priority": 30,
"appname": "groupdel",
"facility": {
"code": 20,
"name": "local4"
},
"hostname": "mymachine.example.com",
"msgid": "ID47",
"priority": 165,
"procid": "1024",
"severity": {
"code": 5,
"name": "Notice"
},
"structured_data": {
"examplePriority@32473": {
"class": "high"
},
"exampleSDID@32473": {
"eventID": "1011",
"eventSource": "Application",
"iut": "3"
}
},
"version": "1"
}
},
"message": "this is the message",
"process": {
"name": "groupdel"
}
},
{
"@timestamp": "2022-01-11T22:14:15.003Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"kind": "event",
"category": [
"iam"
],
"kind": "event",
"outcome": "success",
"type": [
"user",
"creation"
]
},
"log": {
"syslog": {
"priority": 30,
"appname": "useradd",
"facility": {
"code": 20,
"name": "local4"
},
"hostname": "mymachine.example.com",
"msgid": "ID47",
"priority": 165,
"procid": "1024",
"severity": {
"code": 5,
"name": "Notice"
},
"structured_data": {
"examplePriority@32473": {
"class": "high"
},
"exampleSDID@32473": {
"eventID": "1011",
"eventSource": "Application",
"iut": "3"
}
},
"version": "1"
}
},
"message": "this is the message",
"process": {
"name": "useradd"
}
},
{
"@timestamp": "2022-01-11T22:14:15.003Z",
"ecs": {
"version": "8.11.0"
},
"event": {
"kind": "event",
"category": [
"iam"
],
"kind": "event",
"outcome": "success",
"type": [
"user",
"change"
]
},
"log": {
"syslog": {
"priority": 30,
"appname": "usermod",
"facility": {
"code": 20,
"name": "local4"
},
"hostname": "mymachine.example.com",
"msgid": "ID47",
"priority": 165,
"procid": "1024",
"severity": {
"code": 5,
"name": "Notice"
},
"structured_data": {
"examplePriority@32473": {
"class": "high"
},
"exampleSDID@32473": {
"eventID": "1011",
"eventSource": "Application",
"iut": "3"
}
},
"version": "1"
}
},
"message": "this is the message",
"process": {
"name": "usermod"
}
}
]
}
6 changes: 6 additions & 0 deletions packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,12 @@ processors:
ctx.event.action = "ssh_login";
ctx.event.outcome = "failure";
}
- set:
tag: set_process_name-log_syslog_appname
field: process.name
copy_from: log.syslog.appname
override: false
ignore_empty_value: true
- append:
tag: append_category-iam
field: event.category
Expand Down
2 changes: 1 addition & 1 deletion packages/system/manifest.yml
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
format_version: 3.0.2
name: system
title: System
version: "1.60.0"
version: "1.60.1"
description: Collect system logs and metrics from your servers with Elastic Agent.
type: integration
categories:
Expand Down

0 comments on commit 8107f32

Please sign in to comment.