The current implementation of the parser only supports RFC3164; some newer systems use RFC5424. It's just a matter of adding new state machines to the Ragel parser and adding new tests for it.
We have to investigate whether we can detect it on the fly OR make it a user-configurable setting.
Let's make sure we add an integration test for this, at least with one major producer.
Is anyone working on this?
We're an Elastic customer and are interested in RFC-5424 support as well. Any idea if this will get worked on soon?
If it helps, while troubleshooting an `ERROR [syslog] syslog/input.go:132 can't parse event as syslog rfc3164` error for the cisco module, I found that using the workaround mentioned in this discussion comment allows Filebeat to parse Cisco ASA logs.
For clarification, the module/cisco/asa/config/input.yml file is modified from this:
```yaml
{{ if eq .input "syslog" }}
type: syslog
protocol.udp:
  host: "{{.syslog_host}}:{{.syslog_port}}"
```
To this:
```yaml
{{ if eq .input "syslog" }}
type: udp
host: "{{.syslog_host}}:{{.syslog_port}}"
```
It looks like https://github.com/elastic/beats/pull/15467 may have stalled out. @faec, is this still something you are looking into addressing?
It's not stalled in the sense of being blocked, but it is a back-burner task for me (it was never an explicit release goal, just something I hoped to fit in between my other work). If someone has spare capacity I'm happy to hand it off / help get started, otherwise I'll pick it up again when time and triage allows.
Hi, RFC5424 is really important in large-scale datasets/data lakes. Anyway, if you are working on it, I can also help to get this rolled out sooner.
Just looking into @faec's code, it seems complex. Is it better to have this written as a pattern file? Something like what Logstash has: https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns
For example,
```text
pattern_name: RFC5424_non_structured
payload:
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
pattern:
<%{NUMBER:syslog_priority}>%{NUMBER:syslog_version} %{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{SYSLOGPROG:syslog_prog} %{NOTSPACE:syslog_procid} %{NOTSPACE:syslog_msgid} %{NOTSPACE:syslog_structured_msg} %{GREEDYDATA:syslog_non_structured_msg}
```
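As an added example (not code from the Beats repository, the open PRs, or any commenter above), the following Go program shows both points raised in this thread: detecting RFC3164 versus RFC5424 on the fly, and parsing the RFC5424 header from the sample payload quoted above. Detection needs only the PRI and the token that follows it: RFC 5424 mandates `<PRI>VERSION SP` with VERSION a non-zero digit string, while RFC 3164 puts a month-name TIMESTAMP straight after PRI. The parser handles the NILVALUE `-`, multiple bracketed SD-ELEMENTs (including `]` escaped as `\]` inside a quoted PARAM-VALUE, which a single `NOTSPACE` grok token would not), and strips an optional UTF-8 BOM from MSG. The type and function names (`DetectFormat`, `ParseRFC5424`, `Message`) are assumptions chosen for this example, and the sample lines in `main` are constructed; the first one is the RFC payload above with the `BOM` placeholder written as the actual U+FEFF rune.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Format is the syslog framing detected for a single line.
type Format int

const (
	Unknown Format = iota
	RFC3164
	RFC5424
)

// Message holds the RFC 5424 HEADER fields, the raw STRUCTURED-DATA and the MSG.
// (Assumed names for this example; not the Beats event schema.)
type Message struct {
	Priority, Facility, Severity int
	Version                      int
	Timestamp, Hostname, AppName string
	ProcID, MsgID                string
	StructuredData               string // "-" or the raw "[...][...]" elements
	Msg                          string
}

// DetectFormat inspects only "<PRI>" and the token after it. RFC 5424 requires
// a non-zero VERSION (1-3 digits) followed by SP; RFC 3164 has a month name there.
func DetectFormat(line string) Format {
	if !strings.HasPrefix(line, "<") {
		return Unknown
	}
	end := strings.IndexByte(line, '>')
	if end < 2 || end > 4 { // PRI is 1..3 digits
		return Unknown
	}
	if _, err := strconv.Atoi(line[1:end]); err != nil {
		return Unknown
	}
	rest := line[end+1:]
	sp := strings.IndexByte(rest, ' ')
	if sp > 0 && sp <= 3 && rest[0] >= '1' && rest[0] <= '9' {
		if _, err := strconv.Atoi(rest[:sp]); err == nil {
			return RFC5424
		}
	}
	return RFC3164
}

// sdElementEnd returns the index just past the "]" that closes the SD-ELEMENT
// starting at s[0] == '[', honouring quoted PARAM-VALUEs where '"', '\' and ']'
// are backslash-escaped (RFC 5424 section 6.3.3). Returns -1 if unterminated.
func sdElementEnd(s string) int {
	inQuote := false
	for j := 1; j < len(s); j++ {
		switch {
		case inQuote && s[j] == '\\':
			j++ // skip the escaped character
		case s[j] == '"':
			inQuote = !inQuote
		case s[j] == ']' && !inQuote:
			return j + 1
		}
	}
	return -1
}

// ParseRFC5424 parses HEADER SP STRUCTURED-DATA [SP MSG] (RFC 5424 section 6).
func ParseRFC5424(line string) (*Message, error) {
	if DetectFormat(line) != RFC5424 {
		return nil, errors.New("not an RFC 5424 message")
	}
	end := strings.IndexByte(line, '>')
	pri, _ := strconv.Atoi(line[1:end])
	if pri > 191 {
		return nil, fmt.Errorf("PRI %d out of range", pri)
	}
	m := &Message{Priority: pri, Facility: pri / 8, Severity: pri % 8}

	// VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID are single-SP separated;
	// everything after MSGID is SD plus optional MSG.
	fields := strings.SplitN(line[end+1:], " ", 7)
	if len(fields) < 7 {
		return nil, errors.New("truncated header")
	}
	m.Version, _ = strconv.Atoi(fields[0])
	m.Timestamp, m.Hostname, m.AppName, m.ProcID, m.MsgID =
		fields[1], fields[2], fields[3], fields[4], fields[5]
	rest := fields[6]

	switch {
	case rest == "-" || strings.HasPrefix(rest, "- "):
		m.StructuredData = "-"
		rest = rest[1:]
	case strings.HasPrefix(rest, "["):
		i := 0
		for i < len(rest) && rest[i] == '[' {
			n := sdElementEnd(rest[i:])
			if n < 0 {
				return nil, errors.New("unterminated SD-ELEMENT")
			}
			i += n
		}
		m.StructuredData = rest[:i]
		rest = rest[i:]
	default:
		return nil, errors.New("missing STRUCTURED-DATA")
	}
	if rest == "" {
		return m, nil // no MSG part
	}
	if rest[0] != ' ' {
		return nil, errors.New("expected SP before MSG")
	}
	m.Msg = strings.TrimPrefix(rest[1:], "\ufeff") // optional BOM
	return m, nil
}

func main() {
	// Constructed sample lines: the RFC 5424 example from the thread (with a real
	// BOM), an RFC 5424 line carrying two SD-ELEMENTs and no MSG, and an RFC 3164 line.
	for _, line := range []string{
		"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - \ufeff'su root' failed for lonvick on /dev/pts/8",
		"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][examplePriority@32473 class=\"high\"]",
		"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
	} {
		switch DetectFormat(line) {
		case RFC5424:
			m, err := ParseRFC5424(line)
			if err != nil {
				fmt.Println("rfc5424 parse error:", err)
				continue
			}
			fmt.Printf("rfc5424 fac=%d sev=%d host=%s app=%s msgid=%s sd=%s msg=%q\n",
				m.Facility, m.Severity, m.Hostname, m.AppName, m.MsgID, m.StructuredData, m.Msg)
		case RFC3164:
			fmt.Println("rfc3164: hand off to the existing Ragel parser")
		default:
			fmt.Println("unknown framing")
		}
	}
}
```

Because detection looks only at the first token after PRI, it costs nothing per event and would let the input fall back to the existing RFC3164 state machine when the version digit is absent; a user-configurable override is still worth keeping for producers that emit non-standard 3164 lines whose payload happens to start with a digit.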
The Checkpoint log exporter sends the logs in RFC5424 format by default, which is why this is required for the Checkpoint module to work.
Currently it fails with `can't parse event as syslog rfc3164`.
Please prioritize this, we're also a paying Elastic customer, thanks!
Hi, I would like to find out if this issue is still needed.
I would be happy to re-open the pr #20246 if this is still a desired feature.