Skip to content

Commit

Permalink
[filebeat] Update documentation / changelog / beta warnings for the s…
Browse files Browse the repository at this point in the history
…yslog input (#25047) (#25142)

(cherry picked from commit 36af608)

Co-authored-by: Fae Charlton <[email protected]>
  • Loading branch information
mergify[bot] and faec authored Apr 20, 2021
1 parent 8f6b4ad commit b81eb07
Show file tree
Hide file tree
Showing 6 changed files with 26 additions and 11 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,7 @@ https://github.com/elastic/beats/compare/v7.11.2...v7.12.0[View commits]
- Upgrade okta to ECS 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929]
- Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118]
- Add fileset to ingest PostgreSQL CSV logs. {pull}23334[23334]
- Add beta support for RFC 5424 to the Syslog input. {pull}23954[23954]

*Heartbeat*

Expand Down
6 changes: 4 additions & 2 deletions filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -472,20 +472,22 @@ filebeat.inputs:
#ssl.client_authentication: "required"

#------------------------------ Syslog input --------------------------------
# Experimental: Config options for the Syslog input
# Accept RFC3164 formatted syslog event via UDP.
#- type: syslog
#enabled: false
#format: rfc3164
#protocol.udp:
# The host and port to receive the new event
#host: "localhost:9000"

# Maximum size of the message received over UDP
#max_message_size: 10KiB

# Accept RFC3164 formatted syslog event via TCP.
# Accept RFC5424 formatted syslog event via TCP.
# RFC5424 support is in beta.
#- type: syslog
#enabled: false
#format: rfc5424

#protocol.tcp:
# The host and port to receive the new event
Expand Down
12 changes: 9 additions & 3 deletions filebeat/docs/inputs/input-syslog.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,15 @@
<titleabbrev>Syslog</titleabbrev>
++++

Use the `syslog` input to read events over TCP, UDP, or a Unix stream socket, this input will parse BSD (rfc3164)
event and some variant.
The `syslog` input reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket. RFC 5424 support is currently in beta.

Example configurations:

["source","yaml",subs="attributes"]
----
{beatname_lc}.inputs:
- type: syslog
format: rfc3164
protocol.udp:
host: "localhost:9000"
----
Expand All @@ -24,6 +24,7 @@ Example configurations:
----
{beatname_lc}.inputs:
- type: syslog
format: rfc5424
protocol.tcp:
host: "localhost:9000"
----
Expand All @@ -32,15 +33,20 @@ Example configurations:
----
{beatname_lc}.inputs:
- type: syslog
format: auto
protocol.unix:
path: "/path/to/syslog.sock"
----

==== Configuration options

The `syslog` input supports protocol specific configuration options plus the
The `syslog` input configuration includes format, protocol specific options, and the
<<{beatname_lc}-input-{type}-common-options>> described later.

===== `format`

The syslog variant to use, `rfc3164` or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `rfc3164`. The `rfc5424` and `auto` options are currently in beta.

===== Protocol `udp`:

include::../inputs/input-common-udp-options.asciidoc[]
Expand Down
6 changes: 4 additions & 2 deletions filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -879,20 +879,22 @@ filebeat.inputs:
#ssl.client_authentication: "required"

#------------------------------ Syslog input --------------------------------
# Experimental: Config options for the Syslog input
# Accept RFC3164 formatted syslog event via UDP.
#- type: syslog
#enabled: false
#format: rfc3164
#protocol.udp:
# The host and port to receive the new event
#host: "localhost:9000"

# Maximum size of the message received over UDP
#max_message_size: 10KiB

# Accept RFC3164 formatted syslog event via TCP.
# Accept RFC5424 formatted syslog event via TCP.
# RFC5424 support is in beta.
#- type: syslog
#enabled: false
#format: rfc5424

#protocol.tcp:
# The host and port to receive the new event
Expand Down
6 changes: 4 additions & 2 deletions filebeat/input/syslog/input.go
Original file line number Diff line number Diff line change
Expand Up @@ -111,8 +111,6 @@ func NewInput(
outlet channel.Connector,
context input.Context,
) (input.Input, error) {
cfgwarn.Experimental("Syslog input type is used")

log := logp.NewLogger("syslog")

out, err := outlet.Connect(cfg)
Expand All @@ -125,6 +123,10 @@ func NewInput(
return nil, err
}

if config.Format != syslogFormatRFC3164 {
cfgwarn.Beta("Syslog RFC 5424 format is enabled")
}

forwarder := harvester.NewForwarder(out)
cb := GetCbByConfig(config, forwarder, log)
server, err := factory(cb, config.Protocol)
Expand Down
6 changes: 4 additions & 2 deletions x-pack/filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2867,20 +2867,22 @@ filebeat.inputs:
#ssl.client_authentication: "required"

#------------------------------ Syslog input --------------------------------
# Experimental: Config options for the Syslog input
# Accept RFC3164 formatted syslog event via UDP.
#- type: syslog
#enabled: false
#format: rfc3164
#protocol.udp:
# The host and port to receive the new event
#host: "localhost:9000"

# Maximum size of the message received over UDP
#max_message_size: 10KiB

# Accept RFC3164 formatted syslog event via TCP.
# Accept RFC5424 formatted syslog event via TCP.
# RFC5424 support is in beta.
#- type: syslog
#enabled: false
#format: rfc5424

#protocol.tcp:
# The host and port to receive the new event
Expand Down

0 comments on commit b81eb07

Please sign in to comment.