logstash-plugins/logstash-filter-syslog_pri

ECS compatibility

willemdh opened this issue · 1 comment

ECS will provide fields for syslog priority / severity facility soon, see elastic/ecs#525

It would be nice if this plugin could be updated, so the correct ECS fields are used. Currently we need to rename the fields like this:

    syslog_pri { }
    mutate {
        rename => { "syslog_pri" => "log.priority" }
        rename => { "syslog_facility" => "log.facility.name" }
        rename => { "syslog_facility_code" => "log.facility.code" }
        rename => { "syslog_severity" => "log.level" }
        rename => { "syslog_severity_code" => "log.severity" }
    }

Thanks for looking into this!

Just a small update, considering there is now a dedicated syslog section under log.:

    syslog_pri {
        syslog_pri_field_name => 'log.syslog.priority'
    }
    mutate {
        rename => { "syslog_facility" => "log.syslog.facility.name" }
        rename => { "syslog_facility_code" => "log.syslog.facility.code" }
        rename => { "syslog_severity" => "log.syslog.severity.name" }
        rename => { "syslog_severity_code" => "log.syslog.severity.code" }
    }

To prevent issues with existing filters, the new ECS names could for example only be grokked when syslog_pri_field_name => 'log.syslog.priority' is defined.
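As an added illustration of what the request above amounts to (this is example code, not part of the issue and not the logstash-filter-syslog_pri plugin's own source), the Ruby below decodes a syslog PRI into facility and severity codes and writes them under either the plugin's existing syslog_* names or the ECS log.syslog.* names, switching to the ECS set only when the priority field is configured as 'log.syslog.priority', as the comment suggests. Assumptions: events are plain nested Ruby hashes rather than Logstash events, the short facility and severity names are abbreviated from the RFC 5424 tables for this example, and a missing or malformed PRI falls back to 13 (facility 1, severity 5).

```ruby
# Added example, not code from logstash-filter-syslog_pri: decode a syslog PRI
# value and emit facility/severity under legacy syslog_* names or the ECS
# log.syslog.* names requested in this issue. Events are plain Ruby hashes;
# nested keys stand in for the dotted field names Logstash uses for ECS.

# Short facility/severity names, abbreviated from the RFC 5424 tables for this
# example (array index == numeric code).
FACILITY_NAMES = [
  'kernel', 'user-level', 'mail', 'daemon', 'security/authorization', 'syslogd',
  'line printer', 'network news', 'uucp', 'clock', 'security/authorization',
  'ftp', 'ntp', 'log audit', 'log alert', 'clock',
  'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7'
].freeze
SEVERITY_NAMES = %w[emergency alert critical error warning notice informational debug].freeze

# Assumption for this example: a missing or malformed PRI falls back to 13
# (facility 1 "user-level", severity 5 "notice").
DEFAULT_PRI = 13

# PRI = facility * 8 + severity, so division and remainder recover the parts.
# Anything outside 0..191 (24 facilities x 8 severities) is not a valid PRI.
def decode_pri(raw)
  pri = Integer(raw.to_s, 10) rescue DEFAULT_PRI
  pri = DEFAULT_PRI unless (0..191).cover?(pri)
  [pri / 8, pri % 8]
end

# Read a dotted field name ("log.syslog.priority") from nested hashes.
def get_field(event, dotted)
  dotted.split('.').inject(event) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Write a dotted field name, creating intermediate hashes as needed.
def set_field(event, dotted, value)
  *path, leaf = dotted.split('.')
  node = path.inject(event) { |h, key| h[key] ||= {} }
  node[leaf] = value
  event
end

# Target field names for the two modes. The ECS set is used only when the
# priority field is configured as 'log.syslog.priority', as the issue
# suggests, so existing pipelines keep the old names untouched.
LEGACY_FIELDS = {
  facility_name: 'syslog_facility', facility_code: 'syslog_facility_code',
  severity_name: 'syslog_severity', severity_code: 'syslog_severity_code'
}.freeze
ECS_FIELDS = {
  facility_name: 'log.syslog.facility.name', facility_code: 'log.syslog.facility.code',
  severity_name: 'log.syslog.severity.name', severity_code: 'log.syslog.severity.code'
}.freeze

# Enrich an event hash in place and return it.
def syslog_pri_filter(event, pri_field_name: 'syslog_pri')
  facility, severity = decode_pri(get_field(event, pri_field_name))
  fields = pri_field_name == 'log.syslog.priority' ? ECS_FIELDS : LEGACY_FIELDS
  set_field(event, fields[:facility_code], facility)
  set_field(event, fields[:facility_name], FACILITY_NAMES[facility])
  set_field(event, fields[:severity_code], severity)
  set_field(event, fields[:severity_name], SEVERITY_NAMES[severity])
  event
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample events: one with the legacy field, one ECS-shaped.
  p syslog_pri_filter({ 'syslog_pri' => '34' })
  p syslog_pri_filter({ 'log' => { 'syslog' => { 'priority' => 165 } } },
                      pri_field_name: 'log.syslog.priority')
end
```

With a PRI of 34 the legacy call yields facility 4 (security/authorization) and severity 2 (critical); with 165 under log.syslog.priority the ECS call yields local4 / notice nested under log.syslog.facility and log.syslog.severity, and no syslog_* keys are written, which is the compatibility behaviour the comment asks for.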