From 6a7dbd6016e8009761f55f4d7be89d98f506b435 Mon Sep 17 00:00:00 2001
From: Blake Rouse
Date: Mon, 10 Feb 2020 09:50:57 -0500
Subject: [PATCH] [Journalbeat] Improve parsing of syslog.pid in journalbeat to strip the username when present (#16116)
* Improve parsing of syslog.pid in journalbeat to strip the username in pid when present.
* Add entry to changelog with pull ID.
* Improve the comment on the username strip.
---
 CHANGELOG.next.asciidoc | 2 ++
 journalbeat/reader/journal.go | 12 +++++++--
 journalbeat/reader/journal_test.go | 39 ++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b9e8da68ee4..d74a98e25c2 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -24,6 +24,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Journalbeat*
+- Improve parsing of syslog.pid in journalbeat to strip the username when present {pull}16116[16116]
+
 *Metricbeat*
diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go
index 463f5090981..a2c9d0e8ce1 100644
--- a/journalbeat/reader/journal.go
+++ b/journalbeat/reader/journal.go
@@ -288,8 +288,16 @@ func (r *Reader) convertNamedField(fc fieldConversion, value string) interface{}
 if fc.isInteger {
 v, err := strconv.ParseInt(value, 10, 64)
 if err != nil {
- r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
- return value
+ // On some versions of systemd the 'syslog.pid' can contain the username
+ // appended to the end of the pid. In most cases this does not occur
+ // but in the cases that it does, this tries to strip ',\w*' from the
+ // value and then perform the conversion.
+ s := strings.Split(value, ",")
+ v, err = strconv.ParseInt(s[0], 10, 64)
+ if err != nil {
+ r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
+ return value
+ }
 }
 return v
 }
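Review bot: The comma fallback sits under `if fc.isInteger`, so it applies to every integer-converted journal field rather than only `syslog.pid`, and `strings.Split(value, ",")` keeps just the part before the first comma whatever follows, which is broader than the `',\w*'` the comment describes. SYSLOG_PID is set by the logging client, not by journald, so the value should be treated as untrusted: a value such as `123456,anything` is now indexed as a clean integer and the discarded suffix is not logged anywhere. Consider limiting the fallback to the field it was written for and recording the strip, e.g. `if i := strings.IndexByte(value, ','); i > 0 && fc.name == "syslog.pid" {` followed by a `Debugf` that includes the original `value`; the exact `fc.name` for this field is not visible in the hunk and should be confirmed. The fallback path still returns the raw string on failure, so the field can be either an int64 or a string downstream. convertNamedField starts and ends outside the hunk.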
diff --git a/journalbeat/reader/journal_test.go b/journalbeat/reader/journal_test.go
index 76ff33ecea2..8ce288e05d7 100644
--- a/journalbeat/reader/journal_test.go
+++ b/journalbeat/reader/journal_test.go
@@ -57,6 +57,45 @@ func TestToEvent(t *testing.T) {
 },
 },
 },
+ // 'syslog.pid' field without user append
+ ToEventTestCase{
+ entry: sdjournal.JournalEntry{
+ Fields: map[string]string{
+ sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456",
+ },
+ },
+ expectedFields: common.MapStr{
+ "syslog": common.MapStr{
+ "pid": int64(123456),
+ },
+ },
+ },
+ // 'syslog.pid' field with user append
+ ToEventTestCase{
+ entry: sdjournal.JournalEntry{
+ Fields: map[string]string{
+ sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456,root",
+ },
+ },
+ expectedFields: common.MapStr{
+ "syslog": common.MapStr{
+ "pid": int64(123456),
+ },
+ },
+ },
+ // 'syslog.pid' field empty
+ ToEventTestCase{
+ entry: sdjournal.JournalEntry{
+ Fields: map[string]string{
+ sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "",
+ },
+ },
+ expectedFields: common.MapStr{
+ "syslog": common.MapStr{
+ "pid": "",
+ },
+ },
+ },
 // custom field
 ToEventTestCase{
 entry: sdjournal.JournalEntry{
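Review bot: None of the three added cases reaches the second `ParseInt` failure, the branch where a comma is present but the part before it is not a number, so the behaviour for input like `abc,root` or `,root` is unpinned. Adding a case with `sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "abc,root"` and `"pid": "abc,root"` as the expected field would fix that the original string is passed through unchanged rather than a partial value. The empty-value case also documents that `pid` can be emitted as a string instead of an int64, which is worth a one-line comment in the test since consumers may expect a single type. TestToEvent starts and ends outside the hunk.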