Tag truncated events by max_bytes #7022
ppf2 changed the title from "Add a tag when messages are truncated via max_bytes" to "Better debugging for max_bytes settings" on May 8, 2018
ppf2 changed the title from "Better debugging for max_bytes settings" to "Tag truncated events by max_bytes" on May 10, 2018
kvch added a commit that referenced this issue on Aug 30, 2018
…nfigured limit (#7991)

A new field is added to store the flags of an event named "log.flags". If a message is truncated, "truncated" flag is added to the list.

Example event with "truncated" flag:

    {
      "@timestamp": "2018-08-16T13:00:46.759Z",
      "@metadata": {
        "beat": "filebeat",
        "type": "doc",
        "version": "7.0.0-alpha1"
      },
      "host": {
        "name": "sleipnir"
      },
      "source": "/home/n/test.log",
      "offset": 33,
      "log": {
        "flags": [
          "truncated"
        ]
      },
      "message": "test line",
      "prospector": {
        "type": "log"
      },
      "input": {
        "type": "log"
      },
      "beat": {
        "hostname": "sleipnir",
        "version": "7.0.0-alpha1",
        "name": "sleipnir"
      }
    }

Closes #7022
kvch added a commit to kvch/beats that referenced this issue on Aug 31, 2018
…nfigured limit (elastic#7991)

A new field is added to store the flags of an event named "log.flags". If a message is truncated, "truncated" flag is added to the list.

Example event with "truncated" flag:

    {
      "@timestamp": "2018-08-16T13:00:46.759Z",
      "@metadata": {
        "beat": "filebeat",
        "type": "doc",
        "version": "7.0.0-alpha1"
      },
      "host": {
        "name": "sleipnir"
      },
      "source": "/home/n/test.log",
      "offset": 33,
      "log": {
        "flags": [
          "truncated"
        ]
      },
      "message": "test line",
      "prospector": {
        "type": "log"
      },
      "input": {
        "type": "log"
      },
      "beat": {
        "hostname": "sleipnir",
        "version": "7.0.0-alpha1",
        "name": "sleipnir"
      }
    }

Closes elastic#7022

(cherry picked from commit 0884236)
kvch added a commit that referenced this issue on Sep 3, 2018
…ing line is longer than configured limit (#8165)

* Add tag "truncated" to "log.flags" if incoming line is longer than configured limit (#7991)

A new field is added to store the flags of an event named "log.flags". If a message is truncated, "truncated" flag is added to the list.

Example event with "truncated" flag:

    {
      "@timestamp": "2018-08-16T13:00:46.759Z",
      "@metadata": {
        "beat": "filebeat",
        "type": "doc",
        "version": "7.0.0-alpha1"
      },
      "host": {
        "name": "sleipnir"
      },
      "source": "/home/n/test.log",
      "offset": 33,
      "log": {
        "flags": [
          "truncated"
        ]
      },
      "message": "test line",
      "prospector": {
        "type": "log"
      },
      "input": {
        "type": "log"
      },
      "beat": {
        "hostname": "sleipnir",
        "version": "7.0.0-alpha1",
        "name": "sleipnir"
      }
    }

Closes #7022

(cherry picked from commit 0884236)

* fix changelog && rebase
While max_bytes is a useful feature to protect against unexpected large messages, it does its job silently today. There are no logging messages indicating a message being truncated, and the resulting published event also has no tagging indicating that the event has been truncated. If a user looks at the resulting event, they may think that the truncated version is really the original message. It will be helpful for us to add a tag to all the events that have been truncated via max_bytes so it is easier from an auditing point of view.
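For the auditing use case raised in the issue, the following added example (not code from the Beats project) scans exported events for the "truncated" entry in "log.flags" and reports, per source file, the offsets of events whose "message" is not the full original line. The NDJSON input format, the function names and the sample events are assumptions constructed for illustration; only the "log.flags", "source" and "offset" fields come from the example event in the commit message.

```python
import json
from collections import defaultdict

# Constructed sample input: one event per line, shaped like the commit's example event.
SAMPLE_EVENTS = """\
{"@timestamp": "2018-08-16T13:00:46.759Z", "source": "/home/n/test.log", "offset": 33, "log": {"flags": ["truncated"]}, "message": "test line"}
{"@timestamp": "2018-08-16T13:00:47.102Z", "source": "/home/n/test.log", "offset": 52, "message": "short line"}
{"@timestamp": "2018-08-16T13:00:48.310Z", "source": "/home/n/other.log", "offset": 0, "log": {"flags": []}, "message": "ok"}
not json at all
{"@timestamp": "2018-08-16T13:00:49.000Z", "source": "/home/n/other.log", "offset": 10, "log": {"flags": ["truncated"]}, "message": "cut"}
"""


def is_truncated(event):
    """True if the event carries "truncated" in log.flags (field absent on older events)."""
    log = event.get("log")
    flags = log.get("flags") if isinstance(log, dict) else None
    return isinstance(flags, list) and "truncated" in flags


def audit_truncated(ndjson_text):
    """Return the parsed event count, truncated offsets per source, and unparsable line numbers."""
    truncated = defaultdict(list)
    unparsable = []
    total = 0
    for lineno, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparsable.append(lineno)  # record it: a silently skipped line is its own audit gap
            continue
        if not isinstance(event, dict):
            unparsable.append(lineno)
            continue
        total += 1
        if is_truncated(event):
            truncated[event.get("source", "<unknown>")].append(event.get("offset"))
    return {"total": total, "truncated": dict(truncated), "unparsable": unparsable}


if __name__ == "__main__":
    report = audit_truncated(SAMPLE_EVENTS)
    print(f"{report['total']} events parsed, unparsable lines: {report['unparsable']}")
    for source, offsets in report["truncated"].items():
        print(f"{source}: {len(offsets)} truncated event(s) at offsets {offsets}")
```

Events produced before the flag existed have no "log.flags" field at all, so an absent flag on those events does not prove the message is complete.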