From 1e673907a92e7fdac1c140ea0bb62871c1e61a67 Mon Sep 17 00:00:00 2001 From: Kent Wang Date: Tue, 27 Aug 2019 09:28:18 +0800 Subject: [PATCH 1/2] Fix system module timezone parsing --- CHANGELOG.next.asciidoc | 1 + filebeat/module/system/auth/ingest/pipeline.json | 9 +++++++-- filebeat/module/system/syslog/ingest/pipeline.json | 11 +++++++++-- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0c453ad319e8..dbbe46e5eee4 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add read_buffer configuration option. {pull}11739[11739] - `convert_timezone` option is removed and locale is always added to the event so timezone is used when parsing the timestamp, this behaviour can be overriden with processors. {pull}12410[12410] - Fix a race condition in the TCP input when close the client socket. {pull}13038[13038] +- Fix timezone parsing of module ingest pipelines. {pull}13308[13308] *Heartbeat* diff --git a/filebeat/module/system/auth/ingest/pipeline.json b/filebeat/module/system/auth/ingest/pipeline.json index 396d81d4254d..debb3d064c24 100644 --- a/filebeat/module/system/auth/ingest/pipeline.json +++ b/filebeat/module/system/auth/ingest/pipeline.json @@ -54,8 +54,13 @@ { "date": { "if": "ctx.event.timezone != null", - "field": "@timestamp", - "formats": ["ISO8601"], + "field": "system.auth.timestamp", + "target_field": "@timestamp", + "formats": [ + "MMM d HH:mm:ss", + "MMM dd HH:mm:ss", + "ISO8601" + ], "timezone": "{{ event.timezone }}", "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] } diff --git a/filebeat/module/system/syslog/ingest/pipeline.json b/filebeat/module/system/syslog/ingest/pipeline.json index 8167ce64b233..1bf54bc08e10 100644 --- a/filebeat/module/system/syslog/ingest/pipeline.json 
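Review bot: The `formats` array added to the auth `date` processor has three entries, while the equivalent processor in the syslog pipeline of this same patch ends up with four, so a day layout that the syslog list accepts may fall through to `on_failure` here. On that path only `error.message` is appended, and the event presumably keeps whatever `@timestamp` an earlier step set, without the `event.timezone` shift, which skews login and sudo timelines by the host's offset. If the extra syslog entry is intentional, mirror it here by adding `"MMM d HH:mm:ss",` before `"ISO8601"`. Whitespace in this rendering looks collapsed, so the exact padding of each day pattern should be checked against the file. The rest of the pipeline, including any earlier date step, is outside the hunk.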
+++ b/filebeat/module/system/syslog/ingest/pipeline.json @@ -34,6 +34,7 @@ "formats": [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss", + "MMM d HH:mm:ss", "ISO8601" ], "ignore_failure": true @@ -42,8 +43,14 @@ { "date": { "if": "ctx.event.timezone != null", - "field": "@timestamp", - "formats": ["ISO8601"], + "field": "system.syslog.timestamp", + "target_field": "@timestamp", + "formats": [ + "MMM d HH:mm:ss", + "MMM dd HH:mm:ss", + "MMM d HH:mm:ss", + "ISO8601" + ], "timezone": "{{ event.timezone }}", "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] } From 04a32384cc7a1ae5570c6145a2f2105dce232615 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Tue, 27 Aug 2019 13:07:14 +0200 Subject: [PATCH 2/2] Fix changelog --- CHANGELOG.next.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index dbbe46e5eee4..0ea6cfd0d631 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -28,7 +28,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add read_buffer configuration option. {pull}11739[11739] - `convert_timezone` option is removed and locale is always added to the event so timezone is used when parsing the timestamp, this behaviour can be overriden with processors. {pull}12410[12410] - Fix a race condition in the TCP input when close the client socket. {pull}13038[13038] -- Fix timezone parsing of module ingest pipelines. {pull}13308[13308] *Heartbeat* 
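Review bot: In the second syslog hunk the timezone-aware `date` processor re-parses `system.syslog.timestamp` with a copy of the format list that the first hunk extends on the earlier processor, so the same field is parsed twice and the two lists have to be kept in sync by hand. The earlier processor shows `"ignore_failure": true`, so if the timezone-aware parse fails, the `@timestamp` it set (presumably interpreted as UTC) stays in place and the only trace is the appended `error.message`. Consider guarding the earlier processor with `"if": "ctx.event.timezone == null"` so that exactly one parse decides `@timestamp`. Its opening lines are outside the hunk, so it may already carry such a condition. As rendered, the added `"MMM d HH:mm:ss"` entry is identical to the first entry in both lists, which I assume is collapsed whitespace rather than a real duplicate.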
@@ -133,6 +132,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix multiline pattern in Postgres which was too permissive {issue}12078[12078] {pull}13069[13069] - Allow path variables to be used in files loaded from modules.d. {issue}13184[13184] - Fix incorrect references to index patterns in AWS and CoreDNS dashboards. {pull}13303[13303] +- Fix timezone parsing of system module ingest pipelines. {pull}13308[13308] *Heartbeat*