Adding Cisco support for the Syslog parser (elastic#10760)

* Adding Cisco support for the Syslog parser Add support for the "sequence" number in the log format send by Cisco switch devices. Fixes: elastic#10654
ph · Feb 18, 2019 · dd92b6f · dd92b6f
1 parent c8b2f1c
commit dd92b6f
Show file tree

Hide file tree

Showing 11 changed files with 1,711 additions and 840 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -81,7 +81,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - The `elasticsearch/deprecation` fileset now indexes the `component` field under `elasticsearch` instead of `elasticsearch.server`. {pull}10445[10445]
 - Remove field `kafka.log.trace.full` from kafka.log fielset. {pull}10398[10398]
 - Change field `kafka.log.class` for kafka.log fileset from text to keyword. {pull}10398[10398]
-- Address add_kubernetes_metadata processor issue where old source field is 
+- Address add_kubernetes_metadata processor issue where old source field is
   still used for matcher. {issue}10505[10505] {pull}10506[10506]
 - Change type of haproxy.source from text to keyword. {pull}10506[10506]
 - Rename `event.type` to `suricata.eve.event_type` in Suricata module because event.type is reserved for future use by ECS. {pull}10575[10575]
@@ -185,6 +185,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix bad bytes count in `docker` input when filtering by stream. {pull}10211[10211]
 - Fixed data types for roles and indices fields in `elasticsearch/audit` fileset {pull}10307[10307]
 - Ensure `source.address` is always populated by the nginx module (ECS). {pull}10418[10418]
+- Add support for Cisco syslog format used by their switch. {pull}10760[10760]
 - Cover empty request data, url and version in Apache2 module{pull}10730[10730]
 - Fix registry entries not being cleaned due to race conditions. {pull}10747[10747]
 - Improve detection of file deletion on Windows. {pull}10747[10747]

diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml
@@ -35,6 +35,12 @@
         The input type from which the event was generated. This field is set to the value specified
         for the `type` option in the input section of the Filebeat config file.
 
+    - name: event.sequence
+      type: long
+      required: false
+      description: >
+        The sequence number of this event.
+
     - name: syslog.facility
       type: long
       required: false

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -6585,6 +6585,18 @@ required: True
 The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file.
 
 
+--
+
+*`event.sequence`*::
++
+--
+type: long
+
+required: False
+
+The sequence number of this event.
+
+
 --
 
 *`syslog.facility`*::

diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go
diff --git a/filebeat/input/syslog/event.go b/filebeat/input/syslog/event.go
@@ -71,6 +71,7 @@ type event struct {
 	nanosecond int
 	year       int
 	loc        *time.Location
+	sequence   int
 }
 
 // newEvent() return a new event.
@@ -84,6 +85,7 @@ func newEvent() *event {
 		minute:   -1,
 		second:   -1,
 		year:     time.Now().Year(),
+		sequence: -1,
 	}
 }
 
@@ -269,6 +271,17 @@ func (s *event) HasPid() bool {
 	return s.pid > 0
 }
 
+// SetSequence set the sequence number for this event.
+func (s *event) SetSequence(b []byte) {
+	s.sequence = bytesToInt(b)
+}
+
+// Sequence returns the sequence number of the event when defined,
+// otherwise return -1.
+func (s *event) Sequence() int {
+	return s.sequence
+}
+
 // SetNanoSecond sets the nanosecond.
 func (s *event) SetNanosecond(b []byte) {
 	// We assume that we receive a byte array representing a nanosecond, this might not be

diff --git a/filebeat/input/syslog/input.go b/filebeat/input/syslog/input.go
@@ -37,6 +37,7 @@ import (
 
 // Parser is generated from a ragel state machine using the following command:
 //go:generate ragel -Z -G2 parser.rl -o parser.go
+//go:generate go fmt parser.go
 
 // Severity and Facility are derived from the priority, theses are the human readable terms
 // defined in https://tools.ietf.org/html/rfc3164#section-4.1.1.
@@ -250,6 +251,10 @@ func createEvent(ev *event, metadata inputsource.NetworkMetadata, timezone *time
 	f["event"] = event
 	f["process"] = process
 
+	if ev.Sequence() != -1 {
+		f["event.sequence"] = ev.Sequence()
+	}
+
 	return &beat.Event{
 		Timestamp: ev.Timestamp(timezone),
 		Meta: common.MapStr{

diff --git a/filebeat/input/syslog/input_test.go b/filebeat/input/syslog/input_test.go
@@ -174,6 +174,32 @@ func TestProgram(t *testing.T) {
 	})
 }
 
+func TestSequence(t *testing.T) {
+	t.Run("is set", func(t *testing.T) {
+		e := newEvent()
+		e.SetMessage([]byte("hello world"))
+		e.SetProgram([]byte("sudo"))
+		e.SetSequence([]byte("123"))
+		m := dummyMetadata()
+		event := createEvent(e, m, time.Local, logp.NewLogger("syslog"))
+		v, err := event.GetValue("event.sequence")
+		if !assert.NoError(t, err) {
+			return
+		}
+		assert.Equal(t, v, 123)
+	})
+
+	t.Run("is not set", func(t *testing.T) {
+		e := newEvent()
+		e.SetMessage([]byte("hello world"))
+		m := dummyMetadata()
+		event := createEvent(e, m, time.Local, logp.NewLogger("syslog"))
+
+		_, err := event.GetValue("event.sequence")
+		assert.Error(t, err)
+	})
+}
+
 func dummyMetadata() inputsource.NetworkMetadata {
 	ip := "127.0.0.1"
 	parsedIP := net.ParseIP(ip)