diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 7a9b64a471..ba8366be8e 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -45,6 +45,7 @@ Thanks, you're awesome :-) --> #### Added * Add beta `container.*` metric fields. #1789 +* Add six new syslog fields to `log.syslog.*`. #1793 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index fb840876d4..6db04a1ecb 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -5411,6 +5411,22 @@ type: object +| extended + +// =============================================================== + +| +[[field-log-syslog-appname]] +<> + +| The device or application that originated the Syslog message, if available. + +type: keyword + + + +example: `sshd` + | extended // =============================================================== @@ -5449,6 +5465,38 @@ example: `local7` // =============================================================== +| +[[field-log-syslog-hostname]] +<> + +| The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. + +type: keyword + + + +example: `example-host` + +| extended + +// =============================================================== + +| +[[field-log-syslog-msgid]] +<> + +| An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages. + +type: keyword + + + +example: `ID47` + +| extended + +// =============================================================== + | [[field-log-syslog-priority]] <> 
@@ -5467,6 +5515,22 @@ example: `135` // =============================================================== +| +[[field-log-syslog-procid]] +<> + +| The process name or ID that originated the Syslog message, if available. + +type: keyword + + + +example: `12345` + +| extended + +// =============================================================== + | [[field-log-syslog-severity-code]] <> @@ -5503,6 +5567,38 @@ example: `Error` // =============================================================== +| +[[field-log-syslog-structured-data]] +<> + +| Structured data expressed in RFC 5424 messages, if available. These are key-value pairs formed from the structured data portion of the syslog message, as defined in RFC 5424 Section 6.3. + +type: flattened + + + + + +| extended + +// =============================================================== + +| +[[field-log-syslog-version]] +<> + +| The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. + +type: keyword + + + +example: `1` + +| extended + +// =============================================================== + |===== diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index eea43c0e14..df84da94b9 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -3837,6 +3837,14 @@ type: object description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + - name: syslog.appname + level: extended + type: keyword + ignore_above: 1024 + description: The device or application that originated the Syslog message, if + available. + example: sshd + default_field: false - name: syslog.facility.code level: extended type: long 
@@ -3852,6 +3860,25 @@ ignore_above: 1024 description: The Syslog text-based facility of the log event, if available. example: local7 + - name: syslog.hostname + level: extended + type: keyword + ignore_above: 1024 + description: The hostname, FQDN, or IP of the machine that originally sent the + Syslog message. This is sourced from the hostname field of the syslog header. + Depending on the environment, this value may be different from the host that + handled the event, especially if the host handling the events is acting as + a collector. + example: example-host + default_field: false + - name: syslog.msgid + level: extended + type: keyword + ignore_above: 1024 + description: An identifier for the type of Syslog message, if available. Only + applicable for RFC 5424 messages. + example: ID47 + default_field: false - name: syslog.priority level: extended type: long @@ -3861,6 +3888,13 @@ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.' example: 135 + - name: syslog.procid + level: extended + type: keyword + ignore_above: 1024 + description: The process name or ID that originated the Syslog message, if available. + example: 12345 + default_field: false - name: syslog.severity.code level: extended type: long 
@@ -3882,6 +3916,21 @@ If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.' example: Error + - name: syslog.structured_data + level: extended + type: flattened + description: Structured data expressed in RFC 5424 messages, if available. These + are key-value pairs formed from the structured data portion of the syslog + message, as defined in RFC 5424 Section 6.3. + default_field: false + - name: syslog.version + level: extended + type: keyword + ignore_above: 1024 + description: The version of the Syslog protocol specification. Only applicable + for RFC 5424 messages. + example: 1 + default_field: false - name: network title: Network group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 76e37f14a0..b76525df75 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -411,11 +411,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.2.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. 8.2.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 8.2.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +8.2.0-dev+exp,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. 8.2.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. 8.2.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.2.0-dev+exp,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.2.0-dev+exp,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. 8.2.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.2.0-dev+exp,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. 8.2.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. 8.2.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.2.0-dev+exp,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.2.0-dev+exp,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. 8.2.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. 8.2.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. 8.2.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e3ce27fbfd..f365ff250a 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -5453,6 +5453,17 @@ log.syslog: normalize: [] short: Syslog metadata type: object +log.syslog.appname: + dashed_name: log-syslog-appname + description: The device or application that originated the Syslog message, if available. + example: sshd + flat_name: log.syslog.appname + ignore_above: 1024 + level: extended + name: syslog.appname + normalize: [] + short: The device or application that originated the Syslog message. + type: keyword log.syslog.facility.code: dashed_name: log-syslog-facility-code description: 'The Syslog numeric facility of the log event, if available. 
@@ -5478,6 +5489,32 @@ log.syslog.facility.name: normalize: [] short: Syslog text-based facility of the event. type: keyword +log.syslog.hostname: + dashed_name: log-syslog-hostname + description: The hostname, FQDN, or IP of the machine that originally sent the Syslog + message. This is sourced from the hostname field of the syslog header. Depending + on the environment, this value may be different from the host that handled the + event, especially if the host handling the events is acting as a collector. + example: example-host + flat_name: log.syslog.hostname + ignore_above: 1024 + level: extended + name: syslog.hostname + normalize: [] + short: The host that originated the Syslog message. + type: keyword +log.syslog.msgid: + dashed_name: log-syslog-msgid + description: An identifier for the type of Syslog message, if available. Only applicable + for RFC 5424 messages. + example: ID47 + flat_name: log.syslog.msgid + ignore_above: 1024 + level: extended + name: syslog.msgid + normalize: [] + short: An identifier for the type of Syslog message. + type: keyword log.syslog.priority: dashed_name: log-syslog-priority description: 'Syslog numeric priority of the event, if available. @@ -5492,6 +5529,17 @@ log.syslog.priority: normalize: [] short: Syslog priority of the event. type: long +log.syslog.procid: + dashed_name: log-syslog-procid + description: The process name or ID that originated the Syslog message, if available. + example: 12345 + flat_name: log.syslog.procid + ignore_above: 1024 + level: extended + name: syslog.procid + normalize: [] + short: The process name or ID that originated the Syslog message. + type: keyword log.syslog.severity.code: dashed_name: log-syslog-severity-code description: 'The Syslog numeric severity of the log event, if available. 
@@ -5523,6 +5571,29 @@ log.syslog.severity.name: normalize: [] short: Syslog text-based severity of the event. type: keyword +log.syslog.structured_data: + dashed_name: log-syslog-structured-data + description: Structured data expressed in RFC 5424 messages, if available. These + are key-value pairs formed from the structured data portion of the syslog message, + as defined in RFC 5424 Section 6.3. + flat_name: log.syslog.structured_data + level: extended + name: syslog.structured_data + normalize: [] + short: Structured data expressed in RFC 5424 messages. + type: flattened +log.syslog.version: + dashed_name: log-syslog-version + description: The version of the Syslog protocol specification. Only applicable for + RFC 5424 messages. + example: 1 + flat_name: log.syslog.version + ignore_above: 1024 + level: extended + name: syslog.version + normalize: [] + short: Syslog protocol version. + type: keyword message: dashed_name: message description: 'For log events the message field contains the log message, optimized diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index b1b08c5e5b..f61dd50ee3 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -6784,6 +6784,18 @@ log: normalize: [] short: Syslog metadata type: object + log.syslog.appname: + dashed_name: log-syslog-appname + description: The device or application that originated the Syslog message, if + available. + example: sshd + flat_name: log.syslog.appname + ignore_above: 1024 + level: extended + name: syslog.appname + normalize: [] + short: The device or application that originated the Syslog message. + type: keyword log.syslog.facility.code: dashed_name: log-syslog-facility-code description: 'The Syslog numeric facility of the log event, if available. 
@@ -6809,6 +6821,33 @@ log: normalize: [] short: Syslog text-based facility of the event. type: keyword + log.syslog.hostname: + dashed_name: log-syslog-hostname + description: The hostname, FQDN, or IP of the machine that originally sent the + Syslog message. This is sourced from the hostname field of the syslog header. + Depending on the environment, this value may be different from the host that + handled the event, especially if the host handling the events is acting as + a collector. + example: example-host + flat_name: log.syslog.hostname + ignore_above: 1024 + level: extended + name: syslog.hostname + normalize: [] + short: The host that originated the Syslog message. + type: keyword + log.syslog.msgid: + dashed_name: log-syslog-msgid + description: An identifier for the type of Syslog message, if available. Only + applicable for RFC 5424 messages. + example: ID47 + flat_name: log.syslog.msgid + ignore_above: 1024 + level: extended + name: syslog.msgid + normalize: [] + short: An identifier for the type of Syslog message. + type: keyword log.syslog.priority: dashed_name: log-syslog-priority description: 'Syslog numeric priority of the event, if available. @@ -6823,6 +6862,17 @@ log: normalize: [] short: Syslog priority of the event. type: long + log.syslog.procid: + dashed_name: log-syslog-procid + description: The process name or ID that originated the Syslog message, if available. + example: 12345 + flat_name: log.syslog.procid + ignore_above: 1024 + level: extended + name: syslog.procid + normalize: [] + short: The process name or ID that originated the Syslog message. + type: keyword log.syslog.severity.code: dashed_name: log-syslog-severity-code description: 'The Syslog numeric severity of the log event, if available. 
@@ -6854,6 +6904,29 @@ log: normalize: [] short: Syslog text-based severity of the event. type: keyword + log.syslog.structured_data: + dashed_name: log-syslog-structured-data + description: Structured data expressed in RFC 5424 messages, if available. These + are key-value pairs formed from the structured data portion of the syslog + message, as defined in RFC 5424 Section 6.3. + flat_name: log.syslog.structured_data + level: extended + name: syslog.structured_data + normalize: [] + short: Structured data expressed in RFC 5424 messages. + type: flattened + log.syslog.version: + dashed_name: log-syslog-version + description: The version of the Syslog protocol specification. Only applicable + for RFC 5424 messages. + example: 1 + flat_name: log.syslog.version + ignore_above: 1024 + level: extended + name: syslog.version + normalize: [] + short: Syslog protocol version. + type: keyword group: 2 name: log prefix: log. diff --git a/experimental/generated/elasticsearch/composable/component/log.json b/experimental/generated/elasticsearch/composable/component/log.json index 5c0b616c6d..bcc7bfe349 100644 --- a/experimental/generated/elasticsearch/composable/component/log.json +++ b/experimental/generated/elasticsearch/composable/component/log.json @@ -45,6 +45,10 @@ }, "syslog": { "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, "facility": { "properties": { "code": { @@ -56,9 +60,21 @@ } } }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, "priority": { "type": "long" }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, "severity": { "properties": { "code": { @@ -69,6 +85,13 @@ "type": "keyword" } } + }, + "structured_data": { + "type": "flattened" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } }, "type": "object" 
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index d84c23733d..0f21b29a71 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -1976,6 +1976,10 @@ }, "syslog": { "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, "facility": { "properties": { "code": { @@ -1987,9 +1991,21 @@ } } }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, "priority": { "type": "long" }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, "severity": { "properties": { "code": { @@ -2000,6 +2016,13 @@ "type": "keyword" } } + }, + "structured_data": { + "type": "flattened" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } }, "type": "object" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 350bd536ab..f5d6081416 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3787,6 +3787,14 @@ type: object description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + - name: syslog.appname + level: extended + type: keyword + ignore_above: 1024 + description: The device or application that originated the Syslog message, if + available. + example: sshd + default_field: false - name: syslog.facility.code level: extended type: long 
@@ -3802,6 +3810,25 @@ ignore_above: 1024 description: The Syslog text-based facility of the log event, if available. example: local7 + - name: syslog.hostname + level: extended + type: keyword + ignore_above: 1024 + description: The hostname, FQDN, or IP of the machine that originally sent the + Syslog message. This is sourced from the hostname field of the syslog header. + Depending on the environment, this value may be different from the host that + handled the event, especially if the host handling the events is acting as + a collector. + example: example-host + default_field: false + - name: syslog.msgid + level: extended + type: keyword + ignore_above: 1024 + description: An identifier for the type of Syslog message, if available. Only + applicable for RFC 5424 messages. + example: ID47 + default_field: false - name: syslog.priority level: extended type: long @@ -3811,6 +3838,13 @@ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.' example: 135 + - name: syslog.procid + level: extended + type: keyword + ignore_above: 1024 + description: The process name or ID that originated the Syslog message, if available. + example: 12345 + default_field: false - name: syslog.severity.code level: extended type: long 
@@ -3832,6 +3866,21 @@ If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.' example: Error + - name: syslog.structured_data + level: extended + type: flattened + description: Structured data expressed in RFC 5424 messages, if available. These + are key-value pairs formed from the structured data portion of the syslog + message, as defined in RFC 5424 Section 6.3. + default_field: false + - name: syslog.version + level: extended + type: keyword + ignore_above: 1024 + description: The version of the Syslog protocol specification. Only applicable + for RFC 5424 messages. + example: 1 + default_field: false - name: network title: Network group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 803cdf4147..60eabbf5f9 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -404,11 +404,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.2.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. 8.2.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 8.2.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +8.2.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. 8.2.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. 8.2.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.2.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.2.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. 8.2.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.2.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. 8.2.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. 8.2.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.2.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +8.2.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. 8.2.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. 8.2.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. 8.2.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index af311f0deb..d1a081aa06 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -5384,6 +5384,17 @@ log.syslog: normalize: [] short: Syslog metadata type: object +log.syslog.appname: + dashed_name: log-syslog-appname + description: The device or application that originated the Syslog message, if available. + example: sshd + flat_name: log.syslog.appname + ignore_above: 1024 + level: extended + name: syslog.appname + normalize: [] + short: The device or application that originated the Syslog message. + type: keyword log.syslog.facility.code: dashed_name: log-syslog-facility-code description: 'The Syslog numeric facility of the log event, if available. @@ -5409,6 +5420,32 @@ log.syslog.facility.name: normalize: [] short: Syslog text-based facility of the event. type: keyword +log.syslog.hostname: + dashed_name: log-syslog-hostname + description: The hostname, FQDN, or IP of the machine that originally sent the Syslog + message. This is sourced from the hostname field of the syslog header. Depending + on the environment, this value may be different from the host that handled the + event, especially if the host handling the events is acting as a collector. + example: example-host + flat_name: log.syslog.hostname + ignore_above: 1024 + level: extended + name: syslog.hostname + normalize: [] + short: The host that originated the Syslog message. + type: keyword +log.syslog.msgid: + dashed_name: log-syslog-msgid + description: An identifier for the type of Syslog message, if available. Only applicable + for RFC 5424 messages. + example: ID47 + flat_name: log.syslog.msgid + ignore_above: 1024 + level: extended + name: syslog.msgid + normalize: [] + short: An identifier for the type of Syslog message. + type: keyword log.syslog.priority: dashed_name: log-syslog-priority description: 'Syslog numeric priority of the event, if available. 
@@ -5423,6 +5460,17 @@ log.syslog.priority: normalize: [] short: Syslog priority of the event. type: long +log.syslog.procid: + dashed_name: log-syslog-procid + description: The process name or ID that originated the Syslog message, if available. + example: 12345 + flat_name: log.syslog.procid + ignore_above: 1024 + level: extended + name: syslog.procid + normalize: [] + short: The process name or ID that originated the Syslog message. + type: keyword log.syslog.severity.code: dashed_name: log-syslog-severity-code description: 'The Syslog numeric severity of the log event, if available. @@ -5454,6 +5502,29 @@ log.syslog.severity.name: normalize: [] short: Syslog text-based severity of the event. type: keyword +log.syslog.structured_data: + dashed_name: log-syslog-structured-data + description: Structured data expressed in RFC 5424 messages, if available. These + are key-value pairs formed from the structured data portion of the syslog message, + as defined in RFC 5424 Section 6.3. + flat_name: log.syslog.structured_data + level: extended + name: syslog.structured_data + normalize: [] + short: Structured data expressed in RFC 5424 messages. + type: flattened +log.syslog.version: + dashed_name: log-syslog-version + description: The version of the Syslog protocol specification. Only applicable for + RFC 5424 messages. + example: 1 + flat_name: log.syslog.version + ignore_above: 1024 + level: extended + name: syslog.version + normalize: [] + short: Syslog protocol version. + type: keyword message: dashed_name: message description: 'For log events the message field contains the log message, optimized diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index f51c2c045d..91c50c9997 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -6704,6 +6704,18 @@ log: normalize: [] short: Syslog metadata type: object + log.syslog.appname: + dashed_name: log-syslog-appname + description: The device or application that originated the Syslog message, if + available. + example: sshd + flat_name: log.syslog.appname + ignore_above: 1024 + level: extended + name: syslog.appname + normalize: [] + short: The device or application that originated the Syslog message. + type: keyword log.syslog.facility.code: dashed_name: log-syslog-facility-code description: 'The Syslog numeric facility of the log event, if available. @@ -6729,6 +6741,33 @@ log: normalize: [] short: Syslog text-based facility of the event. type: keyword + log.syslog.hostname: + dashed_name: log-syslog-hostname + description: The hostname, FQDN, or IP of the machine that originally sent the + Syslog message. This is sourced from the hostname field of the syslog header. + Depending on the environment, this value may be different from the host that + handled the event, especially if the host handling the events is acting as + a collector. + example: example-host + flat_name: log.syslog.hostname + ignore_above: 1024 + level: extended + name: syslog.hostname + normalize: [] + short: The host that originated the Syslog message. + type: keyword + log.syslog.msgid: + dashed_name: log-syslog-msgid + description: An identifier for the type of Syslog message, if available. Only + applicable for RFC 5424 messages. + example: ID47 + flat_name: log.syslog.msgid + ignore_above: 1024 + level: extended + name: syslog.msgid + normalize: [] + short: An identifier for the type of Syslog message. + type: keyword log.syslog.priority: dashed_name: log-syslog-priority description: 'Syslog numeric priority of the event, if available. 
@@ -6743,6 +6782,17 @@ log: normalize: [] short: Syslog priority of the event. type: long + log.syslog.procid: + dashed_name: log-syslog-procid + description: The process name or ID that originated the Syslog message, if available. + example: 12345 + flat_name: log.syslog.procid + ignore_above: 1024 + level: extended + name: syslog.procid + normalize: [] + short: The process name or ID that originated the Syslog message. + type: keyword log.syslog.severity.code: dashed_name: log-syslog-severity-code description: 'The Syslog numeric severity of the log event, if available. @@ -6774,6 +6824,29 @@ log: normalize: [] short: Syslog text-based severity of the event. type: keyword + log.syslog.structured_data: + dashed_name: log-syslog-structured-data + description: Structured data expressed in RFC 5424 messages, if available. These + are key-value pairs formed from the structured data portion of the syslog + message, as defined in RFC 5424 Section 6.3. + flat_name: log.syslog.structured_data + level: extended + name: syslog.structured_data + normalize: [] + short: Structured data expressed in RFC 5424 messages. + type: flattened + log.syslog.version: + dashed_name: log-syslog-version + description: The version of the Syslog protocol specification. Only applicable + for RFC 5424 messages. + example: 1 + flat_name: log.syslog.version + ignore_above: 1024 + level: extended + name: syslog.version + normalize: [] + short: Syslog protocol version. + type: keyword group: 2 name: log prefix: log. diff --git a/generated/elasticsearch/composable/component/log.json b/generated/elasticsearch/composable/component/log.json index 7361c32011..dd83a4915e 100644 --- a/generated/elasticsearch/composable/component/log.json +++ b/generated/elasticsearch/composable/component/log.json @@ -45,6 +45,10 @@ }, "syslog": { "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, "facility": { "properties": { "code": { 
@@ -56,9 +60,21 @@ } } }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, "priority": { "type": "long" }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, "severity": { "properties": { "code": { @@ -69,6 +85,13 @@ "type": "keyword" } } + }, + "structured_data": { + "type": "flattened" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } }, "type": "object" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a8eb3b9318..67daf0db51 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -1934,6 +1934,10 @@ }, "syslog": { "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, "facility": { "properties": { "code": { @@ -1945,9 +1949,21 @@ } } }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, "priority": { "type": "long" }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, "severity": { "properties": { "code": { @@ -1958,6 +1974,13 @@ "type": "keyword" } } + }, + "structured_data": { + "type": "flattened" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } }, "type": "object" diff --git a/schemas/log.yml b/schemas/log.yml index 66743520fc..2d90ef0a96 100644 --- a/schemas/log.yml +++ b/schemas/log.yml 
@@ -156,3 +156,56 @@ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + + - name: syslog.version + level: extended + type: keyword + example: 1 + short: Syslog protocol version. + description: > + The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. + + - name: syslog.hostname + level: extended + type: keyword + example: example-host + short: The host that originated the Syslog message. + description: > + The hostname, FQDN, or IP of the machine that originally sent the Syslog + message. This is sourced from the hostname field of the syslog header. + Depending on the environment, this value may be different from the host + that handled the event, especially if the host handling the events is acting + as a collector. + + - name: syslog.appname + level: extended + type: keyword + example: sshd + short: The device or application that originated the Syslog message. + description: > + The device or application that originated the Syslog message, if available. + + - name: syslog.procid + level: extended + type: keyword + example: 12345 + short: The process name or ID that originated the Syslog message. + description: > + The process name or ID that originated the Syslog message, if available. + + - name: syslog.msgid + level: extended + type: keyword + example: ID47 + short: An identifier for the type of Syslog message. + description: > + An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages. + + - name: syslog.structured_data + level: extended + type: flattened + short: Structured data expressed in RFC 5424 messages. + description: > + Structured data expressed in RFC 5424 messages, if available. These are + key-value pairs formed from the structured data portion of the syslog + message, as defined in RFC 5424 Section 6.3.
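Review bot: In the schemas/log.yml hunk, `syslog.structured_data` is described only as "key-value pairs", but RFC 5424 Section 6.3 defines STRUCTURED-DATA as a list of SD-ELEMENTs, each named by an SD-ID and each carrying SD-PARAMs whose PARAM-NAME may repeat within one element (6.3.2). The description should state how SD-ID and PARAM-NAME combine into a key of the `flattened` object (for example nested under the SD-ID) and what happens to repeated PARAM-NAMEs (array versus last-wins), otherwise two ingest pipelines can populate the same field incompatibly. Choosing `flattened` is sound here, since SD-IDs and PARAM-NAMEs are chosen by the sender and a `flattened` object keeps them from growing the index mapping; note also that in the generated mappings `structured_data` is the only new field without `ignore_above: 1024`, so if the tooling allows it on `flattened`, adding the same bound would keep oversized sender-supplied values from being indexed.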
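Review bot: In the schemas/log.yml hunk, the `syslog.hostname`, `syslog.appname`, `syslog.procid`, `syslog.msgid` and `syslog.structured_data` descriptions say "if available" but do not say what to do with the RFC 5424 NILVALUE (`-`) that a sender may put in any of these header positions; suggest stating that the field is left unset rather than populated with `-`, so searches and aggregations on e.g. `log.syslog.appname` are not polluted by a literal dash. For `syslog.hostname` it would also help to state plainly that the value is self-reported by the sending process (it is copied from the header, as the description already notes) and is not the peer address the collector observed, so consumers do not treat it as an authenticated source identity.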
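Review bot: In the schemas/log.yml hunk, `syslog.version` and `syslog.procid` are typed `keyword` but their examples are unquoted YAML scalars (`example: 1`, `example: 12345`), so they are parsed as integers and propagate that way into the generated ecs_flat.yml, ecs_nested.yml and beats fields.ecs.yml shown above; quoting them (`example: '1'`, `example: '12345'`) would make the documented example match the field type and avoid readers assuming numeric range queries work on these fields.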