
Fix grok pattern in filebeat module system/auth without hostname #4224

Merged (1 commit, May 5, 2017)

Conversation

@ruflin (Collaborator) commented May 5, 2017

Some log lines like `Feb  9 21:20:08  sshd[8317]: last message repeated 2 times` do not contain a hostname. This change in the grok pattern makes the hostname optional.

  • Make system module tests more verbose on error
Fix grok pattern in filebeat module system/auth without hostname
Some log lines like `Feb  9 21:20:08  sshd[8317]: last message repeated 2 times` do not contain a hostname. This change in the grok pattern makes the hostname optional.

* Make system module tests more verbose on error
@@ -15,7 +15,7 @@
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sudo(?:\\[%{POSINT:system.auth.pid}\\])?: \\s*%{DATA:system.auth.user} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} groupadd(?:\\[%{POSINT:system.auth.pid}\\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} useradd(?:\\[%{POSINT:system.auth.pid}\\])?: new user: name=%{DATA:system.auth.useradd.name}, UID=%{NUMBER:system.auth.useradd.uid}, GID=%{NUMBER:system.auth.useradd.gid}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} %{DATA:system.auth.program}(?:\\[%{POSINT:system.auth.pid}\\])?: %{GREEDYMULTILINE:system.auth.message}"
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname}? %{DATA:system.auth.program}(?:\\[%{POSINT:system.auth.pid}\\])?: %{GREEDYMULTILINE:system.auth.message}"
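Review bot: the `?` added to `%{SYSLOGHOST:system.auth.hostname}` in the last pattern makes the hostname group optional but leaves both surrounding literal spaces mandatory, so a hostname-less line only parses when it carries two spaces between the timestamp and the program, as the `Feb  9 21:20:08  sshd[8317]:` sample does; the same message with a single space would still miss every pattern in this list, and the tests only pass because the fixture has the double space. Moving the separator inside the optional group, `( %{SYSLOGHOST:system.auth.hostname})?`, covers the single-space form, but with a literal space still following the group the second space of the two-space line then ends up inside `system.auth.program`; allowing a run of spaces (` +`) around the optional host avoids both problems, and a single-space fixture in the module tests would pin the behaviour down. Note also that the sudo, groupadd and useradd patterns above are unchanged and still require a hostname, so hostname-less lines from those programs would only be caught by the catch-all and lose their structured fields.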

@tsg (Collaborator), May 5, 2017:
I usually do it like `( %{SYSLOGHOST:system.auth.hostname})?`, otherwise it might require two spaces? That might not be the case, though, if the tests are passing.

@ruflin (Author, Collaborator), May 5, 2017:

Seems like tests passed. Should I still do the change?
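To make the point about the separator concrete, here is an added example (my own, not code from the beats repository or from this PR) that expands the catch-all grok pattern from the hunk, the PR's `%{SYSLOGHOST}?` version and the `( %{SYSLOGHOST})?` form suggested in the review into Python regexes and runs them over constructed auth log lines. It uses Python's `re` module as a stand-in for the Joni/Oniguruma engine behind the grok processor, transcribes only the grok library patterns it needs (IPv6 hosts omitted), and adds a fourth `folded` variant that allows a run of spaces around the optional host; that variant, the sample lines and the helper names are my assumptions, not anything the PR ships.

```python
import re

# Subset of the standard grok pattern library, transcribed here so the
# example runs offline with Python's re module (IPv6 hosts omitted).
# GREEDYMULTILINE is the filebeat system module's own definition, (.|\n)*.
GROK = {
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?"
             r"|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "IPV4": r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}"
            r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "SYSLOGHOST": r"(?:%{HOSTNAME}|%{IPV4})",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "DATA": r".*?",
    "GREEDYMULTILINE": r"(?:.|\n)*",
}

_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def compile_grok(pattern):
    """Expand %{NAME} / %{NAME:field} references recursively into a Python regex.
    Python group names cannot contain dots, so 'system.auth.pid' becomes
    'system__auth__pid' here and parse() maps it back."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = _REF.sub(expand, GROK[name])
        if field is None:
            return "(?:%s)" % body
        return "(?P<%s>%s)" % (field.replace(".", "__"), body)
    return re.compile(_REF.sub(expand, pattern))


def parse(regex, line):
    """Anchored match (as if the grok pattern started with '^'); returns the
    captured fields with dotted names restored, or None when nothing matches."""
    m = regex.match(line)
    if m is None:
        return None
    return {k.replace("__", "."): v for k, v in m.groupdict().items() if v is not None}


# The catch-all pattern from the hunk, before and after the PR (JSON escaping of
# '\\[' undone, since these are raw Python strings), plus the form from the review.
PREFIX = r"%{SYSLOGTIMESTAMP:system.auth.timestamp}"
SUFFIX = r"%{DATA:system.auth.program}(?:\[%{POSINT:system.auth.pid}\])?: %{GREEDYMULTILINE:system.auth.message}"
PATTERNS = {
    "before": PREFIX + r" %{SYSLOGHOST:system.auth.hostname} " + SUFFIX,
    "pr":     PREFIX + r" %{SYSLOGHOST:system.auth.hostname}? " + SUFFIX,
    "tsg":    PREFIX + r"( %{SYSLOGHOST:system.auth.hostname})? " + SUFFIX,
    # Assumed variant, not from the PR: put the separator inside the optional
    # group and allow runs of spaces, so one or two spaces both parse cleanly.
    "folded": PREFIX + r" +(?:%{SYSLOGHOST:system.auth.hostname} +)?" + SUFFIX,
}

# Constructed sample lines (not the PR's test fixtures).
SAMPLES = {
    "with_host":  "Feb  9 21:20:08 myhost sshd[8317]: Accepted publickey for alice from 10.0.0.5 port 50322 ssh2",
    "two_spaces": "Feb  9 21:20:08  sshd[8317]: last message repeated 2 times",
    "one_space":  "Feb  9 21:20:08 sshd[8317]: last message repeated 2 times",
}


def evaluate():
    """Run every pattern variant over every sample; None means 'no match'."""
    compiled = {name: compile_grok(p) for name, p in PATTERNS.items()}
    return {name: {tag: parse(rx, line) for tag, line in SAMPLES.items()}
            for name, rx in compiled.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print("==", name)
        for tag, fields in results.items():
            shown = "NO MATCH" if fields is None else {
                k.split(".")[-1]: v for k, v in fields.items() if k != "system.auth.message"}
            print("  %-10s %s" % (tag, shown))
```

Running it shows the four behaviours side by side: the pre-PR pattern rejects both hostname-less lines; the PR's pattern parses the two-space line (no `system.auth.hostname`, `system.auth.program` = `sshd`, `system.auth.pid` = `8317`) but still rejects the single-space line; the `( %{SYSLOGHOST})?` form accepts both but leaves `" sshd"` with a leading space as the program on the two-space line; the `folded` variant yields `sshd` for all three and a hostname only where one is present.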

@tsg tsg merged commit 598672b into elastic:master May 5, 2017

3 of 4 checks passed:
  • continuous-integration/appveyor/pr: waiting for AppVeyor build to complete
  • CLA: commit author has signed the CLA
  • continuous-integration/travis-ci/pr: the Travis CI build passed
  • default: build finished

@ruflin ruflin deleted the ruflin:grok-pattern-fix branch May 5, 2017

ruflin added a commit to ruflin/beats that referenced this pull request May 5, 2017
Fix grok pattern in filebeat module system/auth without hostname (elastic#4224)
(cherry picked from commit 598672b)

ruflin added a commit to ruflin/beats that referenced this pull request May 5, 2017
Fix grok pattern in filebeat module system/auth without hostname (elastic#4224)
(cherry picked from commit 598672b)

tsg added a commit that referenced this pull request May 8, 2017
Fix grok pattern in filebeat module system/auth without hostname (#4224) (#4228)
(cherry picked from commit 598672b)

@tsg tsg removed the needs_backport label May 8, 2017

ramon-garcia added a commit to ramon-garcia/beats that referenced this pull request Dec 5, 2017
Fix grok pattern in filebeat module system/auth without hostname (elastic#4224)

athom added a commit to athom/beats that referenced this pull request Jan 25, 2018
Fix grok pattern in filebeat module system/auth without hostname (elastic#4224)