diff --git a/packages/hpe_aruba_cx/changelog.yml b/packages/hpe_aruba_cx/changelog.yml
index ab5ac51b14e..151f0059f04 100644
--- a/packages/hpe_aruba_cx/changelog.yml
+++ b/packages/hpe_aruba_cx/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.3.0"
+ changes:
+ - description: Handle optional syslog priority and format variations in procid fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15985
 - version: "0.2.0"
 changes:
 - description: Preserve event.original on pipeline error.
diff --git a/packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log b/packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log
index 47f49b305f8..fe1d08a6d83 100644
--- a/packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log
+++ b/packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log
@@ -31,6 +31,7 @@
 2024-08-01T13:12:03.990790-04:00 6300-DIST-RDL hpe-sysmond[3512]: Event|6303|LOG_INFO|CDTR|1|Current system memory usage for module 1/1 is 29%
 2024-08-01T16:33:25.911904-04:00 6300-DIST-RDL hpe-restd[1254]: Event|7708|LOG_INFO|UKWN|1|Certificate www.elastic.co verified and accepted
 2024-08-01T16:33:25.735166-04:00 6300-DIST-RDL tpmd[610]: Event|13601|LOG_INFO|||TPM_Sign requested by hpe-restd was successful
+<190>1 2024-10-07T10:32:00.994423+00:00 TBD-TW-02 tpmd 1234 - - Event|13601|LOG_INFO|||TPM_Sign requested by abc-defgh was successful
 2024-07-31T15:40:13.958990-05:00 8360-Primaire lldpd[2864192]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 added on 1/1/15
 2024-01-03T04:46:00.827699-05:00 8360-Primaire lldpd[822946]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 added on mgmt
 2024-06-04T15:03:13.738207-05:00 8360-Primaire lldpd[2864192]: Event|105|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 updated on 1/1/17
@@ -159,6 +160,7 @@
 2024-05-23T18:18:55.337381-05:00 8360-Primaire hpe-vsxd[791]: Event|7012|LOG_INFO|AMM|1/1|VSX 50 state local down, remote up
 2024-06-19T10:49:25.794800-05:00 8360-Primaire hpe-vsxd[791]: Event|7034|LOG_INFO|AMM|1/1|Netdev 12a345678901234 configured with ipv4 address 127.0.0.1
 2024-08-01T15:15:35.145388-05:00 8360-Primaire hpe-restd[1956]: Event|7708|LOG_INFO|AMM|1/1|Certificate devices-v2.arubanetworks.com verified and accepted
+<190>1 2024-10-07T10:35:19.998679+00:00 TBD-TW-02 abc-defgh 1234 - - Event|7708|LOG_INFO|||Certificate subdomain.arubanetworks.com verified and accepted
 2024-05-11T05:59:01.013908-05:00 8360-Primaire cdpd[715]: Event|8903|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is added on 1/1/46
 2024-05-11T05:59:56.149609-05:00 8360-Primaire cdpd[715]: Event|8904|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is updated on 1/1/46
 2024-05-11T05:04:25.672834-05:00 8360-Primaire cdpd[715]: Event|8905|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is deleted on 1/1/46
diff --git a/packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log-expected.json b/packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log-expected.json
index b4f48ab493e..0124206286f 100644
--- a/packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log-expected.json
+++ b/packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log-expected.json
@@ -1578,6 +1578,49 @@
 "preserve_original_event"
 ]
 },
+ {
+ "@timestamp": "2024-10-07T10:32:00.994423+00:00",
+ "aruba": {
+ "event_type": "Event",
+ "hardware": {
+ "device": "TBD-TW-02"
+ },
+ "sequence": ""
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "configuration"
+ ],
+ "code": "13601",
+ "kind": [
+ "event"
+ ],
+ "original": "<190>1 2024-10-07T10:32:00.994423+00:00 TBD-TW-02 tpmd 1234 - - Event|13601|LOG_INFO|||TPM_Sign requested by abc-defgh was successful",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "LOG_INFO",
+ "syslog": {
+ "appname": "tpmd",
+ "priority": 190,
+ "procid": "1234"
+ }
+ },
+ "message": "TPM_Sign requested by abc-defgh was successful",
+ "process": {
+ "name": "abc-defgh"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
 {
 "@timestamp": "2024-07-31T15:40:13.958990-05:00",
 "aruba": {
@@ -7787,6 +7830,50 @@
 "preserve_original_event"
 ]
 },
+ {
+ "@timestamp": "2024-10-07T10:35:19.998679+00:00",
+ "aruba": {
+ "cm": {
+ "cert_name": "subdomain.arubanetworks.com"
+ },
+ "event_type": "Event",
+ "hardware": {
+ "device": "TBD-TW-02"
+ },
+ "sequence": ""
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "configuration"
+ ],
+ "code": "7708",
+ "kind": [
+ "event"
+ ],
+ "original": "<190>1 2024-10-07T10:35:19.998679+00:00 TBD-TW-02 abc-defgh 1234 - - Event|7708|LOG_INFO|||Certificate subdomain.arubanetworks.com verified and accepted",
+ "outcome": "success",
+ "type": [
+ "info",
+ "access"
+ ]
+ },
+ "log": {
+ "level": "LOG_INFO",
+ "syslog": {
+ "appname": "abc-defgh",
+ "priority": 190,
+ "procid": "1234"
+ }
+ },
+ "message": "Certificate subdomain.arubanetworks.com verified and accepted",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
 {
 "@timestamp": "2024-05-11T05:59:01.013908-05:00",
 "aruba": {
diff --git a/packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 33751200292..c80831a4724 100644
--- a/packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -36,8 +36,10 @@ processors:
 patterns:
 - "%{SYSLOG_HEADER}%{GREEDYDATA:message}"
 pattern_definitions:
- SYSLOG_HEADER: "%{TIMESTAMP_ISO8601:@timestamp}\\s+%{USER:aruba.hardware.device}\\s+%{DATA:log.syslog.appname}\\[%{POSINT:log.syslog.procid}\\]:\\s+%{WORD:aruba.event_type}\\|(?:%{OPTIONAL_HEADER})?"
+ SYSLOG_HEADER: "%{OPTIONAL_PRIORITY}%{TIMESTAMP_ISO8601:@timestamp}\\s+%{USER:aruba.hardware.device}\\s+%{DATA:log.syslog.appname}%{PROC_ID}\\s+%{WORD:aruba.event_type}\\|(?:%{OPTIONAL_HEADER})?"
+ PROC_ID: "(\\[%{POSINT:log.syslog.procid}\\]:|\\s+%{POSINT:log.syslog.procid}\\s+- -)"
 OPTIONAL_HEADER: "%{POSINT:event.code}\\|%{USER:log.level}\\|(?:%{USER:aruba.component.category})?\\|(?:%{DATA:aruba.sequence})?\\|"
+ OPTIONAL_PRIORITY: "(?:<%{NONNEGINT:log.syslog.priority:long}>(?:%{NONNEGINT})?\\s+)?"
 - grok:
 field: aruba.sequence
 if: ctx.aruba?.sequence != null && ctx.aruba.sequence.contains("/")
diff --git a/packages/hpe_aruba_cx/data_stream/log/fields/ecs.yml b/packages/hpe_aruba_cx/data_stream/log/fields/ecs.yml
index d913bc10860..fb5dfdf2f7e 100644
--- a/packages/hpe_aruba_cx/data_stream/log/fields/ecs.yml
+++ b/packages/hpe_aruba_cx/data_stream/log/fields/ecs.yml
@@ -68,6 +68,8 @@
 name: log.origin.file.name
 - external: ecs
 name: log.syslog.appname
+- external: ecs
+ name: log.syslog.priority
 - external: ecs
 name: log.syslog.procid
 - external: ecs
diff --git a/packages/hpe_aruba_cx/docs/README.md b/packages/hpe_aruba_cx/docs/README.md
index 3555b0a9d57..dc36f4e4d25 100644
--- a/packages/hpe_aruba_cx/docs/README.md
+++ b/packages/hpe_aruba_cx/docs/README.md
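Review bot: The RFC 5424 alternative in the new `PROC_ID` definition only matches a numeric PROCID followed by the literal nil pair `- -`, so a header carrying a nil PROCID (`-`), a non-nil MSGID, or a structured-data element fails the whole `SYSLOG_HEADER` grok even though `OPTIONAL_PRIORITY` now accepts the `<PRI>1` prefix, and the two fixture lines added in test-aruba-cx.log exercise only the `1234 - -` shape, so that gap is untested. A less brittle form that still refuses nothing the fixtures rely on is `PROC_ID: "(?:\\[%{POSINT:log.syslog.procid}\\]:|\\s+%{POSINT:log.syslog.procid}\\s+%{NOTSPACE}\\s+-)"`, which also makes the outer group non-capturing like the other two definitions. `log.syslog.priority` is stored as a bare `long` with no range check, so a value above 191 is indexed as-is and the facility/severity it encodes are not decomposed into the ECS `log.syslog.facility.code`/`log.syslog.severity.code` fields; if that is intended, a comment on the `OPTIONAL_PRIORITY` line such as `# PRI = facility*8+severity (RFC 5424); version digit matched but not captured` would save the next reader the question. The grok processor these definitions belong to starts above the hunk.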
@@ -2456,6 +2456,7 @@ The `log` dataset collects the HPE Aruba CX logs.
 | log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
 | log.syslog.procid | The process name or ID that originated the Syslog message, if available. | keyword |
 | log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
diff --git a/packages/hpe_aruba_cx/manifest.yml b/packages/hpe_aruba_cx/manifest.yml
index 35c42b76eaf..5353154342c 100644
--- a/packages/hpe_aruba_cx/manifest.yml
+++ b/packages/hpe_aruba_cx/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.2.1
 name: hpe_aruba_cx
 title: "HPE Aruba CX"
-version: 0.2.0
+version: 0.3.0
 description: "Collect logs from HPE Aruba CX with Elastic Agent"
 type: integration
 categories: