Observation:
It is observed that filebeat is unable to parse an RFC 3164 syslog message when the priority value in the message is <0>. For all other priorities filebeat works as expected.
Since <0> encodes facility 0 (kernel) with severity 0 (Emergency), the filebeat syslog input will never be able to parse kernel Emergency messages.
This is a major bug in the filebeat syslog input plugin.
Verification Version:
6.4.1 and 6.6.x
Execution Steps:
1. Enable the "syslog" type prospector using the "tcp" protocol in "filebeat.yml"
filebeat.inputs:
- type: syslog
  enabled: true
  protocol.tcp:
    host: "localhost:9000"
2. Start filebeat
# filebeat -e
3. Connect to filebeat with a tcp client and send the message
# nc localhost 9000
<0>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
Output observed in the "syslog" field of the parsed message:
...................
syslog:{}
...................
Expected value of the "syslog" field of the parsed message:
....................
"syslog": {
"priority": 0,
"severity_label": "Emergency",
"facility": 0,
"facility_label": "kernel"
},
....................
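To make the expected parse concrete, here is an added example (not filebeat's own code) of an RFC 3164 PRI parser in Go that treats <0> as a valid value, next to a small check that reproduces the failure mode described above. The labels other than "kernel" and "Emergency" are the conventional RFC 3164 names, and the zero-as-sentinel cause in buggyHasPri is an assumption, not a statement about filebeat's source.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// RFC 3164 code -> label; only "kernel" and "Emergency" appear in the report.
var severityLabels = []string{"Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"}
var facilityLabels = []string{"kernel", "user-level", "mail", "system", "security/authorization",
	"syslogd", "line printer", "network news", "UUCP", "clock", "security/authorization", "FTP",
	"NTP", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4",
	"local5", "local6", "local7"}

type Pri struct {
	Priority, Facility, Severity int
	FacilityLabel, SeverityLabel string
}

// ParsePri reads the PRI "<N>" (N = facility*8 + severity, 0..191) from the start of a
// line. ok is false only for an absent or malformed PRI: "<0>" is valid (kernel/Emergency).
func ParsePri(msg string) (pri Pri, rest string, ok bool) {
	end := strings.IndexByte(msg, '>')
	if len(msg) < 3 || msg[0] != '<' || end < 2 || end > 4 {
		return Pri{}, msg, false // no "<", empty "<>", or more than 3 digits
	}
	digits := msg[1:end]
	n, err := strconv.Atoi(digits)
	if err != nil || n > 191 || digits[0] < '0' || digits[0] > '9' ||
		(len(digits) > 1 && digits[0] == '0') { // reject signs and leading zeros
		return Pri{}, msg, false
	}
	return Pri{n, n / 8, n % 8, facilityLabels[n/8], severityLabels[n%8]}, msg[end+1:], true
}

// buggyHasPri reproduces the failure mode the report describes; the cause is an
// assumption, not filebeat's code: storing the priority in an int that defaults to 0 and
// testing "priority != 0" for "PRI seen" cannot tell "<0>" from "no PRI" (syslog:{}).
func buggyHasPri(msg string) bool {
	pri, _, ok := ParsePri(msg)
	return ok && pri.Priority != 0
}

func main() {
	// Constructed input: the message from the report's reproduction step.
	msg := "<0>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
	pri, rest, ok := ParsePri(msg)
	fmt.Printf("ok=%v %+v rest=%q\nzero-as-sentinel parser keeps it: %v\n", ok, pri, rest, buggyHasPri(msg))
}
```

The correct parser returns priority 0 / facility 0 "kernel" / severity 0 "Emergency" for the report's message, while the sentinel-style check discards exactly that message.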
Important Note:
I have verified this in different filebeat versions as well as in the currently stable 6.6.x version. It is not working.
I am able to identify a source-code-level mistake for the above scenario. I have locally fixed this issue in the code and it is working fine.
So I am going to raise an issue on GitHub and will also upload the patch for the fix.
Kindly let me know if you have any suggestions.