Parsing SSSD logs fails

Elastic Stack Beats
,
1

Hello,

there seems to be a bug with filebeat when collecting SSSD logs. If there's no process id, the field in the logfile gets filled with the domain stated in the launch options with --domain. Afaik, pid is type long tho, so I'm receiving the following error message:

Jul 27 13:10:26 server logstash[117166]: {"level":"WARN","loggerName":"logstash.outputs.elasticsearch","timeMillis":1658920226135,"thread":"[shipper_x]>worker10","logEvent":{"message":"Could not index event to Elasticsearch.","status":400,"action":["index",{"_index":"journald-%

{[index][lifespan]}"},{"event":{"created":"2022-07-27T10:57:27.828Z","kind":"event"},"log":{"syslog":{"priority":4,"facility":{"code":10}},"original":"Warning: user would have beode."},"ecs":{"version":"1.12.0"},"vxxxxx":{"meta":{"index":{"name":"journald","lifespan":"%{[index][lifespan]}

"}}},"journald":{"uid":0,"gid":0,"process":

{"capabilities":"3fffffffff","executable":"/usr/lib/sssd/sssd_be","command_line":"/usr/lib/sssd/sssd_be --domain STRING --uid 0 --gid 0 --logger=files","name":"sssd_be"}

,"pid":1294,"host":{"boot_id":"332d9803eb9cdc3ecfa"}},"agent":{"name":"d","id":"d","hostname":"lserver1","ephemeral_id":"e3cdb48d-39c9d7e5b857","type":"filebeat","version":"7.16.2"},"syslog":{"identifier":"sssd[be","pid":"STRING]","priority":4,"facility":10},"@version":"1","input":{"type":"journald"},"process":{"command_line":"/usr/lib/sssd/sssd_be --domain STRING --uid 0 --gid 0 --logger=files","args":["/usr/lib/sssd/sssd_be","--domain","STRING","--uid","0","--gid","0","--logger=files"],"args_count":8,"pid":1294},"user":{"id":"0","group":{"id":"0"}},"systemd":{"cgroup":"/system.slice/sssd.service","unit":"sssd.service","transport":"syslog","slice":"system.slice"},"tags"yyy,"@timestamp":"2022-07-27T10:57:26.720Z","message":"Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.","host":{"os":

{"family":"suse","name":"SLES","kernel":"4.12.14-122.124-default","type":"linux","platform":"sles","version":"12-SP5"}

,"architecture":"x86_64","mac":["00:50:56:a0:b5:ba"],"containerized":false,"id":"e8043y86095151d","name":"SERVER","hostname":"yyy","ip":["172.16.55.68","fe80::250:56ff:fea0:b5ba"]}}],"response":{"index":{"_index":"journald-%

{[index][lifespan]}

","_type":"_doc","_id":"Er5ZPyzY8D","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse field [syslog.pid] of type [long] in document with id 'Er5ZP4IBGD4Ztk-czY8D'. Preview of field's value: 'STRING]'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"STRING\""}}}}}}

Is there any way to fix this?

Thanks in advance

2

Hi,

I think the problem is on this part of the event, it looks like the syslog pid and identifiers are not being correctly parsed. Could you share the configuration of Filebeat used to get these logs?

3

Oh, it seems that this is an issue already reported: Filebeat journald input: entries with child process doesn't parse the syslog.pid and syslog.identifier as expected · Issue #31245 · elastic/beats · GitHub

4

Thanks for linking. Is there any change this is going to be fixxed soon or is there any workaround?

Thanks in advance

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.