#6629 - Update aruba to handle optional syslog priority and prod_id format variations (#15985)

* Update aruba to handle optional syslog priority and format variations in procid fields
- parsed the priority field introduced within some CX switches
- extracted prod_id into it's own pattern_definition for readability

Test Cases:
- validated that for <xxx>1 that the priority field is being parsed out. Note the "count" value after the angle bracket is not being parsed to a field
- validated that all pipeline test pass

Author: qcorporation

packages/hpe_aruba_cx/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.3.0"
+  changes:
+    - description: Handle optional syslog priority and format variations in procid fields.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15985
 - version: "0.2.0"
   changes:
     - description: Preserve event.original on pipeline error.

packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log

@@ -31,6 +31,7 @@
 2024-08-01T13:12:03.990790-04:00 6300-DIST-RDL hpe-sysmond[3512]: Event|6303|LOG_INFO|CDTR|1|Current system memory usage for module 1/1 is 29%
 2024-08-01T16:33:25.911904-04:00 6300-DIST-RDL hpe-restd[1254]: Event|7708|LOG_INFO|UKWN|1|Certificate www.elastic.co verified and accepted
 2024-08-01T16:33:25.735166-04:00 6300-DIST-RDL tpmd[610]: Event|13601|LOG_INFO|||TPM_Sign requested by hpe-restd was successful
+<190>1 2024-10-07T10:32:00.994423+00:00 TBD-TW-02 tpmd 1234 - - Event|13601|LOG_INFO|||TPM_Sign requested by abc-defgh was successful
 2024-07-31T15:40:13.958990-05:00 8360-Primaire lldpd[2864192]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 added on 1/1/15
 2024-01-03T04:46:00.827699-05:00 8360-Primaire lldpd[822946]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 added on mgmt
 2024-06-04T15:03:13.738207-05:00 8360-Primaire lldpd[2864192]: Event|105|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 updated on 1/1/17
@@ -159,6 +160,7 @@
 2024-05-23T18:18:55.337381-05:00 8360-Primaire hpe-vsxd[791]: Event|7012|LOG_INFO|AMM|1/1|VSX 50 state local down, remote up
 2024-06-19T10:49:25.794800-05:00 8360-Primaire hpe-vsxd[791]: Event|7034|LOG_INFO|AMM|1/1|Netdev 12a345678901234 configured with ipv4 address 127.0.0.1
 2024-08-01T15:15:35.145388-05:00 8360-Primaire hpe-restd[1956]: Event|7708|LOG_INFO|AMM|1/1|Certificate devices-v2.arubanetworks.com verified and accepted
+<190>1 2024-10-07T10:35:19.998679+00:00 TBD-TW-02 abc-defgh 1234 - - Event|7708|LOG_INFO|||Certificate subdomain.arubanetworks.com verified and accepted
 2024-05-11T05:59:01.013908-05:00 8360-Primaire cdpd[715]: Event|8903|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is added on 1/1/46
 2024-05-11T05:59:56.149609-05:00 8360-Primaire cdpd[715]: Event|8904|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is updated on 1/1/46
 2024-05-11T05:04:25.672834-05:00 8360-Primaire cdpd[715]: Event|8905|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is deleted on 1/1/46

packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log-expected.json

@@ -1578,6 +1578,49 @@
                 "preserve_original_event"
             ]
         },
+        {
+            "@timestamp": "2024-10-07T10:32:00.994423+00:00",
+            "aruba": {
+                "event_type": "Event",
+                "hardware": {
+                    "device": "TBD-TW-02"
+                },
+                "sequence": ""
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "network",
+                    "configuration"
+                ],
+                "code": "13601",
+                "kind": [
+                    "event"
+                ],
+                "original": "<190>1 2024-10-07T10:32:00.994423+00:00 TBD-TW-02 tpmd 1234 - - Event|13601|LOG_INFO|||TPM_Sign requested by abc-defgh was successful",
+                "outcome": "success",
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "level": "LOG_INFO",
+                "syslog": {
+                    "appname": "tpmd",
+                    "priority": 190,
+                    "procid": "1234"
+                }
+            },
+            "message": "TPM_Sign requested by abc-defgh was successful",
+            "process": {
+                "name": "abc-defgh"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
         {
             "@timestamp": "2024-07-31T15:40:13.958990-05:00",
             "aruba": {
@@ -7787,6 +7830,50 @@
                 "preserve_original_event"
             ]
         },
+        {
+            "@timestamp": "2024-10-07T10:35:19.998679+00:00",
+            "aruba": {
+                "cm": {
+                    "cert_name": "subdomain.arubanetworks.com"
+                },
+                "event_type": "Event",
+                "hardware": {
+                    "device": "TBD-TW-02"
+                },
+                "sequence": ""
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "network",
+                    "configuration"
+                ],
+                "code": "7708",
+                "kind": [
+                    "event"
+                ],
+                "original": "<190>1 2024-10-07T10:35:19.998679+00:00 TBD-TW-02 abc-defgh 1234 - - Event|7708|LOG_INFO|||Certificate subdomain.arubanetworks.com verified and accepted",
+                "outcome": "success",
+                "type": [
+                    "info",
+                    "access"
+                ]
+            },
+            "log": {
+                "level": "LOG_INFO",
+                "syslog": {
+                    "appname": "abc-defgh",
+                    "priority": 190,
+                    "procid": "1234"
+                }
+            },
+            "message": "Certificate subdomain.arubanetworks.com verified and accepted",
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
         {
             "@timestamp": "2024-05-11T05:59:01.013908-05:00",
             "aruba": {

packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -36,8 +36,10 @@ processors:
       patterns:
         - "%{SYSLOG_HEADER}%{GREEDYDATA:message}"
       pattern_definitions:
-        SYSLOG_HEADER: "%{TIMESTAMP_ISO8601:@timestamp}\\s+%{USER:aruba.hardware.device}\\s+%{DATA:log.syslog.appname}\\[%{POSINT:log.syslog.procid}\\]:\\s+%{WORD:aruba.event_type}\\|(?:%{OPTIONAL_HEADER})?"
+        SYSLOG_HEADER: "%{OPTIONAL_PRIORITY}%{TIMESTAMP_ISO8601:@timestamp}\\s+%{USER:aruba.hardware.device}\\s+%{DATA:log.syslog.appname}%{PROC_ID}\\s+%{WORD:aruba.event_type}\\|(?:%{OPTIONAL_HEADER})?"
+        PROC_ID: "(\\[%{POSINT:log.syslog.procid}\\]:|\\s+%{POSINT:log.syslog.procid}\\s+- -)"
         OPTIONAL_HEADER: "%{POSINT:event.code}\\|%{USER:log.level}\\|(?:%{USER:aruba.component.category})?\\|(?:%{DATA:aruba.sequence})?\\|"
+        OPTIONAL_PRIORITY: "(?:<%{NONNEGINT:log.syslog.priority:long}>(?:%{NONNEGINT})?\\s+)?"
   - grok:
       field: aruba.sequence
       if: ctx.aruba?.sequence != null && ctx.aruba.sequence.contains("/")

packages/hpe_aruba_cx/data_stream/log/fields/ecs.yml

@@ -68,6 +68,8 @@
   name: log.origin.file.name
 - external: ecs
   name: log.syslog.appname
+- external: ecs
+  name: log.syslog.priority
 - external: ecs
   name: log.syslog.procid
 - external: ecs

packages/hpe_aruba_cx/docs/README.md

@@ -2456,6 +2456,7 @@ The `log` dataset collects the HPE Aruba CX logs.
 | log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
 | log.syslog.procid | The process name or ID that originated the Syslog message, if available. | keyword |
 | log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |

packages/hpe_aruba_cx/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.2.1
 name: hpe_aruba_cx
 title: "HPE Aruba CX"
-version: 0.2.0
+version: 0.3.0
 description: "Collect logs from HPE Aruba CX with Elastic Agent"
 type: integration
 categories: