Commit 292cef3

#6629 - Update aruba to handle optional syslog priority and prod_id format variations (#15985)
* Update aruba to handle optional syslog priority and format variations in procid fields
  - parsed the priority field introduced within some CX switches
  - extracted prod_id into its own pattern_definition for readability

Test Cases:
  - validated that for <xxx>1 the priority field is being parsed out. Note the "count" value after the angle bracket is not being parsed to a field
  - validated that all pipeline tests pass
1 parent 6a23ff4 commit 292cef3

7 files changed

+101
-2
lines changed

packages/hpe_aruba_cx/changelog.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,9 @@
11
# newer versions go on top
2+
- version: "0.3.0"
3+
changes:
4+
- description: Handle optional syslog priority and format variations in procid fields.
5+
type: enhancement
6+
link: https://github.com/elastic/integrations/pull/15985
27
- version: "0.2.0"
38
changes:
49
- description: Preserve event.original on pipeline error.

packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log

Lines changed: 2 additions & 0 deletions
@@ -31,6 +31,7 @@
3131
2024-08-01T13:12:03.990790-04:00 6300-DIST-RDL hpe-sysmond[3512]: Event|6303|LOG_INFO|CDTR|1|Current system memory usage for module 1/1 is 29%
3232
2024-08-01T16:33:25.911904-04:00 6300-DIST-RDL hpe-restd[1254]: Event|7708|LOG_INFO|UKWN|1|Certificate www.elastic.co verified and accepted
3333
2024-08-01T16:33:25.735166-04:00 6300-DIST-RDL tpmd[610]: Event|13601|LOG_INFO|||TPM_Sign requested by hpe-restd was successful
34+
<190>1 2024-10-07T10:32:00.994423+00:00 TBD-TW-02 tpmd 1234 - - Event|13601|LOG_INFO|||TPM_Sign requested by abc-defgh was successful
3435
2024-07-31T15:40:13.958990-05:00 8360-Primaire lldpd[2864192]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 added on 1/1/15
3536
2024-01-03T04:46:00.827699-05:00 8360-Primaire lldpd[822946]: Event|104|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 added on mgmt
3637
2024-06-04T15:03:13.738207-05:00 8360-Primaire lldpd[2864192]: Event|105|LOG_INFO|AMM|1/1|LLDP neighbor ab:cd:ef:12:34:56 updated on 1/1/17
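Review bot: the single new sample in this hunk (line 34) exercises both new optional groups at once, the `<190>1` priority/version prefix and the `tpmd 1234 - -` procid form, so a regression in either one would still be caught only as a combined failure. Consider adding one line that carries a `<pri>` prefix without the trailing version digit and one that uses the old `appname[pid]:` form with a priority prefix, so that `OPTIONAL_PRIORITY` and `PROC_ID` are each shown to match independently.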
@@ -159,6 +160,7 @@
159160
2024-05-23T18:18:55.337381-05:00 8360-Primaire hpe-vsxd[791]: Event|7012|LOG_INFO|AMM|1/1|VSX 50 state local down, remote up
160161
2024-06-19T10:49:25.794800-05:00 8360-Primaire hpe-vsxd[791]: Event|7034|LOG_INFO|AMM|1/1|Netdev 12a345678901234 configured with ipv4 address 127.0.0.1
161162
2024-08-01T15:15:35.145388-05:00 8360-Primaire hpe-restd[1956]: Event|7708|LOG_INFO|AMM|1/1|Certificate devices-v2.arubanetworks.com verified and accepted
163+
<190>1 2024-10-07T10:35:19.998679+00:00 TBD-TW-02 abc-defgh 1234 - - Event|7708|LOG_INFO|||Certificate subdomain.arubanetworks.com verified and accepted
162164
2024-05-11T05:59:01.013908-05:00 8360-Primaire cdpd[715]: Event|8903|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is added on 1/1/46
163165
2024-05-11T05:59:56.149609-05:00 8360-Primaire cdpd[715]: Event|8904|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is updated on 1/1/46
164166
2024-05-11T05:04:25.672834-05:00 8360-Primaire cdpd[715]: Event|8905|LOG_INFO|AMM|1/1|CDP neighbor ab:cd:ef:12:34:56 is deleted on 1/1/46

packages/hpe_aruba_cx/data_stream/log/_dev/test/pipeline/test-aruba-cx.log-expected.json

Lines changed: 87 additions & 0 deletions
@@ -1578,6 +1578,49 @@
15781578
"preserve_original_event"
15791579
]
15801580
},
1581+
{
1582+
"@timestamp": "2024-10-07T10:32:00.994423+00:00",
1583+
"aruba": {
1584+
"event_type": "Event",
1585+
"hardware": {
1586+
"device": "TBD-TW-02"
1587+
},
1588+
"sequence": ""
1589+
},
1590+
"ecs": {
1591+
"version": "8.11.0"
1592+
},
1593+
"event": {
1594+
"category": [
1595+
"network",
1596+
"configuration"
1597+
],
1598+
"code": "13601",
1599+
"kind": [
1600+
"event"
1601+
],
1602+
"original": "<190>1 2024-10-07T10:32:00.994423+00:00 TBD-TW-02 tpmd 1234 - - Event|13601|LOG_INFO|||TPM_Sign requested by abc-defgh was successful",
1603+
"outcome": "success",
1604+
"type": [
1605+
"info"
1606+
]
1607+
},
1608+
"log": {
1609+
"level": "LOG_INFO",
1610+
"syslog": {
1611+
"appname": "tpmd",
1612+
"priority": 190,
1613+
"procid": "1234"
1614+
}
1615+
},
1616+
"message": "TPM_Sign requested by abc-defgh was successful",
1617+
"process": {
1618+
"name": "abc-defgh"
1619+
},
1620+
"tags": [
1621+
"preserve_original_event"
1622+
]
1623+
},
15811624
{
15821625
"@timestamp": "2024-07-31T15:40:13.958990-05:00",
15831626
"aruba": {
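Review bot: the new expected document carries `"sequence": ""` (line 1588) because the sample's header has empty component and sequence columns (`|||`) and `OPTIONAL_HEADER` captures `(?:%{DATA:aruba.sequence})?` as an empty string rather than leaving the field unset. The later `if: ctx.aruba?.sequence != null && ctx.aruba.sequence.contains("/")` guard tolerates this, but the empty string is still indexed; a `remove` processor conditioned on the empty value would keep the field absent instead. Also worth confirming that `process.name: "abc-defgh"` (line 1618) is intended here: it is taken from the message body, while `log.syslog.appname` for the same event is `tpmd`.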
@@ -7787,6 +7830,50 @@
77877830
"preserve_original_event"
77887831
]
77897832
},
7833+
{
7834+
"@timestamp": "2024-10-07T10:35:19.998679+00:00",
7835+
"aruba": {
7836+
"cm": {
7837+
"cert_name": "subdomain.arubanetworks.com"
7838+
},
7839+
"event_type": "Event",
7840+
"hardware": {
7841+
"device": "TBD-TW-02"
7842+
},
7843+
"sequence": ""
7844+
},
7845+
"ecs": {
7846+
"version": "8.11.0"
7847+
},
7848+
"event": {
7849+
"category": [
7850+
"network",
7851+
"configuration"
7852+
],
7853+
"code": "7708",
7854+
"kind": [
7855+
"event"
7856+
],
7857+
"original": "<190>1 2024-10-07T10:35:19.998679+00:00 TBD-TW-02 abc-defgh 1234 - - Event|7708|LOG_INFO|||Certificate subdomain.arubanetworks.com verified and accepted",
7858+
"outcome": "success",
7859+
"type": [
7860+
"info",
7861+
"access"
7862+
]
7863+
},
7864+
"log": {
7865+
"level": "LOG_INFO",
7866+
"syslog": {
7867+
"appname": "abc-defgh",
7868+
"priority": 190,
7869+
"procid": "1234"
7870+
}
7871+
},
7872+
"message": "Certificate subdomain.arubanetworks.com verified and accepted",
7873+
"tags": [
7874+
"preserve_original_event"
7875+
]
7876+
},
77907877
{
77917878
"@timestamp": "2024-05-11T05:59:01.013908-05:00",
77927879
"aruba": {
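Review bot: `log.syslog.priority: 190` (line 7868) is stored but not decoded. Using the formula the README row states, 190 = 8 * 23 + 6, i.e. facility local7 and severity informational, which agrees with the `LOG_INFO` in `log.level` for this event. ECS also defines `log.syslog.facility.code` and `log.syslog.severity.code`; a small `script` processor (`priority >> 3` and `priority & 7`) would populate them and give a cheap cross-check of `log.level` against what the switch actually sent.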

packages/hpe_aruba_cx/data_stream/log/elasticsearch/ingest_pipeline/default.yml

Lines changed: 3 additions & 1 deletion
@@ -36,8 +36,10 @@ processors:
3636
patterns:
3737
- "%{SYSLOG_HEADER}%{GREEDYDATA:message}"
3838
pattern_definitions:
39-
SYSLOG_HEADER: "%{TIMESTAMP_ISO8601:@timestamp}\\s+%{USER:aruba.hardware.device}\\s+%{DATA:log.syslog.appname}\\[%{POSINT:log.syslog.procid}\\]:\\s+%{WORD:aruba.event_type}\\|(?:%{OPTIONAL_HEADER})?"
39+
SYSLOG_HEADER: "%{OPTIONAL_PRIORITY}%{TIMESTAMP_ISO8601:@timestamp}\\s+%{USER:aruba.hardware.device}\\s+%{DATA:log.syslog.appname}%{PROC_ID}\\s+%{WORD:aruba.event_type}\\|(?:%{OPTIONAL_HEADER})?"
40+
PROC_ID: "(\\[%{POSINT:log.syslog.procid}\\]:|\\s+%{POSINT:log.syslog.procid}\\s+- -)"
4041
OPTIONAL_HEADER: "%{POSINT:event.code}\\|%{USER:log.level}\\|(?:%{USER:aruba.component.category})?\\|(?:%{DATA:aruba.sequence})?\\|"
42+
OPTIONAL_PRIORITY: "(?:<%{NONNEGINT:log.syslog.priority:long}>(?:%{NONNEGINT})?\\s+)?"
4143
- grok:
4244
field: aruba.sequence
4345
if: ctx.aruba?.sequence != null && ctx.aruba.sequence.contains("/")
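Review bot: `PROC_ID` (line 40) hard-codes the RFC 5424 tail as `\\s+- -`, i.e. literal NILVALUEs for MSGID and STRUCTURED-DATA; a switch that fills either field will miss the whole `SYSLOG_HEADER` and the event will fall through with only `message` populated. Consider matching MSGID with `%{NOTSPACE}` and accepting either `-` or a bracketed SD-ELEMENT instead of the two literal dashes. In `OPTIONAL_PRIORITY` (line 42) the `(?:%{NONNEGINT})?` right after `>` is the RFC 5424 VERSION field (the `1` in the samples), not a count, so a comment on the definition would save the next reader the same confusion; `NONNEGINT` also accepts values above 191, so if the priority is later decoded into facility and severity it should be range-checked. Lastly, `PROC_ID` wraps its alternation in a plain capturing group while the neighbouring definitions use `(?:...)`; making it non-capturing keeps the definitions consistent.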

packages/hpe_aruba_cx/data_stream/log/fields/ecs.yml

Lines changed: 2 additions & 0 deletions
@@ -68,6 +68,8 @@
6868
name: log.origin.file.name
6969
- external: ecs
7070
name: log.syslog.appname
71+
- external: ecs
72+
name: log.syslog.priority
7173
- external: ecs
7274
name: log.syslog.procid
7375
- external: ecs

packages/hpe_aruba_cx/docs/README.md

Lines changed: 1 addition & 0 deletions
@@ -2456,6 +2456,7 @@ The `log` dataset collects the HPE Aruba CX logs.
24562456
| log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword |
24572457
| log.source.address | Source address from which the log event was read / sent from. | keyword |
24582458
| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword |
2459+
| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
24592460
| log.syslog.procid | The process name or ID that originated the Syslog message, if available. | keyword |
24602461
| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
24612462
| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |

packages/hpe_aruba_cx/manifest.yml

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
format_version: 3.2.1
22
name: hpe_aruba_cx
33
title: "HPE Aruba CX"
4-
version: 0.2.0
4+
version: 0.3.0
55
description: "Collect logs from HPE Aruba CX with Elastic Agent"
66
type: integration
77
categories:
