Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.18](backport #42403) Update Journald fields to better match ECS #42563

Open
wants to merge 2 commits into
base: 8.18
Choose a base branch
from
Open

[8.18](backport #42403) Update Journald fields to better match ECS #42563

wants to merge 2 commits into from
+113 −65

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Jan 31, 2025

Proposed commit message

The fields produced by the Journald input are updated to better match ECS. Renamed fields:
Dropped fields: syslog.priority and syslog.facility while keeping their duplicated equivalent:
log.syslog.priority,log.syslog.facility.code. Renamed fields: syslog.identifier -> log.syslog.appname,
syslog.pid -> log.syslog.procid. container.id_truncated is dropped because the full container ID is
already present as container.id and container.log.tag is dropped because it is already present as
log.syslog.appname. The field container.partial is replaced by the tag partial_message if it was true,
otherwise no tag is added.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Because the fields produced by the Journald input are updated to better match ECS, once the user updates Filebeat/Elastic-Agent, the events generated will be slightly different.

Author's Checklist

  • Check if the updated fields are used by the Elastic-Agent system integration

How to test this PR locally

Run Filebeat with the journald input:

filebeat.inputs:
- type: journald
  id: my-journald-id

Verify the changes:

Renamed fields:

  • log.syslog.priority
  • log.syslog.facility.code
  • log.syslog.appname
  • log.syslog.procid

Removed fields:

  • container.id_truncated
  • container.log.tag

Instead of container.partial, now we set the tag partial_message

To validate that the tag partial_message is correctly added, extract filebeat/input/journald/testdata/ndjson-parser.journal.gz and ingest it with the input. There is a single event on this journal file and it contains CONTAINER_PARTIAL_MESSAGE=true.

Related issues

## Use cases
## Screenshots
## Logs

This is an automatic backport of pull request #42403 done by [Mergify](https://mergify.com).

@belimawr @mergify
Update Journald fields to better match ECS (#42403)
886aaea 
The fields produced by the Journald input are updated to better match ECS. Renamed fields:
Dropped fields: `syslog.priority` and `syslog.facility` while keeping their duplicated equivalent:
`log.syslog.priority`,`log.syslog.facility.code`. Renamed fields: `syslog.identifier` -> `log.syslog.appname`,
`syslog.pid` -> `log.syslog.procid`. `container.id_truncated` is dropped because the full container ID is
already present as `container.id` and `container.log.tag` is dropped because it is already present as
`log.syslog.appname`. The field `container.partial` is replaced by the tag `partial_message` if it was `true`,
otherwise no tag is added.

(cherry picked from commit f7f4a1f)
@mergify mergify bot added the backport label Jan 31, 2025
@mergify mergify bot requested a review from a team as a code owner January 31, 2025 21:21
@mergify mergify bot requested review from AndersonQ and VihasMakwana and removed request for a team January 31, 2025 21:21
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 31, 2025
@github-actions github-actions bot added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Jan 31, 2025
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 31, 2025
@mergify Mergify
Copy link
Contributor Author

mergify bot commented Feb 3, 2025

This pull request has not been merged yet. Could you please review and merge it @belimawr? 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@belimawr belimawr belimawr approved these changes

@AndersonQ AndersonQ Awaiting requested review from AndersonQ AndersonQ is a code owner automatically assigned from elastic/elastic-agent-data-plane

@VihasMakwana VihasMakwana Awaiting requested review from VihasMakwana VihasMakwana is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@belimawr belimawr

Labels
backport Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@elasticmachine @belimawr