
Logstash doesn't parse ulogd source and destination ports
Closed, Resolved · Public

Description

I started to make a dashboard for the hosts' firewall logs (ulogd), but noticed that the source and destination ports are not being parsed, while all the others are.

I'm wondering if it's a bug or an incomplete parser configuration.

https://logstash.wikimedia.org/app/kibana#/dashboard/AW5v7YTUarkxubcmAwPB

Details

Related Gerrit Patches:
[operations/puppet@production] logstash: parse DPT and SPT from ulogd events

Event Timeline

ayounsi triaged this task as Lowest priority. Nov 15 2019, 4:57 PM
ayounsi created this task.
Restricted Application added a subscriber: Aklapper. Nov 15 2019, 4:57 PM

Change 551270 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] logstash: parse DPT and SPT from ulogd events

https://gerrit.wikimedia.org/r/551270

https://gerrit.wikimedia.org/r/551270 should do the trick for source/dest ports. I don't recall why these weren't parsed out in the first place. While we're at it, would any of the other parts of the ulogd/iptables events be useful as fields?

Not that I can think of for now. Thanks!

Change 551270 merged by Herron:
[operations/puppet@production] logstash: parse DPT and SPT from ulogd events

https://gerrit.wikimedia.org/r/551270

fgiunchedi closed this task as Resolved. Nov 25 2019, 1:47 PM
fgiunchedi claimed this task.

Looks like this is all done, resolving