Page MenuHomePhabricator
Create Task
Maniphest T315500

Eliminate field collisions between syslog_cee and ECS-formatted logs
Open, Needs TriagePublic
Actions

Description

While implementing T257861, it was discovered that the host.name field was not being populated because tcpircbot does not gather that information. This issue has been worked around elsewhere for other producers.

The syslog_cee template injects timestamp, logsource, host, program, severity, and facility fields as string values.

For ECS-formatted logs:

  1. the host field is an object.
  2. timestamp often collides with the software-generated timestamp.
  3. logsource, severity, facility are not ECS fields.

These conflicts have existed since we enabled @cee logs in rsyslog and became problematic at the adoption of ECS.

One possible solution is to namespace the rsyslog fields in the template. To preserve dashboards, this would require us to move the fields into the right place in logstash.

Questions to answer:

  1. What fields are auto-added by the input plugin? The answer may well be "none" in kafka.
  2. Any other fields added by rsyslog?

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+26 -0logstash: use rsyslog-namespaced fields
operations/puppetproduction+10 -0rsyslog: add rsyslog-namespaced fields to syslog_cee
operations/puppetproduction+227 -27logstash: add support for rsyslog-namespaced fields
Customize query in gerrit

Related Objects

Event Timeline

colewhite created this task.Aug 17 2022, 11:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2022, 11:19 PM
colewhite updated the task description. (Show Details)Aug 17 2022, 11:24 PM
gerritbot added a comment.Aug 17 2022, 11:50 PM

Change 824314 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] logstash: add support for rsyslog-namespaced fields

https://gerrit.wikimedia.org/r/824314

gerritbot added a project: Patch-For-Review.Aug 17 2022, 11:50 PM

Change 824315 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] rsyslog: add rsyslog-namespaced fields to syslog_cee

https://gerrit.wikimedia.org/r/824315

gerritbot added a comment.Aug 17 2022, 11:50 PM

Change 824316 had a related patch set uploaded (by Cwhite; author: Cwhite):

[operations/puppet@production] logstash: use rsyslog-namespaced fields

https://gerrit.wikimedia.org/r/824316

gerritbot added a comment.Sep 12 2022, 7:24 PM

Change 824314 merged by Cwhite:

[operations/puppet@production] logstash: add support for rsyslog-namespaced fields

https://gerrit.wikimedia.org/r/824314

gerritbot added a comment.Sep 12 2022, 8:42 PM

Change 824315 merged by Cwhite:

[operations/puppet@production] rsyslog: add rsyslog-namespaced fields to syslog_cee

https://gerrit.wikimedia.org/r/824315

gerritbot added a comment.Sep 14 2022, 9:11 PM

Change 824316 merged by Cwhite:

[operations/puppet@production] logstash: use rsyslog-namespaced fields

https://gerrit.wikimedia.org/r/824316

Maintenance_bot removed a project: Patch-For-Review.Sep 14 2022, 9:30 PM
colewhite moved this task from Inbox to Prioritized on the Observability-Logging board.Sep 21 2022, 10:54 AM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL