While implementing T257861, it was discovered that the `host.name` field was not being populated because tcpircbot does not gather that information. This issue has been [[ https://gerrit.wikimedia.org/r/c/operations/puppet/+/713323/2/modules/profile/files/logstash/filters/15-filter_openstack_migration.conf#5 | worked around elsewhere for other producers ]].
The `syslog_cee` template injects `timestamp`, `logsource`, `host`, `program`, `severity`, and `facility` fields as string values.
For ECS-formatted logs:
# The `host` field is an object.
# `timestamp` often collides with the software-generated timestamp.
# `logsource`, `severity`, and `facility` are not ECS fields.
These conflicts have existed since we enabled `@cee` logs in rsyslog and became problematic with the adoption of ECS.
One possible solution is to namespace the rsyslog fields in the template. To preserve dashboards, this would require us to move the fields into the right place in logstash.
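The collisions listed above and the namespacing approach, modelled in Python as an added example (not code from the Puppet repository). The `rsyslog` namespace key, the ECS destination fields in `MOVES`, and all sample values are assumptions.

```python
import copy

NAMESPACE = "rsyslog"  # hypothetical namespace key, not from the task
MOVES = {  # assumed ECS destinations for the namespaced fields
    "logsource": ("host", "name"),
    "severity": ("log", "syslog", "severity", "name"),
    "facility": ("log", "syslog", "facility", "name"),
}
# Constructed sample: what the syslog_cee template injects (all strings).
INJECTED = {"timestamp": "2021-08-18T10:00:00+00:00", "logsource": "host1001",
            "host": "host1001", "program": "tcpircbot",
            "severity": "info", "facility": "daemon"}
# Constructed sample: an ECS event as emitted by a producer.
ECS_EVENT = {"@timestamp": "2021-08-18T09:59:59.123Z",
             "timestamp": "2021-08-18T09:59:59", "message": "example",
             "host": {"ip": "192.0.2.5"}}

def collisions(event, injected):
    """Top-level keys where an injected field clashes with the event."""
    found = {}
    for key, value in injected.items():
        if key in event and type(event[key]) is not type(value):
            found[key] = "type"   # e.g. host: object vs string
        elif key in event and event[key] != value:
            found[key] = "value"  # e.g. two different timestamps
    return found

def namespaced(event, injected):
    """Template side: keep rsyslog's fields under one key."""
    doc = copy.deepcopy(event)
    doc[NAMESPACE] = dict(injected)
    return doc

def relocate(doc):
    """Pipeline side: move namespaced fields into ECS, never overwriting."""
    doc = copy.deepcopy(doc)
    extra = doc.get(NAMESPACE, {})
    for src, path in MOVES.items():
        if src not in extra:
            continue
        node = doc
        for part in path[:-1]:
            node = node.setdefault(part, {})
        if path[-1] not in node:  # producer-supplied value wins
            node[path[-1]] = extra.pop(src)
    return doc

if __name__ == "__main__":
    print(collisions(ECS_EVENT, INJECTED))
    print(relocate(namespaced(ECS_EVENT, INJECTED)))
```

Fields without a mapping (`timestamp`, `host`, `program` here) stay under the namespace key, so the producer's own `timestamp` and `host` object are left untouched.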
Questions to answer:
# What fields are [[ https://github.com/logstash-plugins/logstash-input-file/issues/128 | auto-added by the input plugin ]]? The answer may well be "none" in [[ https://github.com/logstash-plugins/logstash-integration-kafka/issues/17#issuecomment-891709220 | Kafka ]].
# Any other fields added by rsyslog?