[Journalbeat] Improve parsing of syslog.pid in journalbeat to strip t…

…he username when present (elastic#16116) * Improve parsing of syslog.pid in journalbeat to strip the username in pid when present. * Add entry to changelog with pull ID. * Improve the comment on the username strip.
blakerouse · Feb 10, 2020 · 6a7dbd6 · 6a7dbd6
1 parent 86434d6
commit 6a7dbd6
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -24,6 +24,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Journalbeat*
 
+- Improve parsing of syslog.pid in journalbeat to strip the username when present {pull}16116[16116]
+
 
 *Metricbeat*
 

diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go
@@ -288,8 +288,16 @@ func (r *Reader) convertNamedField(fc fieldConversion, value string) interface{}
 	if fc.isInteger {
 		v, err := strconv.ParseInt(value, 10, 64)
 		if err != nil {
-			r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
-			return value
+			// On some versions of systemd the 'syslog.pid' can contain the username
+			// appended to the end of the pid. In most cases this does not occur
+			// but in the cases that it does, this tries to strip ',\w*' from the
+			// value and then perform the conversion.
+			s := strings.Split(value, ",")
+			v, err = strconv.ParseInt(s[0], 10, 64)
+			if err != nil {
+				r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
+				return value
+			}
 		}
 		return v
 	}

diff --git a/journalbeat/reader/journal_test.go b/journalbeat/reader/journal_test.go
@@ -57,6 +57,45 @@ func TestToEvent(t *testing.T) {
 				},
 			},
 		},
+		// 'syslog.pid' field without user append
+		ToEventTestCase{
+			entry: sdjournal.JournalEntry{
+				Fields: map[string]string{
+					sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456",
+				},
+			},
+			expectedFields: common.MapStr{
+				"syslog": common.MapStr{
+					"pid": int64(123456),
+				},
+			},
+		},
+		// 'syslog.pid' field with user append
+		ToEventTestCase{
+			entry: sdjournal.JournalEntry{
+				Fields: map[string]string{
+					sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456,root",
+				},
+			},
+			expectedFields: common.MapStr{
+				"syslog": common.MapStr{
+					"pid": int64(123456),
+				},
+			},
+		},
+		// 'syslog.pid' field empty
+		ToEventTestCase{
+			entry: sdjournal.JournalEntry{
+				Fields: map[string]string{
+					sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "",
+				},
+			},
+			expectedFields: common.MapStr{
+				"syslog": common.MapStr{
+					"pid": "",
+				},
+			},
+		},
 		// custom field
 		ToEventTestCase{
 			entry: sdjournal.JournalEntry{