elastic · faec · Apr 19, 2021 · Apr 13, 2021 · Apr 13, 2021 · Apr 13, 2021
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -119,6 +119,7 @@ https://github.com/elastic/beats/compare/v7.11.2...v7.12.0[View commits]
 - Upgrade okta to ECS 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929]
 - Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118]
 - Add fileset to ingest PostgreSQL CSV logs. {pull}23334[23334]
+- Add beta support for RFC 5424 to the Syslog input. {pull}23954[23954]
 
 *Heartbeat*
 

diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl
@@ -467,20 +467,22 @@ filebeat.inputs:
   #ssl.client_authentication: "required"
 
 #------------------------------ Syslog input --------------------------------
-# Experimental: Config options for the Syslog input
 # Accept RFC3164 formatted syslog event via UDP.
 #- type: syslog
   #enabled: false
+  #format: rfc3164
   #protocol.udp:
     # The host and port to receive the new event
     #host: "localhost:9000"
 
     # Maximum size of the message received over UDP
     #max_message_size: 10KiB
 
-# Accept RFC3164 formatted syslog event via TCP.
+# Accept RFC5424 formatted syslog event via TCP.
+# RFC5424 support is in beta.
 #- type: syslog
   #enabled: false
+  #format: rfc5424
 
   #protocol.tcp:
     # The host and port to receive the new event

diff --git a/filebeat/docs/inputs/input-syslog.asciidoc b/filebeat/docs/inputs/input-syslog.asciidoc
@@ -7,15 +7,15 @@
 <titleabbrev>Syslog</titleabbrev>
 ++++
 
-Use the `syslog` input to read events over TCP, UDP, or a Unix stream socket, this input will parse BSD (rfc3164)
-event and some variant.
+The `syslog` input reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket. RFC 5424 support is currently in beta.
 
 Example configurations:
 
 ["source","yaml",subs="attributes"]
 ----
 {beatname_lc}.inputs:
 - type: syslog
+  format: rfc3164
   protocol.udp:
     host: "localhost:9000"
 ----
@@ -24,6 +24,7 @@ Example configurations:
 ----
 {beatname_lc}.inputs:
 - type: syslog
+  format: rfc5424
   protocol.tcp:
     host: "localhost:9000"
 ----
@@ -32,15 +33,20 @@ Example configurations:
 ----
 {beatname_lc}.inputs:
 - type: syslog
+  format: auto
   protocol.unix:
     path: "/path/to/syslog.sock"
 ----
 
 ==== Configuration options
 
-The `syslog` input supports protocol specific configuration options plus the
+The `syslog` input configuration includes format, protocol specific options, and the
 <<{beatname_lc}-input-{type}-common-options>> described later.
 
+===== `format`
+
+The syslog variant to use, `rfc3164` or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `rfc3164`. The `rfc5424` and `auto` options are currently in beta.
+
 ===== Protocol `udp`:
 
 include::../inputs/input-common-udp-options.asciidoc[]

diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml
@@ -874,20 +874,22 @@ filebeat.inputs:
   #ssl.client_authentication: "required"
 
 #------------------------------ Syslog input --------------------------------
-# Experimental: Config options for the Syslog input
 # Accept RFC3164 formatted syslog event via UDP.
 #- type: syslog
   #enabled: false
+  #format: rfc3164
   #protocol.udp:
     # The host and port to receive the new event
     #host: "localhost:9000"
 
     # Maximum size of the message received over UDP
     #max_message_size: 10KiB
 
-# Accept RFC3164 formatted syslog event via TCP.
+# Accept RFC5424 formatted syslog event via TCP.
+# RFC5424 support is in beta.
 #- type: syslog
   #enabled: false
+  #format: rfc5424
 
   #protocol.tcp:
     # The host and port to receive the new event

diff --git a/filebeat/input/syslog/input.go b/filebeat/input/syslog/input.go
@@ -111,8 +111,6 @@ func NewInput(
 	outlet channel.Connector,
 	context input.Context,
 ) (input.Input, error) {
-	cfgwarn.Experimental("Syslog input type is used")
-
 	log := logp.NewLogger("syslog")
 
 	out, err := outlet.Connect(cfg)
@@ -125,6 +123,10 @@ func NewInput(
 		return nil, err
 	}
 
+	if config.Format != syslogFormatRFC3164 {
+		cfgwarn.Beta("Syslog RFC 5424 format is enabled")
+	}
+
 	forwarder := harvester.NewForwarder(out)
 	cb := GetCbByConfig(config, forwarder, log)
 	server, err := factory(cb, config.Protocol)

diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -2725,20 +2725,22 @@ filebeat.inputs:
   #ssl.client_authentication: "required"
 
 #------------------------------ Syslog input --------------------------------
-# Experimental: Config options for the Syslog input
 # Accept RFC3164 formatted syslog event via UDP.
 #- type: syslog
   #enabled: false
+  #format: rfc3164
   #protocol.udp:
     # The host and port to receive the new event
     #host: "localhost:9000"
 
     # Maximum size of the message received over UDP
     #max_message_size: 10KiB
 
-# Accept RFC3164 formatted syslog event via TCP.
+# Accept RFC5424 formatted syslog event via TCP.
+# RFC5424 support is in beta.
 #- type: syslog
   #enabled: false
+  #format: rfc5424
 
   #protocol.tcp:
     # The host and port to receive the new event