From aa69325753ddfe02284ae8b00aaa9aced7302cae Mon Sep 17 00:00:00 2001 From: fgierlinger <2966031+fgierlinger@users.noreply.github.com> Date: Fri, 6 Oct 2023 20:27:24 +0200 Subject: [PATCH 1/3] docs: update description of log.syslog.severity.name and log.syslog.severity.code --- schemas/log.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/schemas/log.yml b/schemas/log.yml index 2d90ef0a96..5e609829f3 100644 --- a/schemas/log.yml +++ b/schemas/log.yml @@ -109,7 +109,8 @@ The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity - value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. + value than defined in RFC 5424 (0-7), your source's numeric severity should + go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. @@ -122,7 +123,9 @@ The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity - value (e.g. firewall, IDS), your source's text severity should go to `log.level`. + value than defined in RFC 5424 (Emergency, Alert, Critical, Error, + Warning, Notice, Informational, Debug), your source's text severity + should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. From 917351036224e76d13b210964a91fdaa881c33f0 Mon Sep 17 00:00:00 2001 
From: fgierlinger <2966031+fgierlinger@users.noreply.github.com> Date: Fri, 6 Oct 2023 20:28:19 +0200 Subject: [PATCH 2/3] add artifacts --- docs/fields/field-details.asciidoc | 4 ++-- experimental/generated/beats/fields.ecs.yml | 9 +++++---- experimental/generated/ecs/ecs_flat.yml | 11 ++++++----- experimental/generated/ecs/ecs_nested.yml | 9 +++++---- generated/beats/fields.ecs.yml | 9 +++++---- generated/ecs/ecs_flat.yml | 11 ++++++----- generated/ecs/ecs_nested.yml | 9 +++++---- 7 files changed, 34 insertions(+), 28 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index b71ae31f60..14e0af05b1 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -5894,7 +5894,7 @@ example: `12345` a| The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +If the event source publishing via Syslog provides a different numeric severity value than defined in RFC 5424 (0-7), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. type: long 
@@ -5912,7 +5912,7 @@ example: `3` a| The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. +If the event source publishing via Syslog provides a different severity value than defined in RFC 5424 (Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 27ee873efa..568916ae4f 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -3957,9 +3957,9 @@ description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity - value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. - If the event source does not specify a distinct severity, you can optionally - copy the Syslog severity to `event.severity`.' + value than defined in RFC 5424 (0-7), your source''s numeric severity should + go to `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' example: 3 - name: syslog.severity.name level: extended 
@@ -3968,7 +3968,8 @@ description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value - (e.g. firewall, IDS), your source''s text severity should go to `log.level`. + than defined in RFC 5424 (Emergency, Alert, Critical, Error, Warning, Notice, + Informational, Debug), your source''s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.' example: Error diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 9b74b8e01a..6e5533358a 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -6490,9 +6490,9 @@ log.syslog.severity.code: description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity - value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. - If the event source does not specify a distinct severity, you can optionally copy - the Syslog severity to `event.severity`.' + value than defined in RFC 5424 (0-7), your source''s numeric severity should go + to `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' example: 3 flat_name: log.syslog.severity.code level: extended 
@@ -6505,8 +6505,9 @@ log.syslog.severity.name: description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value - (e.g. firewall, IDS), your source''s text severity should go to `log.level`. If - the event source does not specify a distinct severity, you can optionally copy + than defined in RFC 5424 (Emergency, Alert, Critical, Error, Warning, Notice, + Informational, Debug), your source''s text severity should go to `log.level`. + If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.' example: Error flat_name: log.syslog.severity.name diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0eee0300d9..56404c15ab 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -7978,9 +7978,9 @@ log: description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity - value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. - If the event source does not specify a distinct severity, you can optionally - copy the Syslog severity to `event.severity`.' + value than defined in RFC 5424 (0-7), your source''s numeric severity should + go to `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' example: 3 flat_name: log.syslog.severity.code level: extended 
@@ -7993,7 +7993,8 @@ log: description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value - (e.g. firewall, IDS), your source''s text severity should go to `log.level`. + than defined in RFC 5424 (Emergency, Alert, Critical, Error, Warning, Notice, + Informational, Debug), your source''s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.' example: Error diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 0c45bd930d..a12c87189a 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3907,9 +3907,9 @@ description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity - value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. - If the event source does not specify a distinct severity, you can optionally - copy the Syslog severity to `event.severity`.' + value than defined in RFC 5424 (0-7), your source''s numeric severity should + go to `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' example: 3 - name: syslog.severity.name level: extended @@ -3918,7 +3918,8 @@ description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value - (e.g. firewall, IDS), your source''s text severity should go to `log.level`. + than defined in RFC 5424 (Emergency, Alert, Critical, Error, Warning, Notice, + Informational, Debug), your source''s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.' example: Error 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e5f035baa7..8c7d65af81 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -6421,9 +6421,9 @@ log.syslog.severity.code: description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity - value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. - If the event source does not specify a distinct severity, you can optionally copy - the Syslog severity to `event.severity`.' + value than defined in RFC 5424 (0-7), your source''s numeric severity should go + to `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' example: 3 flat_name: log.syslog.severity.code level: extended @@ -6436,8 +6436,9 @@ log.syslog.severity.name: description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value - (e.g. firewall, IDS), your source''s text severity should go to `log.level`. If - the event source does not specify a distinct severity, you can optionally copy + than defined in RFC 5424 (Emergency, Alert, Critical, Error, Warning, Notice, + Informational, Debug), your source''s text severity should go to `log.level`. + If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.' example: Error flat_name: log.syslog.severity.name diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 048948d37f..b83c56c21d 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -7898,9 +7898,9 @@ log: description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity - value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`. - If the event source does not specify a distinct severity, you can optionally - copy the Syslog severity to `event.severity`.' + value than defined in RFC 5424 (0-7), your source''s numeric severity should + go to `event.severity`. If the event source does not specify a distinct severity, + you can optionally copy the Syslog severity to `event.severity`.' example: 3 flat_name: log.syslog.severity.code level: extended @@ -7913,7 +7913,8 @@ log: description: 'The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value - (e.g. firewall, IDS), your source''s text severity should go to `log.level`. + than defined in RFC 5424 (Emergency, Alert, Critical, Error, Warning, Notice, + Informational, Debug), your source''s text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.' example: Error From 0b176b3a4cd8f1a1f3870c62cf55bfa9e8f5afae Mon Sep 17 00:00:00 2001 From: fgierlinger <2966031+fgierlinger@users.noreply.github.com> Date: Fri, 6 Oct 2023 21:38:27 +0200 Subject: [PATCH 3/3] docs: update CHANGELOG --- CHANGELOG.next.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 029229ee84..51be3944b3 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -18,6 +18,8 @@ Thanks, you're awesome :-) --> #### Improvements +Update description of `log.syslog.severity.name` and `log.syslog.severity.code` to list allowed values. #2291 + #### Deprecated ### Tooling and Artifact Changes
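Review bot: in PATCH 1/3 the `log.syslog.severity.name` hunk (`@@ -122,7 +123,9 @@` in `schemas/log.yml`) rewords the second sentence but keeps the first sentence, visible as the hunk context "The Syslog numeric severity of the log event, if available.", even though this field carries the text name (type `keyword`, example `Error`, per the `field-details.asciidoc` hunk at `@@ -5912`). Since the description is being reworked anyway, change the opening to "The Syslog text-based severity of the log event, if available." in the same pass and regenerate the artifacts so the generated files pick it up.

Review bot: the new wording "a different numeric severity value than defined in RFC 5424 (0-7)" in the `@@ -109,7 +109,8 @@` hunk narrows the guidance to values outside 0-7; a source with its own severity scale that also uses small integers (the firewall/IDS case the removed text named) now reads as if it belongs in `log.syslog.severity.code`. Consider "a severity scheme other than the one defined in RFC 5424 (0-7)" or keep the examples next to the RFC reference, and apply the same change to the `severity.name` hunk below it, whose list (Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug) does match RFC 5424.

Review bot: PATCH 2/3 touches only build outputs (`docs/fields/field-details.asciidoc`, the three files under `experimental/generated/` and the three under `generated/`); these should come from running the generator against the updated `schemas/log.yml` rather than hand edits, so that the re-flowed wrapping (for example `go to` / `to` splitting differently between `ecs_nested.yml` and `ecs_flat.yml`) is exactly what CI will reproduce. Stating in the commit message that the artifacts were regenerated would let reviewers confirm that.

Review bot: in PATCH 3/3 the line added under `#### Improvements` in `CHANGELOG.next.md` is a bare sentence with no list marker and a trailing issue number (`#2291`); check that it follows the entry format used by the other entries in that file (list item and reference style) before merging.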