app/vlinsert/syslog: add an ability to override the default list of _msg fields for syslog ingestion protocol#1369
app/vlinsert/syslog: add an ability to override the default list of _msg fields for syslog ingestion protocol#1369vadimalekseev wants to merge 1 commit intomasterfrom
_msg fields for syslog ingestion protocol#1369Conversation
| var timeFields = []string{"timestamp"} | ||
| var msgFields = []string{"message"} | ||
|
|
||
| var defaultMsgFields = []string{"message", "cef.name"} |
There was a problem hiding this comment.
As I understand it, cef.extension.msg is an optional field with a more detailed description of the log entry, while cef.name is the event name and it's present in every CEF-formatted log entry.
There was a problem hiding this comment.
while cef.name is the event name and it's present in every CEF-formatted log entry.
I think we shouldn't invent our own rule, using CEF name as the default message field seems unexpected(?). AFAIK Elasticsearch, Logstash, NXLog, etc map CEF msg to message.
There was a problem hiding this comment.
So, which field do you suggest using as the default?
As I mentioned above, cef.extension.msg is an optional field with details, while cef.name is the same thing as cef.extension.msg, but without the details and it is present in every log:
nameis a string representing a human-readable and understandable description of the event.
msg- An arbitrary message giving more details about the event
So, if we pick the cef.extension.msg field as the default, users will probably have to change that flag, but we want to avoid this to simplify usage of VictoriaLogs.
I think relying on cef.name is a more universal solution for typical scenarios. If the user wants to change the _msg field, we provide the new flag for that.
There was a problem hiding this comment.
Yeah... I understand. My point is that using cef.name (kind of title) as the default is not a universal convention in other systems, so it may be unexpected.
So, which field do you suggest using as the default?
Probably message,cef.extension.msg (since they are "message").
Also a user may see some logs with a cef.name field if message there and some logs without it since cef.name become _msg. If they explicitly configure name, then they understand their own logs better.
About adding the flag, I have no strong concerns. Either adding it now or waiting until users ask for it is fine, since message field is already one of the most customizable fields across the project
There was a problem hiding this comment.
My point is that using cef.name (kind of title) as the default is not a universal convention in other systems, so it may be unexpected.
I see your point and agree. Just found that ELK-stack has common-schema convention: https://www.elastic.co/elasticsearch/common-schema
tldr: they rename similar fields to a universal format, like: src.ip, src_ip, source_ip -> source.ip. Or CEF's msg -> message. I think this is not the same as our _msg, since Elasticsearch does not have the concept of a _msg field the way it works in VictoriaLogs
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
vadimalekseev
force-pushed
the
syslog-msg-field
branch
from
eb90d75 to
4422d15
Compare
…_msg` fields for syslog ingestion protocol Updates #1362
vadimalekseev
force-pushed
the
syslog-msg-field
branch
from
4422d15 to
93a0aeb
Compare
2 participants
It might have been better not to add a new flag and to keep only
cef.nameandmessageas default_msgfields,But since the syslog format has structured fields that can include more detailed messages, like
cef.extension.msg, I think adding a flag to control that behavior would be a better idea. Plus, it lines up with how you can override the_msgfield list in other input methods.Updates #1362