Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding support for Octet counting in TCP input #23663

Closed
P1llus opened this issue Jan 25, 2021 · 2 comments · Fixed by #23724
Closed

Adding support for Octet counting in TCP input #23663

P1llus opened this issue Jan 25, 2021 · 2 comments · Fixed by #23724
Assignees
@leehinman
Labels
enhancement Filebeat Filebeat triage_needed

Comments

@P1llus
Copy link
Member

P1llus commented Jan 25, 2021

When ingesting syslog data with TCP it would be good for the input to also support Octet Counting, ref: https://tools.ietf.org/html/rfc6587

When syslog data is received using Octet Counting the event starts with the length of the message, allowing syslog to send multiple messages that are not separated by newlines.

This issue is to track adding support for splitting syslog messages that uses this feature.
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@martine-stratdat
Copy link

Octet counting has been part of remote syslog standards for a while. There are now services that wont support new lines because of the issues they cause so I think this is important.

@leehinman leehinman self-assigned this Jan 27, 2021
@leehinman leehinman mentioned this issue Jan 29, 2021
Merged
5 tasks
leehinman added a commit to leehinman/beats that referenced this issue Jan 29, 2021
@leehinman
[Filebeat] add RFC6587 framing support
1f52de4 
- Adds new config option "framing"
- supported options are "delimiter" & rfc6587
- delimiter is current option of newline or custom character(s)
  delimiter
- rfc6587 adds support for octet counting and non-transparent framing
  as described in RFC6587
- rfc6587 supports changing of framing on a frame by frame basis
- Default is "delimiter"

Closes elastic#23663
leehinman added a commit that referenced this issue Feb 1, 2021
@leehinman
[Filebeat] add RFC6587 framing support (#23724)
5cb370e 
- Adds new config option "framing"
- supported options are "delimiter" & rfc6587
- delimiter is current option of newline or custom character(s)
  delimiter
- rfc6587 adds support for octet counting and non-transparent framing
  as described in RFC6587
- rfc6587 supports changing of framing on a frame by frame basis
- Default is "delimiter"

Closes #23663
@leehinman leehinman mentioned this issue Feb 1, 2021
Merged
5 tasks
leehinman added a commit to leehinman/beats that referenced this issue Feb 1, 2021
@leehinman
[Filebeat] add RFC6587 framing support (elastic#23724)
5fb33c9 
- Adds new config option "framing"
- supported options are "delimiter" & rfc6587
- delimiter is current option of newline or custom character(s)
  delimiter
- rfc6587 adds support for octet counting and non-transparent framing
  as described in RFC6587
- rfc6587 supports changing of framing on a frame by frame basis
- Default is "delimiter"

Closes elastic#23663

(cherry picked from commit 5cb370e)
leehinman added a commit that referenced this issue Feb 1, 2021
@leehinman
[Filebeat] add RFC6587 framing support (#23724) (#23784)
dbd431c 
- Adds new config option "framing"
- supported options are "delimiter" & rfc6587
- delimiter is current option of newline or custom character(s)
  delimiter
- rfc6587 adds support for octet counting and non-transparent framing
  as described in RFC6587
- rfc6587 supports changing of framing on a frame by frame basis
- Default is "delimiter"

Closes #23663

(cherry picked from commit 5cb370e)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@leehinman leehinman

Labels
enhancement Filebeat Filebeat triage_needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Filebeat] add RFC6587 framing support leehinman/beats
4 participants
@P1llus @elasticmachine @martine-stratdat @leehinman