From 60364b05113c1a19f839d16e0f5bd5663a0724f6 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Mon, 11 May 2026 13:22:40 -0500 Subject: [PATCH 1/9] add unix input custom integration --- packages/unix/_dev/build/build.yml | 3 + packages/unix/_dev/build/docs/README.md | 150 +++++++++++++++++ .../_dev/deploy/docker/docker-compose.yml | 20 +++ .../deploy/docker/sample_logs/test-unix.log | 1 + .../_dev/test/system/test-syslog-config.yml | 7 + .../_dev/test/system/test-unix-config.yml | 6 + packages/unix/agent/input/unix.yml.hbs | 84 ++++++++++ packages/unix/changelog.yml | 5 + packages/unix/docs/README.md | 150 +++++++++++++++++ .../unix/docs/knowledge_base/service_info.md | 97 +++++++++++ packages/unix/fields/base-fields.yml | 19 +++ packages/unix/fields/beats.yml | 6 + packages/unix/fields/ecs.yml | 33 ++++ packages/unix/img/icon.svg | 4 + packages/unix/kibana/tags.yml | 4 + packages/unix/manifest.yml | 158 ++++++++++++++++++ packages/unix/validation.yml | 3 + 17 files changed, 750 insertions(+) create mode 100644 packages/unix/_dev/build/build.yml create mode 100644 packages/unix/_dev/build/docs/README.md create mode 100644 packages/unix/_dev/deploy/docker/docker-compose.yml create mode 100644 packages/unix/_dev/deploy/docker/sample_logs/test-unix.log create mode 100644 packages/unix/_dev/test/system/test-syslog-config.yml create mode 100644 packages/unix/_dev/test/system/test-unix-config.yml create mode 100644 packages/unix/agent/input/unix.yml.hbs create mode 100644 packages/unix/changelog.yml create mode 100644 packages/unix/docs/README.md create mode 100644 packages/unix/docs/knowledge_base/service_info.md create mode 100644 packages/unix/fields/base-fields.yml create mode 100644 packages/unix/fields/beats.yml create mode 100644 packages/unix/fields/ecs.yml create mode 100644 packages/unix/img/icon.svg create mode 100644 packages/unix/kibana/tags.yml create mode 100644 packages/unix/manifest.yml create mode 100644 packages/unix/validation.yml 
diff --git a/packages/unix/_dev/build/build.yml b/packages/unix/_dev/build/build.yml
new file mode 100644
index 00000000000..d8553567e9c
--- /dev/null
+++ b/packages/unix/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: "git@v8.17.0"
diff --git a/packages/unix/_dev/build/docs/README.md b/packages/unix/_dev/build/docs/README.md
new file mode 100644
index 00000000000..66e14d25d7a
--- /dev/null
+++ b/packages/unix/_dev/build/docs/README.md
@@ -0,0 +1,150 @@ +# Custom Unix Logs Integration for Elastic + +> **Note**: This integration is currently in beta and subject to change. + +## Overview + +The Custom Unix Logs integration for Elastic enables you to collect data through a stream-oriented Unix domain socket. It's a flexible solution for ingesting logs from local processes and applications into the Elastic Stack. By using this integration, you can centralize your log data, making it easier to monitor, search, and analyze your environment's activity. + +### Compatibility + +The Custom Unix Logs integration is compatible with any process or application capable of writing to a Unix domain socket on the same host as the Elastic Agent. + +This integration supports the following standards: +- Syslog standards: Supports devices compliant with `RFC 3164` (BSD syslog) and `RFC 5424` (The Syslog Protocol). +- Framing standards: Supports `RFC 6587` for octet-counted framing, which is commonly used in high-reliability log transmission. + +### How it works + +This integration collects data by having an Elastic Agent listen on a Unix domain socket at a specified path. The agent creates the socket file and waits for local processes to connect and send data. When a process writes data to the socket, the Elastic Agent receives and processes it. + +Once received, the data is processed according to your configuration—whether it's raw text, syslog formatted, or uses specific framing. The Elastic Agent then forwards the logs to your Elastic deployment, where you can analyze them using Kibana. + +## What data does this integration collect? + +The Custom Unix Logs integration collects log messages of the following types: +- Raw streams: Any text-based data sent over the Unix domain socket, typically separated by newline characters or other delimiters. +- Syslog messages: Structured messages following RFC 3164 or RFC 5424, which include metadata such as facility, severity, and timestamps. 
+ +This integration includes the following data stream: +- `unix.generic`: This is the default data stream. It captures the raw message payload in the `message` field. If you enable Syslog parsing, additional ECS fields are populated from the syslog header. + +### Supported use cases + +- Local application logging: Applications on the same host can write log events directly to the Unix socket, eliminating the need for network connectivity. +- System daemon log collection: Collect logs from system daemons that support Unix socket output. +- Syslog ingestion: Collect syslog-formatted messages from local processes using `logger` or other syslog-compatible tools. +- Secure local log aggregation: Since Unix domain sockets are filesystem objects, standard Unix file permissions (`group`, `mode`) can be used to control which processes can send data. + +## What do I need to use this integration? + +### Elastic prerequisites + +- Elastic Agent: A running Elastic Agent that's enrolled in a Fleet policy. +- The Elastic Agent must have write permission to the directory where the socket will be created. + +### Source prerequisites + +- The sending process must run on the same host as the Elastic Agent. +- The sending process must have permission to write to the Unix socket (controlled via the `group` and `mode` options). + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). You can install only one Elastic Agent per host. + +### Set up steps in Kibana + +You'll follow these steps to add and configure the integration in Kibana: + +1. Navigate to **Management > Integrations** in Kibana. +2. Search for **Custom Unix Logs** and select it. +3. Click **Add Custom Unix Logs**. +4. 
Configure the integration settings: + - **Socket Path**: The filesystem path where the Unix domain socket will be created (e.g. `/tmp/elastic-agent.sock`). + - **Socket Type**: The socket variety: `stream` or `datagram`. The default is `stream`. + - **Dataset Name**: The name of the dataset where logs will be written. The default is `unix.generic`. + - **Framing**: Specify how the Agent identifies the end of a log message. Options include `delimiter` (default) or `rfc6587`. + - **Line Delimiter**: The character used to split incoming data into separate log events. The default is `\n`. + - **Max Message Size**: The maximum allowed size for a single log message. The default is `20MiB`. + - **Syslog Parsing**: Enable this boolean if the incoming data is in standard Syslog format (RFC3164/5424). +5. Optionally configure advanced options: + - **Socket Group**: The group ownership for the created Unix socket. + - **Socket Mode**: File permissions for the socket as an octal string (e.g. `0660`). + - **Max Connections**: Maximum number of simultaneous connections. + - **Timeout**: Duration of inactivity before a connection is closed. +6. (Optional) Provide a **Custom Ingest Pipeline** name if you've already defined processing logic in Elasticsearch. +7. Click **Save and Continue** to deploy the configuration to your Agents. + +### Configure the sending application + +Once the Elastic Agent is running with this integration, configure your application to send data to the socket path you configured: + +For rsyslog: +``` +*.* unix-stream:/tmp/elastic-agent.sock +``` + +Using the `logger` command: +```bash +logger -u /tmp/elastic-agent.sock "This is a test message" +``` + +Using `socat`: +```bash +echo "Test log message" | socat - UNIX-CONNECT:/tmp/elastic-agent.sock +``` + +Using `nc` (if it supports Unix sockets): +```bash +echo "Test log message" | nc -U /tmp/elastic-agent.sock +``` + +### Validation + +After configuration, verify that data is flowing correctly: + +1. 
Send a test message to the socket: + ```bash + echo "Integration Validation Test Message $(date)" | socat - UNIX-CONNECT:/tmp/elastic-agent.sock + ``` + +2. Check for the data in Kibana: + 1. Navigate to **Analytics > Discover**. + 2. Select the `logs-*` data view. + 3. Enter this KQL filter: `data_stream.dataset : "unix.generic"` + 4. Verify that logs appear in the results and confirm these fields are populated: + - `event.dataset` (should be `unix.generic`) + - `message` (containing the test message) + - `input.type` (should indicate `unix`) + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +### Common configuration issues + +- Socket creation failure: + - Verify that the Elastic Agent has write permission to the directory containing the socket path. + - Ensure no file already exists at the configured socket path. +- Permission denied when connecting: + - If client processes cannot connect to the socket, adjust the `group` and `mode` options to allow the appropriate users or groups access. +- Dataset naming restriction: + - If data isn't appearing, check your integration configuration for hyphens in the `Dataset Name`. Hyphens aren't supported in this field and will cause ingestion issues. +- Parsing failures: + - If data appears in Kibana but doesn't parse correctly, check the `error.message` field. This often happens if you've enabled `Syslog Parsing` but the incoming logs don't strictly adhere to RFC 3164 or RFC 5424. + +## Performance and scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference- +architectures) documentation. 
+
+## Reference
+
+### Vendor documentation links
+
+- [Filebeat Unix Input](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-unix)
+- [RFC 3164: The BSD Syslog Protocol](https://datatracker.ietf.org/doc/html/rfc3164)
+- [RFC 5424: The Syslog Protocol](https://datatracker.ietf.org/doc/html/rfc5424)
+- [RFC 6587: Transmission of Syslog Messages over TCP](https://datatracker.ietf.org/doc/html/rfc6587)
diff --git a/packages/unix/_dev/deploy/docker/docker-compose.yml b/packages/unix/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..7c46703166f
--- /dev/null
+++ b/packages/unix/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,20 @@
+version: '2.3'
+services:
+ test-unix:
+ image: alpine:latest
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ - ${SERVICE_LOGS_DIR}:/tmp
+ command:
+ - sh
+ - -c
+ - apk add --quiet socat && echo "Added socat" && until [ -S /tmp/test.sock ]; do sleep 1 && echo "Sleeping"; done; socat - UNIX-CONNECT:/tmp/test.sock < /sample_logs/test-unix.log && echo "socat done"
+ test-syslog:
+ image: alpine:latest
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ - ${SERVICE_LOGS_DIR}:/tmp
+ command:
+ - sh
+ - -c
+ - apk add --quiet socat && echo "Added socat" && until [ -S /tmp/test-syslog.sock ]; do sleep 1 && echo "Sleeping"; done; socat - UNIX-CONNECT:/tmp/test-syslog.sock < /sample_logs/test-unix.log && echo "socat done"
diff --git a/packages/unix/_dev/deploy/docker/sample_logs/test-unix.log b/packages/unix/_dev/deploy/docker/sample_logs/test-unix.log
new file mode 100644
index 00000000000..167c9626419
--- /dev/null
+++ b/packages/unix/_dev/deploy/docker/sample_logs/test-unix.log
@@ -0,0 +1 @@
+<134>1 2020-03-29T13:19:20Z testhostname testproductname 1930 - - some longer testmessage. - a {2:2}.
diff --git a/packages/unix/_dev/test/system/test-syslog-config.yml b/packages/unix/_dev/test/system/test-syslog-config.yml
new file mode 100644
index 00000000000..13cd4234e82
--- /dev/null
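Review bot: The `until [ -S /tmp/test.sock ]` loop in the test-unix `command` (and the matching loop on `/tmp/test-syslog.sock` in test-syslog) has no upper bound, so if the agent never creates the socket the fixture container spins forever and the system test hangs instead of failing. A counter that gives up after a fixed number of iterations, followed by `[ -S /tmp/test.sock ] || exit 1` before the `socat` call, would turn that into a visible failure. `image: alpine:latest` together with `apk add --quiet socat` at run time also makes the fixture depend on whatever Alpine and socat versions are current when the test runs; pinning the image to a specific tag or digest (`image: alpine:<pinned-tag>`) keeps the test reproducible and independent of the registry state.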
+++ b/packages/unix/_dev/test/system/test-syslog-config.yml
@@ -0,0 +1,7 @@
+service: test-syslog
+service_notify_signal: SIGHUP
+input: unix
+vars:
+ data_stream.dataset: unix.generic
+ path: "{{{SERVICE_LOGS_DIR}}}/test-syslog.sock"
+ syslog: true
diff --git a/packages/unix/_dev/test/system/test-unix-config.yml b/packages/unix/_dev/test/system/test-unix-config.yml
new file mode 100644
index 00000000000..93e675099d5
--- /dev/null
+++ b/packages/unix/_dev/test/system/test-unix-config.yml
@@ -0,0 +1,6 @@
+service: test-unix
+service_notify_signal: SIGHUP
+input: unix
+vars:
+ data_stream.dataset: unix.generic
+ path: "{{{SERVICE_LOGS_DIR}}}/test.sock"
diff --git a/packages/unix/agent/input/unix.yml.hbs b/packages/unix/agent/input/unix.yml.hbs
new file mode 100644
index 00000000000..507d92b63ad
--- /dev/null
+++ b/packages/unix/agent/input/unix.yml.hbs
@@ -0,0 +1,84 @@
+{{#if use_logs_stream}}
+index: logs.ecs
+{{else}}
+data_stream:
+ dataset: {{data_stream.dataset}}
+{{/if}}
+path: {{path}}
+{{#if socket_type}}
+socket_type: {{socket_type}}
+{{/if}}
+{{#if pipeline}}
+pipeline: {{pipeline}}
+{{/if}}
+{{#if max_message_size}}
+max_message_size: {{max_message_size}}
+{{/if}}
+{{#if framing}}
+framing: {{framing}}
+{{/if}}
+{{#if line_delimiter}}
+line_delimiter: {{line_delimiter}}
+{{/if}}
+{{#if max_connections}}
+max_connections: {{max_connections}}
+{{/if}}
+{{#if timeout}}
+timeout: {{timeout}}
+{{/if}}
+{{#if group}}
+group: {{group}}
+{{/if}}
+{{#if mode}}
+mode: {{mode}}
+{{/if}}
+{{#if keep_null}}
+keep_null: {{keep_null}}
+{{/if}}
+{{#if tags}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{else if preserve_original_event}}
+tags:
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{#if preserve_original_event}}
+- copy_fields:
+ fields:
+ - from: message
+ to: event.original
+{{/if}}
+{{#if syslog}}
+- syslog:
+ {{syslog_options}}
+{{/if}}
+{{processors}}
+{{else if syslog}}
+processors:
+{{#if preserve_original_event}}
+- copy_fields:
+ fields:
+ - from: message
+ to: event.original
+{{/if}}
+- syslog:
+ {{syslog_options}}
+{{else if preserve_original_event}}
+processors:
+- copy_fields:
+ fields:
+ - from: message
+ to: event.original
+{{/if}}
+
+{{custom}}
diff --git a/packages/unix/changelog.yml b/packages/unix/changelog.yml
new file mode 100644
index 00000000000..5cfedc71542
--- /dev/null
+++ b/packages/unix/changelog.yml
@@ -0,0 +1,5 @@
+- version: "1.0.0"
+ changes:
+ - description: Initial Release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9999
diff --git a/packages/unix/docs/README.md b/packages/unix/docs/README.md
new file mode 100644
index 00000000000..66e14d25d7a
--- /dev/null
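Review bot: `mode: {{mode}}` and `path: {{path}}` render user-supplied values as plain, unquoted YAML scalars, so the octal string the manifest documents for Socket Mode (e.g. 0660) may be read as an integer by a YAML 1.1-style loader, and a path containing `#`, `: ` or a leading special character breaks the rendered config; `mode: "{{mode}}"` and `path: "{{path}}"` keep them strings, assuming the Fleet template engine does not already quote text variables. The same applies to `group: {{group}}`, and `line_delimiter: {{line_delimiter}}` deserves a check that the agent receives the intended escape for the documented `\n` default. When `mode` and `group` are left empty the template emits nothing, so the socket is created with whatever the system default permission is (as the manifest says); the `path` description could point users at `mode`/`group` so a socket placed in a shared directory is not writable by every local process. `{{processors}}` and `{{custom}}` are spliced in verbatim, which is the intended extension point for policy authors. The whole template is contained in this hunk.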
+++ b/packages/unix/docs/README.md 
@@ -0,0 +1,150 @@ +# Custom Unix Logs Integration for Elastic + +> **Note**: This integration is currently in beta and subject to change. + +## Overview + +The Custom Unix Logs integration for Elastic enables you to collect data through a stream-oriented Unix domain socket. It's a flexible solution for ingesting logs from local processes and applications into the Elastic Stack. By using this integration, you can centralize your log data, making it easier to monitor, search, and analyze your environment's activity. + +### Compatibility + +The Custom Unix Logs integration is compatible with any process or application capable of writing to a Unix domain socket on the same host as the Elastic Agent. + +This integration supports the following standards: +- Syslog standards: Supports devices compliant with `RFC 3164` (BSD syslog) and `RFC 5424` (The Syslog Protocol). +- Framing standards: Supports `RFC 6587` for octet-counted framing, which is commonly used in high-reliability log transmission. + +### How it works + +This integration collects data by having an Elastic Agent listen on a Unix domain socket at a specified path. The agent creates the socket file and waits for local processes to connect and send data. When a process writes data to the socket, the Elastic Agent receives and processes it. + +Once received, the data is processed according to your configuration—whether it's raw text, syslog formatted, or uses specific framing. The Elastic Agent then forwards the logs to your Elastic deployment, where you can analyze them using Kibana. + +## What data does this integration collect? + +The Custom Unix Logs integration collects log messages of the following types: +- Raw streams: Any text-based data sent over the Unix domain socket, typically separated by newline characters or other delimiters. +- Syslog messages: Structured messages following RFC 3164 or RFC 5424, which include metadata such as facility, severity, and timestamps. 
+ +This integration includes the following data stream: +- `unix.generic`: This is the default data stream. It captures the raw message payload in the `message` field. If you enable Syslog parsing, additional ECS fields are populated from the syslog header. + +### Supported use cases + +- Local application logging: Applications on the same host can write log events directly to the Unix socket, eliminating the need for network connectivity. +- System daemon log collection: Collect logs from system daemons that support Unix socket output. +- Syslog ingestion: Collect syslog-formatted messages from local processes using `logger` or other syslog-compatible tools. +- Secure local log aggregation: Since Unix domain sockets are filesystem objects, standard Unix file permissions (`group`, `mode`) can be used to control which processes can send data. + +## What do I need to use this integration? + +### Elastic prerequisites + +- Elastic Agent: A running Elastic Agent that's enrolled in a Fleet policy. +- The Elastic Agent must have write permission to the directory where the socket will be created. + +### Source prerequisites + +- The sending process must run on the same host as the Elastic Agent. +- The sending process must have permission to write to the Unix socket (controlled via the `group` and `mode` options). + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). You can install only one Elastic Agent per host. + +### Set up steps in Kibana + +You'll follow these steps to add and configure the integration in Kibana: + +1. Navigate to **Management > Integrations** in Kibana. +2. Search for **Custom Unix Logs** and select it. +3. Click **Add Custom Unix Logs**. +4. 
Configure the integration settings: + - **Socket Path**: The filesystem path where the Unix domain socket will be created (e.g. `/tmp/elastic-agent.sock`). + - **Socket Type**: The socket variety: `stream` or `datagram`. The default is `stream`. + - **Dataset Name**: The name of the dataset where logs will be written. The default is `unix.generic`. + - **Framing**: Specify how the Agent identifies the end of a log message. Options include `delimiter` (default) or `rfc6587`. + - **Line Delimiter**: The character used to split incoming data into separate log events. The default is `\n`. + - **Max Message Size**: The maximum allowed size for a single log message. The default is `20MiB`. + - **Syslog Parsing**: Enable this boolean if the incoming data is in standard Syslog format (RFC3164/5424). +5. Optionally configure advanced options: + - **Socket Group**: The group ownership for the created Unix socket. + - **Socket Mode**: File permissions for the socket as an octal string (e.g. `0660`). + - **Max Connections**: Maximum number of simultaneous connections. + - **Timeout**: Duration of inactivity before a connection is closed. +6. (Optional) Provide a **Custom Ingest Pipeline** name if you've already defined processing logic in Elasticsearch. +7. Click **Save and Continue** to deploy the configuration to your Agents. + +### Configure the sending application + +Once the Elastic Agent is running with this integration, configure your application to send data to the socket path you configured: + +For rsyslog: +``` +*.* unix-stream:/tmp/elastic-agent.sock +``` + +Using the `logger` command: +```bash +logger -u /tmp/elastic-agent.sock "This is a test message" +``` + +Using `socat`: +```bash +echo "Test log message" | socat - UNIX-CONNECT:/tmp/elastic-agent.sock +``` + +Using `nc` (if it supports Unix sockets): +```bash +echo "Test log message" | nc -U /tmp/elastic-agent.sock +``` + +### Validation + +After configuration, verify that data is flowing correctly: + +1. 
Send a test message to the socket: + ```bash + echo "Integration Validation Test Message $(date)" | socat - UNIX-CONNECT:/tmp/elastic-agent.sock + ``` + +2. Check for the data in Kibana: + 1. Navigate to **Analytics > Discover**. + 2. Select the `logs-*` data view. + 3. Enter this KQL filter: `data_stream.dataset : "unix.generic"` + 4. Verify that logs appear in the results and confirm these fields are populated: + - `event.dataset` (should be `unix.generic`) + - `message` (containing the test message) + - `input.type` (should indicate `unix`) + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +### Common configuration issues + +- Socket creation failure: + - Verify that the Elastic Agent has write permission to the directory containing the socket path. + - Ensure no file already exists at the configured socket path. +- Permission denied when connecting: + - If client processes cannot connect to the socket, adjust the `group` and `mode` options to allow the appropriate users or groups access. +- Dataset naming restriction: + - If data isn't appearing, check your integration configuration for hyphens in the `Dataset Name`. Hyphens aren't supported in this field and will cause ingestion issues. +- Parsing failures: + - If data appears in Kibana but doesn't parse correctly, check the `error.message` field. This often happens if you've enabled `Syslog Parsing` but the incoming logs don't strictly adhere to RFC 3164 or RFC 5424. + +## Performance and scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference- +architectures) documentation. 
+ +## Reference + +### Vendor documentation links + +- [Filebeat Unix Input](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-unix) +- [RFC 3164: The BSD Syslog Protocol](https://datatracker.ietf.org/doc/html/rfc3164) +- [RFC 5424: The Syslog Protocol](https://datatracker.ietf.org/doc/html/rfc5424) +- [RFC 6587: Transmission of Syslog Messages over TCP](https://datatracker.ietf.org/doc/html/rfc6587) diff --git a/packages/unix/docs/knowledge_base/service_info.md b/packages/unix/docs/knowledge_base/service_info.md new file mode 100644 index 00000000000..174a2adf436 --- /dev/null +++ b/packages/unix/docs/knowledge_base/service_info.md 
@@ -0,0 +1,97 @@ +# Service Info + +The Custom Unix Logs integration allows the Elastic Agent to listen on a Unix domain socket, capturing raw log data or structured syslog messages from local processes on the same host. This integration is well-suited for applications and system daemons that support Unix socket output, providing a secure, low-overhead mechanism for local log collection without requiring network connectivity. + +## Common use cases + +- **Local Application Logging:** Applications on the same host can write log events directly to the Unix socket using standard POSIX socket APIs, eliminating network overhead. +- **System Daemon Log Collection:** Collect logs from system daemons (e.g., syslogd, journald, or custom daemons) that support Unix socket output. +- **Syslog Ingestion:** Collect syslog-formatted messages from local processes using `logger`, rsyslog's `unix-stream` action, or other syslog-compatible tools. +- **Secure Local Log Aggregation:** Since Unix domain sockets are filesystem objects, standard Unix file permissions (`group`, `mode`) restrict which processes can connect, providing access control without a network firewall. + +## Data types collected + +This integration can collect the following types of data: +- **Raw Streams:** Any text-based data sent over the Unix domain socket, typically separated by newline characters or other delimiters. +- **Syslog Messages:** Structured messages following RFC 3164 or RFC 5424, which include metadata such as facility, severity, and timestamps. + +The following data stream is available: +- **unix.generic (logs):** This is the default data stream. It captures the raw message payload in the `message` field. If Syslog parsing is enabled, additional ECS fields are populated from the syslog header. + +## Compatibility + +The **Custom Unix Logs** integration is compatible with any process or application running on the same host as the Elastic Agent that is capable of writing to a Unix domain socket. 
+- **Syslog Standards:** Supports processes using **RFC 3164** (BSD syslog) and **RFC 5424** (The Syslog Protocol). +- **Framing Standards:** Supports **RFC 6587** for octet-counted framing. +- **Socket Types:** Supports both `stream` and `datagram` Unix socket varieties. + +# Set Up Instructions + +## Elastic prerequisites + +- **Elastic Agent:** A running Elastic Agent enrolled in a Fleet policy. +- **Filesystem Access:** The Elastic Agent must have write permission to the directory where the socket will be created. + +## Source prerequisites + +- The sending process must run on the same host as the Elastic Agent. +- The sending process must have permission to write to the Unix socket (controlled via the `group` and `mode` options). + +## Kibana set up steps + +### Custom Unix Logs +1. Navigate to **Management > Integrations** in Kibana. +2. Search for **Custom Unix Logs** and select it. +3. Click **Add Custom Unix Logs**. +4. Configure the following fields: + - **Socket Path**: The filesystem path where the Unix domain socket will be created. Default: `/tmp/elastic-agent.sock`. + - **Socket Type**: The socket variety: `stream` (default) or `datagram`. + - **Dataset Name**: The name of the dataset to which logs will be written. Default: `unix.generic`. + - **Framing**: Specify how the Agent identifies the end of a log message. Options include `delimiter` (default) or `rfc6587`. + - **Line Delimiter**: The character used to split incoming data into separate log events. Default: `\n`. + - **Max Message Size**: The maximum allowed size for a single log message. Default: `20MiB`. + - **Syslog Parsing**: Enable this boolean if the incoming data is in standard Syslog format (RFC3164/5424). +5. (Optional) Configure advanced options: + - **Socket Group**: Group ownership for the created Unix socket. + - **Socket Mode**: File permissions as an octal string (e.g. `0660`). + - **Max Connections**: Maximum number of simultaneous connections. 
+ - **Timeout**: Duration of inactivity before a connection is closed. +6. (Optional) Provide a **Custom Ingest Pipeline** name if you have pre-defined processing logic in Elasticsearch. +7. Click **Save and Continue** to deploy the configuration to your Agents. + +# Validation Steps + +After configuration is complete, follow these steps to verify data is flowing correctly. + +### 1. Send a Test Event: +- Using `socat`: + `echo "Integration Validation Test Message $(date)" | socat - UNIX-CONNECT:/tmp/elastic-agent.sock` +- Using `logger` (for syslog-formatted data): + `logger -u /tmp/elastic-agent.sock "This is a test syslog message"` + +### 2. Check Data in Kibana: +1. Navigate to **Analytics > Discover**. +2. Select the `logs-*` data view. +3. Enter the following KQL filter: `data_stream.dataset : "unix.generic"` +4. Verify logs appear in the results. Expand a log entry and confirm these fields are populated: + - `event.dataset` (should be `unix.generic`) + - `log.syslog.priority` (if syslog parsing is enabled) + - `message` (containing the test message) + - `input.type` (should indicate `unix`) + +# Troubleshooting + +## Common Configuration Issues + +- **Socket Creation Failure**: Verify that the Elastic Agent has write permission to the directory containing the socket path. Ensure no regular file already exists at the configured path. +- **Permission Denied When Connecting**: If client processes cannot connect to the socket, adjust the `group` and `mode` options to allow the appropriate users or groups access. +- **Dataset Naming Restriction**: If data is not appearing, check the integration configuration for hyphens in the **Dataset Name**. Hyphens are not supported in this field and will cause ingestion issues. + +## Ingestion Errors + +- **Parsing Failures**: If data appears in Kibana but is not parsed correctly, check the `error.message` field. 
This often happens if **Syslog Parsing** is enabled but the incoming logs do not strictly adhere to RFC 3164 or RFC 5424.
+- **Framing Issues**: If multiple log lines appear as a single event or if events are cut off, verify that the **Framing** method matches the sender configuration.
+- **Message Truncation**: If logs are incomplete, check if they exceed the **Max Message Size**. Increase this value if your application sends large payloads.
+
+# Documentation sites
+- [Filebeat Unix Input](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-unix)
diff --git a/packages/unix/fields/base-fields.yml b/packages/unix/fields/base-fields.yml
new file mode 100644
index 00000000000..1a1374ba735
--- /dev/null
+++ b/packages/unix/fields/base-fields.yml
@@ -0,0 +1,19 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: unix
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/unix/fields/beats.yml b/packages/unix/fields/beats.yml
new file mode 100644
index 00000000000..ede69588554
--- /dev/null
+++ b/packages/unix/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: tags
+ type: keyword
+ description: User defined tags
diff --git a/packages/unix/fields/ecs.yml b/packages/unix/fields/ecs.yml
new file mode 100644
index 00000000000..3eed6ab1f26
--- /dev/null
+++ b/packages/unix/fields/ecs.yml
@@ -0,0 +1,33 @@
+- name: ecs.version
+ external: ecs
+- name: log.level
+ external: ecs
+- name: log.source.address
+ type: keyword
+ description: The path to the Unix domain socket the event was received on.
+- name: event.original
+ external: ecs
+- name: message
+ external: ecs
+- name: log.syslog.appname
+ external: ecs
+- name: log.syslog.facility.code
+ external: ecs
+- name: log.syslog.facility.name
+ external: ecs
+- name: log.syslog.hostname
+ external: ecs
+- name: log.syslog.msgid
+ external: ecs
+- name: log.syslog.priority
+ external: ecs
+- name: log.syslog.procid
+ external: ecs
+- name: log.syslog.severity.code
+ external: ecs
+- name: log.syslog.severity.name
+ external: ecs
+- name: log.syslog.structured_data
+ external: ecs
+- name: log.syslog.version
+ external: ecs
diff --git a/packages/unix/img/icon.svg b/packages/unix/img/icon.svg
new file mode 100644
index 00000000000..630353ca503
--- /dev/null
+++ b/packages/unix/img/icon.svg
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/packages/unix/kibana/tags.yml b/packages/unix/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/unix/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/unix/manifest.yml b/packages/unix/manifest.yml
new file mode 100644
index 00000000000..c9773839196
--- /dev/null
+++ b/packages/unix/manifest.yml
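Review bot: `log.source.address` is declared locally with `type: keyword` and a hand-written description while every other entry in ecs.yml uses `external: ecs`; it is an ECS field, so `external: ecs` would keep its type and description in step with the ECS reference pinned in build.yml (`git@v8.17.0`) instead of drifting from it. If the socket-path wording in the description is deliberate, the external definition would replace it, so keep the local entry only if that wording is wanted and say so in a comment above the field.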
@@ -0,0 +1,158 @@
+format_version: "3.3.2"
+name: unix
+title: Custom Unix Logs
+description: Collect data from a Unix domain socket with Elastic Agent.
+type: input
+version: "1.0.0"
+conditions:
+ kibana:
+ version: "^9.4.0"
+categories:
+ - custom
+ - custom_logs
+policy_templates:
+ - name: unix
+ type: logs
+ title: Custom Unix Logs
+ description: Collect data from a Unix domain socket with Elastic Agent.
+ input: unix
+ template_path: unix.yml.hbs
+ vars:
+ - name: path
+ type: text
+ title: Socket Path
+ description: |
+ Path to the Unix domain socket file that will receive events.
+ required: true
+ show_user: true
+ - name: socket_type
+ type: text
+ title: Socket Type
+ description: |
+ The socket type: stream or datagram. The default is stream.
+ required: false
+ show_user: true
+ default: stream
+ - name: use_logs_stream
+ type: bool
+ title: Use the "logs" data stream
+ description: |
+ Enabling this will send all the ingested data to the "logs.ecs" data stream. This feature requires Elasticsearch 9.4.0 or later and is disabled by default. If enabled the Dataset name option is ignored. "Write to logs streams" option must be enabled in the output settings for this to work.
+ required: false
+ show_user: true
+ default: false
+ - name: data_stream.dataset
+ type: text
+ title: Dataset name
+ description: |
+ Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
+ default: unix.generic
+ required: true
+ show_user: true
+ - name: pipeline
+ type: text
+ title: Ingest Pipeline
+ description: |
+ The Ingest Node pipeline ID to be used by the integration.
+ required: false
+ show_user: true
+ - name: max_message_size
+ type: text
+ title: Max Message Size
+ description: The maximum size of the message received over the socket.
The default is 20MiB.
+ required: false
+ show_user: false
+ - name: framing
+ type: text
+ title: Framing
+ description: Specify the framing used to split incoming events. Can be one of delimiter or rfc6587. The default is delimiter.
+ required: false
+ show_user: false
+ - name: line_delimiter
+ type: text
+ title: Line Delimiter
+ description: Specify the characters used to split the incoming events. The default is \n.
+ required: false
+ show_user: false
+ - name: max_connections
+ type: text
+ title: Max Connections
+ description: The at most number of connections to accept at any given point in time.
+ required: false
+ show_user: false
+ - name: timeout
+ type: text
+ title: Timeout
+ description: The duration of inactivity before a remote connection is closed. The default is 300s. Valid time units are ns, us, ms, s, m, h.
+ required: false
+ show_user: false
+ - name: group
+ type: text
+ title: Socket Group
+ description: Sets the group ownership for the created Unix socket. If not set, uses the primary group of the running user. Ignored on Windows.
+ required: false
+ show_user: false
+ - name: mode
+ type: text
+ title: Socket Mode
+ description: Sets the file permissions for the socket as an octal string (e.g. 0660). If not set, the system default is used.
+ required: false
+ show_user: false
+ - name: keep_null
+ type: bool
+ title: Keep Null Values
+ description: If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: |
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event
+ required: false
+ multi: true
+ show_user: true
+ - name: syslog
+ type: bool
+ title: Syslog Parsing
+ description: Enable the syslog parser to automatically parse RFC3164 and RFC5424 syslog formatted data. The syslog parser can be configured under Advanced Options.
+ required: false
+ show_user: true
+ - name: syslog_options
+ type: yaml
+ title: Syslog Configuration
+ description: i.e. field, format, time zone, etc. See [Syslog](https://www.elastic.co/guide/en/beats/filebeat/current/syslog.html) for details.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ field: message
+ #format: auto
+ #timezone: Local
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: custom
+ title: Custom configurations
+ description: >
+ Here YAML configuration options can be used to be added to your configuration. Be careful using this as it might break your configuration file.
+ type: yaml
+ default: ""
+icons:
+ - src: "/img/icon.svg"
+ type: "image/svg+xml"
+owner:
+ github: elastic/integration-experience
+ type: elastic
diff --git a/packages/unix/validation.yml b/packages/unix/validation.yml
new file mode 100644
index 00000000000..406e69f42b9
--- /dev/null
+++ b/packages/unix/validation.yml
@@ -0,0 +1,3 @@
+docs_structure_enforced:
+ enabled: true
+ version: 1
From d434559aae4a7e71436168649a6b7959bb4eadee Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Mon, 11 May 2026 14:13:10 -0500
Subject: [PATCH 2/9] add CODEOWNERS
---
 .github/CODEOWNERS | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index ba6fae00663..68d81560b57 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
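Review bot: The `mode` and `group` variables leave the socket's permissions to the system default and are hidden under advanced options (`show_user: false`), so an operator who only fills in Socket Path gets a socket whose set of permitted writers the integration never constrains; any local process that can open the socket can inject events, and with Syslog Parsing enabled the parsed `log.syslog.*` fields are presumably taken from that payload, so the form should say so and point at the hardening knobs. I would extend the `mode` description to `Sets the file permissions for the socket as an octal string (e.g. 0660). If not set, the system default is used, which may allow any local user to write to the socket; combine Socket Group with a mode such as 0660 so only the producing application can send events.` and make sure unix.yml.hbs (not in this hunk) renders the value as a quoted string so a leading zero is not reinterpreted. The `path` description could likewise state that the agent needs write permission to the parent directory, which the README covers but the Kibana form does not.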
@@ -557,6 +557,7 @@
 /packages/universal_profiling_agent @elastic/ingest-otel-data
 /packages/universal_profiling_collector @elastic/obs-ds-intake-services
 /packages/universal_profiling_symbolizer @elastic/obs-ds-intake-services
+/packages/unix @elastic/elastic-agent-data-plane
 /packages/varonis @elastic/security-service-integrations
 /packages/vectra_detect @elastic/security-service-integrations
 /packages/vectra_rux @elastic/security-service-integrations
From ec5f8735c425c4cc63f2202f3d27fca628b8b5d6 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Mon, 11 May 2026 14:14:03 -0500
Subject: [PATCH 3/9] Fix PR in changelog
---
 packages/unix/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/unix/changelog.yml b/packages/unix/changelog.yml
index 5cfedc71542..8df69e57652 100644
--- a/packages/unix/changelog.yml
+++ b/packages/unix/changelog.yml
@@ -2,4 +2,4 @@
 changes:
 - description: Initial Release
 type: enhancement
- link: https://github.com/elastic/integrations/pull/9999
+ link: https://github.com/elastic/integrations/pull/18944
From 83f91dd92a1dd22aff228b028283eb8ce173c591 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Mon, 11 May 2026 14:53:33 -0500
Subject: [PATCH 4/9] fix owner in manifest
---
 packages/unix/manifest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/unix/manifest.yml b/packages/unix/manifest.yml
index c9773839196..abc5521bfd0 100644
--- a/packages/unix/manifest.yml
+++ b/packages/unix/manifest.yml
@@ -154,5 +154,5 @@ icons:
 - src: "/img/icon.svg"
 type: "image/svg+xml"
 owner:
- github: elastic/integration-experience
+ github: elastic/elastic-agent-data-plane
 type: elastic
From 3624ce8b99f29c1e86ed4844670954f2fe65ab03 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Mon, 11 May 2026 16:02:28 -0500
Subject: [PATCH 5/9] trap the SIGHUP
---
 packages/unix/_dev/deploy/docker/docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/unix/_dev/deploy/docker/docker-compose.yml b/packages/unix/_dev/deploy/docker/docker-compose.yml index 7c46703166f..fd09724687f 100644 --- a/packages/unix/_dev/deploy/docker/docker-compose.yml +++ b/packages/unix/_dev/deploy/docker/docker-compose.yml @@ -8,7 +8,7 @@ services: command: - sh - -c - - apk add --quiet socat && echo "Added socat" && until [ -S /tmp/test.sock ]; do sleep 1 && echo "Sleeping"; done; socat - UNIX-CONNECT:/tmp/test.sock < /sample_logs/test-unix.log && echo "socat done" + - apk add --quiet socat && echo "Added socat" && trap 'socat - UNIX-CONNECT:/tmp/test.sock < /sample_logs/test-unix.log; echo "socat done"; exit 0' HUP && echo "Waiting for SIGHUP" && while true; do sleep 1 & wait $!; done test-syslog: image: alpine:latest volumes: @@ -17,4 +17,4 @@ services: command: - sh - -c - - apk add --quiet socat && echo "Added socat" && until [ -S /tmp/test-syslog.sock ]; do sleep 1 && echo "Sleeping"; done; socat - UNIX-CONNECT:/tmp/test-syslog.sock < /sample_logs/test-unix.log && echo "socat done" + - apk add --quiet socat && echo "Added socat" && trap 'socat - UNIX-CONNECT:/tmp/test-syslog.sock < /sample_logs/test-unix.log; echo "socat done"; exit 0' HUP && echo "Waiting for SIGHUP" && while true; do sleep 1 & wait $!; done From 04f6cb1e922c3ca13b9fe9b206fcccf5c58635cd Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Wed, 13 May 2026 14:58:43 -0500 Subject: [PATCH 6/9] switch to stream for testing --- .../unix/_dev/deploy/docker/docker-compose.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/packages/unix/_dev/deploy/docker/docker-compose.yml b/packages/unix/_dev/deploy/docker/docker-compose.yml index fd09724687f..6e9bbc4d3a8 100644 --- a/packages/unix/_dev/deploy/docker/docker-compose.yml +++ b/packages/unix/_dev/deploy/docker/docker-compose.yml 
@@ -1,20 +1,14 @@
 version: '2.3'
 services:
 test-unix:
- image: alpine:latest
+ image: docker.elastic.co/observability/stream:v0.21.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 - ${SERVICE_LOGS_DIR}:/tmp
- command:
- - sh
- - -c
- - apk add --quiet socat && echo "Added socat" && trap 'socat - UNIX-CONNECT:/tmp/test.sock < /sample_logs/test-unix.log; echo "socat done"; exit 0' HUP && echo "Waiting for SIGHUP" && while true; do sleep 1 & wait $!; done
+ command: log --start-signal=SIGHUP --delay=5s --addr /tmp/test.sock -p=unix /sample_logs/test-unix.log
 test-syslog:
- image: alpine:latest
+ image: docker.elastic.co/observability/stream:v0.21.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 - ${SERVICE_LOGS_DIR}:/tmp
- command:
- - sh
- - -c
- - apk add --quiet socat && echo "Added socat" && trap 'socat - UNIX-CONNECT:/tmp/test-syslog.sock < /sample_logs/test-unix.log; echo "socat done"; exit 0' HUP && echo "Waiting for SIGHUP" && while true; do sleep 1 & wait $!; done
+ command: log --start-signal=SIGHUP --delay=5s --addr /tmp/test-syslog.sock -p=unix /sample_logs/test-unix.log
From 6bb96b4905251f2bb17a9dffcb58b19ccd785da7 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Thu, 14 May 2026 11:11:17 -0500
Subject: [PATCH 7/9] Add change to set permissions for socket dir
---
 packages/unix/_dev/deploy/docker/docker-compose.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/packages/unix/_dev/deploy/docker/docker-compose.yml b/packages/unix/_dev/deploy/docker/docker-compose.yml
index 6e9bbc4d3a8..dfd3ac664d8 100644
--- a/packages/unix/_dev/deploy/docker/docker-compose.yml
+++ b/packages/unix/_dev/deploy/docker/docker-compose.yml
@@ -1,13 +1,24 @@
 version: '2.3'
 services:
+ setup-permissions:
+ image: busybox
+ command: chmod 1777 /tmp
+ volumes:
+ - ${SERVICE_LOGS_DIR}:/tmp
 test-unix:
 image: docker.elastic.co/observability/stream:v0.21.0
+ depends_on:
+ setup-permissions:
+ condition: service_completed_successfully
 volumes:
 - ./sample_logs:/sample_logs:ro
 - ${SERVICE_LOGS_DIR}:/tmp
 command: log --start-signal=SIGHUP --delay=5s --addr /tmp/test.sock -p=unix /sample_logs/test-unix.log
 test-syslog:
 image: docker.elastic.co/observability/stream:v0.21.0
+ depends_on:
+ setup-permissions:
+ condition: service_completed_successfully
 volumes:
 - ./sample_logs:/sample_logs:ro
 - ${SERVICE_LOGS_DIR}:/tmp
From 1b3da995dffee2afffaa7c15dfc5581ecdd5b78c Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Fri, 15 May 2026 13:20:42 -0500
Subject: [PATCH 8/9] respond to feedback
---
 packages/unix/_dev/build/docs/README.md | 6 ++---
 packages/unix/docs/README.md | 4 ++--
 .../unix/docs/knowledge_base/service_info.md | 5 +++-
 packages/unix/fields/beats.yml | 3 ---
 packages/unix/fields/ecs.yml | 2 ++
 packages/unix/kibana/tags.yml | 4 ----
 packages/unix/manifest.yml | 24 ++++++++++++++-----
 7 files changed, 29 insertions(+), 19 deletions(-)
 delete mode 100644 packages/unix/kibana/tags.yml
diff --git a/packages/unix/_dev/build/docs/README.md b/packages/unix/_dev/build/docs/README.md
index 66e14d25d7a..523947e910b 100644
--- a/packages/unix/_dev/build/docs/README.md
+++ b/packages/unix/_dev/build/docs/README.md
@@ -1,6 +1,6 @@
 # Custom Unix Logs Integration for Elastic
-> **Note**: This integration is currently in beta and subject to change.
+> **Note**: This AI-assisted guide was validated by our engineers. You may need to adjust the steps to match your environment.
 ## Overview
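Review bot: `image: busybox` for the new setup-permissions service carries no tag, while the stream image in the same file is pinned to v0.21.0; an unpinned tag pulls whatever is current at test time and makes the harness non-reproducible, so pin it the same way, `image: busybox:<pinned-tag>` (placeholder — choose the tag, ideally with a digest). `command: chmod 1777 /tmp` also deserves a comment above it stating why the shared SERVICE_LOGS_DIR must be world-writable with the sticky bit — presumably because the stream container and the agent creating the socket run as different UIDs — so nobody copies this into production guidance for the socket directory. The `condition: service_completed_successfully` form of depends_on depends on compose-spec support that the `version: '2.3'` key in the context does not by itself guarantee; worth confirming the elastic-package compose runner accepts it.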
@@ -40,7 +40,7 @@ This integration includes the following data stream:
 ### Elastic prerequisites
-- Elastic Agent: A running Elastic Agent that's enrolled in a Fleet policy.
+- Elastic Agent: A running Elastic Agent managed by a Fleet policy or configured in standalone mode.
 - The Elastic Agent must have write permission to the directory where the socket will be created.
 ### Source prerequisites
@@ -62,7 +62,7 @@ You'll follow these steps to add and configure the integration in Kibana:
 2. Search for **Custom Unix Logs** and select it.
 3. Click **Add Custom Unix Logs**.
 4. Configure the integration settings:
- - **Socket Path**: The filesystem path where the Unix domain socket will be created (e.g. `/tmp/elastic-agent.sock`).
+ - **Socket Path**: The filesystem path where the Unix domain socket will be created (e.g. `/tmp/example.sock`).
 - **Socket Type**: The socket variety: `stream` or `datagram`. The default is `stream`.
 - **Dataset Name**: The name of the dataset where logs will be written. The default is `unix.generic`.
 - **Framing**: Specify how the Agent identifies the end of a log message. Options include `delimiter` (default) or `rfc6587`.
diff --git a/packages/unix/docs/README.md b/packages/unix/docs/README.md
index 66e14d25d7a..7d576c61805 100644
--- a/packages/unix/docs/README.md
+++ b/packages/unix/docs/README.md
@@ -1,6 +1,6 @@
 # Custom Unix Logs Integration for Elastic
-> **Note**: This integration is currently in beta and subject to change.
+> **Note**: This AI-assisted guide was validated by our engineers. You may need to adjust the steps to match your environment.
 ## Overview
@@ -40,7 +40,7 @@ This integration includes the following data stream:
 ### Elastic prerequisites
-- Elastic Agent: A running Elastic Agent that's enrolled in a Fleet policy.
+- Elastic Agent: A running Elastic Agent managed by a Fleet policy or configured in standalone mode.
 - The Elastic Agent must have write permission to the directory where the socket will be created.
 ### Source prerequisites
diff --git a/packages/unix/docs/knowledge_base/service_info.md b/packages/unix/docs/knowledge_base/service_info.md
index 174a2adf436..9b5faeb9527 100644
--- a/packages/unix/docs/knowledge_base/service_info.md
+++ b/packages/unix/docs/knowledge_base/service_info.md
@@ -29,7 +29,7 @@ The **Custom Unix Logs** integration is compatible with any process or applicati
 ## Elastic prerequisites
-- **Elastic Agent:** A running Elastic Agent enrolled in a Fleet policy.
+- **Elastic Agent:** A running Elastic Agent managed by a Fleet policy or configured in standalone mode.
 - **Filesystem Access:** The Elastic Agent must have write permission to the directory where the socket will be created.
 ## Source prerequisites
@@ -95,3 +95,6 @@ After configuration is complete, follow these steps to verify data is flowing co
 # Documentation sites
 - [Filebeat Unix Input](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-unix)
+- [RFC 3164: The BSD Syslog Protocol](https://datatracker.ietf.org/doc/html/rfc3164)
+- [RFC 5424: The Syslog Protocol](https://datatracker.ietf.org/doc/html/rfc5424)
+- [RFC 6587: Transmission of Syslog Messages over TCP](https://datatracker.ietf.org/doc/html/rfc6587)
diff --git a/packages/unix/fields/beats.yml b/packages/unix/fields/beats.yml
index ede69588554..22565288a1d 100644
--- a/packages/unix/fields/beats.yml
+++ b/packages/unix/fields/beats.yml
@@ -1,6 +1,3 @@
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
-- name: tags
- type: keyword
- description: User defined tags
diff --git a/packages/unix/fields/ecs.yml b/packages/unix/fields/ecs.yml
index 3eed6ab1f26..8aaf81f15ad 100644
--- a/packages/unix/fields/ecs.yml
+++ b/packages/unix/fields/ecs.yml
@@ -31,3 +31,5 @@
 external: ecs
 - name: log.syslog.version
 external: ecs
+- name: tags
+ external: ecs
diff --git a/packages/unix/kibana/tags.yml b/packages/unix/kibana/tags.yml
deleted file mode 100644
index 47f20a8f551..00000000000
--- a/packages/unix/kibana/tags.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- text: Security Solution
- asset_types:
- - dashboard
- - search
diff --git a/packages/unix/manifest.yml b/packages/unix/manifest.yml
index abc5521bfd0..f8f5400e710 100644
--- a/packages/unix/manifest.yml
+++ b/packages/unix/manifest.yml
@@ -1,4 +1,4 @@
-format_version: "3.3.2"
+format_version: "3.6.2"
 name: unix
 title: Custom Unix Logs
 description: Collect data from a Unix domain socket with Elastic Agent.
@@ -26,13 +26,19 @@ policy_templates:
 required: true
 show_user: true
 - name: socket_type
- type: text
+ type: select
 title: Socket Type
 description: |
 The socket type: stream or datagram. The default is stream.
 required: false
 show_user: true
 default: stream
+ multi: false
+ options:
+ - value: stream
+ text: stream
+ - value: datagram
+ text: datagram
 - name: use_logs_stream
 type: bool
 title: Use the "logs" data stream
@@ -63,11 +69,17 @@ policy_templates:
 required: false
 show_user: false
 - name: framing
- type: text
+ type: select
 title: Framing
- description: Specify the framing used to split incoming events. Can be one of delimiter or rfc6587. The default is delimiter.
+ description: Specify the framing used to split incoming events. The default is delimiter.
 required: false
 show_user: false
+ multi: false
+ options:
+ - value: delimiter
+ text: delimiter
+ - value: rfc6587
+ text: rfc6587
 - name: line_delimiter
 type: text
 title: Line Delimiter
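Review bot: `framing` becomes a select whose description still promises `The default is delimiter.`, but unlike `socket_type` in the preceding hunk (which carries `default: stream`) no `default:` key is set, so the form presumably renders with nothing selected and the stated default exists only in the input's own fallback. Add `default: delimiter` next to the new `multi: false` line so the manifest agrees with its description and the rendered policy is explicit about which framing is in use. The `socket_type` hunk is already consistent in this respect and needs no change.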
@@ -75,13 +87,13 @@ policy_templates:
 required: false
 show_user: false
 - name: max_connections
- type: text
+ type: integer
 title: Max Connections
 description: The at most number of connections to accept at any given point in time.
 required: false
 show_user: false
 - name: timeout
- type: text
+ type: duration
 title: Timeout
 description: The duration of inactivity before a remote connection is closed. The default is 300s. Valid time units are ns, us, ms, s, m, h.
 required: false
From ee7019494316b45b68d5846c0b52ca2b01702299 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Fri, 15 May 2026 13:52:13 -0500
Subject: [PATCH 9/9] update readme
---
 packages/unix/docs/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/unix/docs/README.md b/packages/unix/docs/README.md
index 7d576c61805..523947e910b 100644
--- a/packages/unix/docs/README.md
+++ b/packages/unix/docs/README.md
@@ -62,7 +62,7 @@ You'll follow these steps to add and configure the integration in Kibana:
 2. Search for **Custom Unix Logs** and select it.
 3. Click **Add Custom Unix Logs**.
 4. Configure the integration settings:
- - **Socket Path**: The filesystem path where the Unix domain socket will be created (e.g. `/tmp/elastic-agent.sock`).
+ - **Socket Path**: The filesystem path where the Unix domain socket will be created (e.g. `/tmp/example.sock`).
 - **Socket Type**: The socket variety: `stream` or `datagram`. The default is `stream`.
 - **Dataset Name**: The name of the dataset where logs will be written. The default is `unix.generic`.
 - **Framing**: Specify how the Agent identifies the end of a log message. Options include `delimiter` (default) or `rfc6587`.
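Review bot: `max_connections` gets `type: integer` but keeps the awkward description `The at most number of connections to accept at any given point in time.`; `The maximum number of concurrent connections to accept.` reads better, and a clause on what happens to connections beyond the limit would help operators size it against their producers. With `timeout` now `type: duration`, the trailing `Valid time units are ns, us, ms, s, m, h.` documents the free-text form the field no longer has and can be trimmed unless the duration widget still accepts raw strings. Neither variable has a `default:` key even though the timeout description names 300s as the default; `default: 300s` would keep the manifest consistent with its own text, in the same way `socket_type` carries `default: stream`.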