
Conversation

@mjwolf (Contributor) commented Jan 13, 2026

Proposed commit message

In panw, drop events where the syslog processor could not parse a syslog message from the event. This behaviour is the same as the TCP syslog parser, which will also drop unparsable syslog messages.

The drop_event condition is: "error.message" is set and "log.syslog.priority" is absent. This should indicate that the syslog processor is the source of the error, because the mandatory syslog field is not present, and should not drop events where an earlier processor is the cause of the error.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.
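As an added example (not code from the elastic/integrations repository or from this PR), the script below simulates the rule described above: a toy stand-in for the syslog processor sets log.syslog.priority on success and error.message on failure, and the drop check fires only when error.message is present and log.syslog.priority is absent. The BEATS_CONDITION string is an illustration of how such a rule is written in Beats processor syntax and is an assumption, not the panw stream's actual configuration; the sample events are constructed.

```python
"""Simulate the panw drop condition: error.message set AND log.syslog.priority absent."""
import copy
import re

# Assumed illustration of the rule in Beats drop_event syntax (not the real panw config).
BEATS_CONDITION = """
processors:
  - drop_event:
      when:
        and:
          - has_fields: ['error.message']
          - not:
              has_fields: ['log.syslog.priority']
"""

_PRI_RE = re.compile(r"^<(\d{1,3})>")  # RFC 3164 / 5424 PRI header, e.g. "<14>"


def get_field(event: dict, dotted: str):
    """Walk a dotted path through nested dicts; None when any segment is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def syslog_processor(event: dict) -> dict:
    """Toy syslog processor: PRI parsed -> log.syslog.priority; otherwise error.message."""
    m = _PRI_RE.match(event.get("message", ""))
    if m and int(m.group(1)) <= 191:  # PRI = facility*8 + severity, max 23*8+7
        pri = int(m.group(1))
        event.setdefault("log", {})["syslog"] = {
            "priority": pri, "facility": {"code": pri // 8}, "severity": {"code": pri % 8}}
    else:
        event["error"] = {"message": "could not parse syslog message"}
    return event


def should_drop(event: dict) -> bool:
    """True only when the error most likely came from the syslog processor itself."""
    return (get_field(event, "error.message") is not None
            and get_field(event, "log.syslog.priority") is None)


def run(events):
    """Apply the syslog processor, then the drop rule; return the events that survive."""
    return [ev for ev in (syslog_processor(copy.deepcopy(e)) for e in events) if not should_drop(ev)]


SAMPLES = [  # constructed sample events
    {"message": "<14>Jan 13 10:00:00 fw1 1,2026/01/13 10:00:00,001,TRAFFIC,end"},  # kept
    {"message": "garbage without a PRI header"},                                    # dropped
    {"message": "<14>Jan 13 10:00:01 fw1 ...", "error": {"message": "earlier processor failed"}},  # kept
]
```

Running `run(SAMPLES)` keeps the first and third events: the third carries an error.message from an earlier stage, but since the syslog header still parsed and log.syslog.priority is set, the rule leaves it alone.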

In cases where a malformed syslog message is received, drop the message,
since it likely won't contain enough data to parse properly, and will
cause further errors in the ingest pipeline and the document which would
be stored.
@andrewkroh andrewkroh added the Integration:panw Palo Alto Next-Gen Firewall label Jan 13, 2026
Change the drop_event condition to drop the event when error.message is
set AND log.syslog.priority is absent. This would indicate that the
syslog message was not parsed properly, and the origin of the error
message is in the syslog processor.
@mjwolf mjwolf self-assigned this Jan 15, 2026
@mjwolf mjwolf added bugfix Pull request that fixes a bug issue Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels Jan 15, 2026
@mjwolf mjwolf marked this pull request as ready for review January 15, 2026 19:31
@mjwolf mjwolf requested a review from a team as a code owner January 15, 2026 19:31
@elasticmachine

Pinging @elastic/integration-experience (Team:Integration-Experience)

@mjwolf mjwolf enabled auto-merge (squash) January 15, 2026 19:35
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

cc @mjwolf

@mjwolf mjwolf merged commit 125b327 into elastic:main Jan 15, 2026
8 checks passed
@elastic-vault-github-plugin-prod

Package panw - 5.4.1 containing this change is available at https://epr.elastic.co/package/panw/5.4.1/
