From 4be3dd61200b80fd501fd3509b2406a66d572912 Mon Sep 17 00:00:00 2001
From: Blake Rouse <blake.rouse@elastic.co>
Date: Mon, 10 Feb 2020 09:50:57 -0500
Subject: [PATCH] [Journalbeat] Improve parsing of syslog.pid in journalbeat to
 strip the username when present (#16116)

* Improve parsing of syslog.pid in journalbeat to strip the username in pid when present.

* Add entry to changelog with pull ID.

* Improve the comment on the username strip.

(cherry picked from commit 6a7dbd6016e8009761f55f4d7be89d98f506b435)
---
 CHANGELOG.next.asciidoc            |  2 ++
 journalbeat/reader/journal.go      | 12 +++++++--
 journalbeat/reader/journal_test.go | 39 ++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 7291ac0c5db5..86520d4795f1 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -37,6 +37,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Journalbeat*
 
 - Remove broken dashboard. {pull}15288[15288]
+- Improve parsing of syslog.pid in journalbeat to strip the username when present {pull}16116[16116]
+
 
 *Metricbeat*
 
diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go
index 463f50909817..a2c9d0e8ce17 100644
--- a/journalbeat/reader/journal.go
+++ b/journalbeat/reader/journal.go
@@ -288,8 +288,16 @@ func (r *Reader) convertNamedField(fc fieldConversion, value string) interface{}
 	if fc.isInteger {
 		v, err := strconv.ParseInt(value, 10, 64)
 		if err != nil {
-			r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
-			return value
+			// On some versions of systemd the 'syslog.pid' can contain the username
+			// appended to the end of the pid. In most cases this does not occur
+			// but in the cases that it does, this tries to strip ',\w*' from the
+			// value and then perform the conversion.
+			s := strings.Split(value, ",")
+			v, err = strconv.ParseInt(s[0], 10, 64)
+			if err != nil {
+				r.logger.Debugf("Failed to convert field: %s \"%v\" to int: %v", fc.name, value, err)
+				return value
+			}
 		}
 		return v
 	}
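Review bot: The comma fallback at `s := strings.Split(value, ",")` runs for every field with `fc.isInteger`, not only `syslog.pid`, so any integer field whose value contains a comma is silently truncated to its first segment and emitted as an int64. Journal fields without a leading underscore are supplied by the logging process, so this coercion acts on sender-controlled text, and the discarded suffix is never logged. I would limit the fallback to the syslog.pid conversion (the value `fc.name` holds for it is not visible in this hunk) and record the strip, e.g. `r.logger.Debugf("Stripped suffix from field: %s \"%v\"", fc.name, value)` after the second `ParseInt` succeeds. The added comment says `',\w*'` but the code drops everything after the first comma; `// drops everything after the first ','` would match what it does. convertNamedField starts above the hunk and continues past it.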
diff --git a/journalbeat/reader/journal_test.go b/journalbeat/reader/journal_test.go
index 76ff33ecea29..8ce288e05d7f 100644
--- a/journalbeat/reader/journal_test.go
+++ b/journalbeat/reader/journal_test.go
@@ -57,6 +57,45 @@ func TestToEvent(t *testing.T) {
 				},
 			},
 		},
+		// 'syslog.pid' field without user append
+		ToEventTestCase{
+			entry: sdjournal.JournalEntry{
+				Fields: map[string]string{
+					sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456",
+				},
+			},
+			expectedFields: common.MapStr{
+				"syslog": common.MapStr{
+					"pid": int64(123456),
+				},
+			},
+		},
+		// 'syslog.pid' field with user append
+		ToEventTestCase{
+			entry: sdjournal.JournalEntry{
+				Fields: map[string]string{
+					sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "123456,root",
+				},
+			},
+			expectedFields: common.MapStr{
+				"syslog": common.MapStr{
+					"pid": int64(123456),
+				},
+			},
+		},
+		// 'syslog.pid' field empty
+		ToEventTestCase{
+			entry: sdjournal.JournalEntry{
+				Fields: map[string]string{
+					sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: "",
+				},
+			},
+			expectedFields: common.MapStr{
+				"syslog": common.MapStr{
+					"pid": "",
+				},
+			},
+		},
 		// custom field
 		ToEventTestCase{
 			entry: sdjournal.JournalEntry{
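Review bot: None of the three new cases exercises the fallback's own failure path, where a comma is present but the part before it is not a number. A case with a constructed value such as `sdjournal.SD_JOURNAL_FIELD_SYSLOG_PID: ",root"` expecting `"pid": ",root"` would pin that the original string is returned unchanged rather than a partial value. The table literal these cases belong to starts and ends outside the hunk.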