I have a little problem with Logstash 1.5.2 and grok filtering. My Logstash gets messages from syslog and grok has problems with one of them: it is adding the _grokparsefailure_syslog tag. When I put the message to stdin everything goes well. Here is the grok filter rule:
The syslog input uses grok internally, and that's what isn't matching (hence _grokparsefailure_syslog instead of _grokparsefailure). It seems the syslog input doesn't like what is sent to it, possibly because it's malformed.
The problem was with the builtin syslog grok filter. Now I'm using the TCP input plugin and my own syslog grok filter, which is working with the specific message type.
Thanks!
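As an added example (not the original poster's configuration), this is the shape of the replacement pipeline described in the thread: a plain `tcp` input instead of the `syslog` input, followed by a hand-written grok pattern for RFC 3164-style lines. The listening port, the `type` value and the extracted field names are assumptions. The builtin syslog input applies the pattern `<%{POSINT:priority}>%{SYSLOGLINE}` before the event reaches your own filters, so a sender that omits the `<PRI>` prefix or deviates from the RFC 3164 layout gets tagged `_grokparsefailure_syslog` no matter what your grok filter says; the custom pattern below makes that prefix optional so such lines still parse.

```logstash
input {
  tcp {
    # Assumption: syslog forwarders are pointed at this port instead of 514/5514.
    port => 5140
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # Custom RFC 3164-style pattern; the "<PRI>" prefix is optional so messages
      # that the builtin syslog input rejects still match here.
      match => {
        "message" => "(?:<%{POSINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
      }
      add_field => [ "received_at", "%{@timestamp}" ]
    }
    # Decode facility/severity from the PRI value when it was present.
    if [syslog_pri] {
      syslog_pri { }
    }
    # Use the timestamp carried in the message rather than the arrival time.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  # Lines the custom grok still cannot parse keep the default
  # _grokparsefailure tag; sending them to stdout makes the mismatches visible.
  if "_grokparsefailure" in [tags] {
    stdout { codec => rubydebug }
  }
}
```

To check a single problem line without touching the live pipeline, swap the `tcp` input for `stdin { type => "syslog" }` and paste the exact message in; if it lands in the `_grokparsefailure` branch, compare it field by field against the pattern (the timestamp and the `program[pid]:` separator are the usual culprits).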