_grokparsefailure while reading logs from file by logstash

maciej.kola · January 27, 2016, 8:27pm

Hi Mates,

Can anyone please tell me, why I got "_grokparsefailure" while reading logs from file? My logs look like this:

2016-01-27T21:17:31+01:00 10.1.2.132 %ASA-1-302013: Built outbound TCP connection 890918059 for test:10.3.3.54/2222 (10.3.3.54/2222) to inside:192.24.3.103/62065 (192.24.3.103/62065)

I have searched forum and google and I found out that grok thinks that it's not a "syslog style" log. But it is (at least it is a file saved by rsyslog on CentOS 7 so I assume that it's compatible with RFC).

My grok filter:

filter {
if [type] == "syslog" {
grok {
match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
}
}
}

magnusbaeck · January 28, 2016, 7:24am

Your grok expression isn't even close to matching the actual log data. The grok expresion you use would parse a log that looks something like this:

<13>Jan 28 08:21:29 hostname smartd[4016]: Device: /dev/sdb [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 32 to 33

Your expression should probably begin like this:

%{TIMESTAMP_ISO8601:syslog_timestamp} %{IP:host}

Topic		Replies	Views
Getting _grokparsefailure as a tag Logstash	6	497	May 23, 2018
Grok parsing syslog error Logstash	4	3770	August 30, 2018
_grokparsefailure_syslog but grok filter perfectly from stdin Logstash	3	1059	July 6, 2017
Logstash syslog _grokparsefailure errors Logstash	2	1272	June 11, 2019
GROK pattern for syslogs Logstash	4	7165	October 13, 2021

_grokparsefailure while reading logs from file by logstash

Related topics