I'm still very new to Elastic Stack and I ditched Filebeat because it made all of my syslogs look like they were coming from the same host. I have my syslogs coming into Logstash now and for the most part it's working; however, the syslog_severity and syslog_severity_code fields always show up as 'notice' and '5' respectively, regardless of the data sent.
I tested with Kiwi, by sending 500 randomized messages, and all 500 of them came over as 'notice' and '5'.
Here's my filter in my config file:
    filter {
      if [type] == "syslog" {
        grok {
          # <PRI> is captured into syslog_pri. The brackets around the PID must be
          # escaped: unescaped [ and ] are regex character-class metacharacters in grok,
          # so the pattern never matched and syslog_pri was never set.
          match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => {
            "received_at"   => "%{@timestamp}"
            "received_from" => "%{host}"
          }
        }
        # Decodes syslog_pri into syslog_facility / syslog_severity and their _code fields
        syslog_pri { }
        date {
          # BSD syslog pads single-digit days with a space ("Oct  3"), hence the
          # double-space variant
          match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
    }
I freely admit that I don't fully understand grok to the point that I know how to extract the proper priority fields.
Also in Kibana when I try to do a visualization, the syslog_priority fields aren't showing up as fields I can use to split up pie charts and such.
Any help is very greatly appreciated. Thank you.
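The following is an added, stand-alone Python illustration (not part of the original post and not Logstash code) of what the grok and syslog_pri stages are supposed to do with a syslog line: match the `<PRI>` prefix, then split the priority into facility and severity with `facility = PRI // 8`, `severity = PRI % 8`. The regex is a hand-written equivalent of the corrected grok pattern, and the fallback to priority 13 (facility user-level, severity notice) mirrors the default the syslog_pri filter applies when the field is missing, which is exactly the "always notice / 5" symptom a non-matching grok produces. The sample lines and the label tables are constructed for this example; `parse_syslog_line` and `decode_pri` are hypothetical names.

```python
import re

# Hand-written equivalent of the corrected grok line:
#   <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<syslog_pri>\d+)>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>[^\[:]+)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# RFC 3164 label tables, in the same order the syslog_pri filter uses
SEVERITY_LABELS = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]

# Value the syslog_pri filter falls back to when syslog_pri is absent:
# 13 = facility 1 (user-level) * 8 + severity 5 (notice)
DEFAULT_PRI = 13


def decode_pri(pri: int) -> dict:
    """Split a syslog PRI value into facility and severity fields."""
    facility, severity = divmod(pri, 8)
    facility_label = FACILITY_LABELS[facility] if facility < len(FACILITY_LABELS) else "unknown"
    return {
        "syslog_facility_code": facility,
        "syslog_facility": facility_label,
        "syslog_severity_code": severity,
        "syslog_severity": SEVERITY_LABELS[severity],
    }


def parse_syslog_line(line: str) -> dict:
    """Emulate grok + syslog_pri on one raw syslog line."""
    m = SYSLOG_RE.match(line)
    if m is None:
        # grok would tag the event and leave syslog_pri unset
        event = {"message": line, "tags": ["_grokparsefailure"]}
    else:
        event = {k: v for k, v in m.groupdict().items() if v is not None}
    try:
        pri = int(event.get("syslog_pri", DEFAULT_PRI))
    except ValueError:
        pri = DEFAULT_PRI
    event.update(decode_pri(pri))
    return event


if __name__ == "__main__":
    # Constructed sample lines: one well-formed, one missing the <PRI> prefix
    samples = [
        "<34>Oct 11 22:14:15 mymachine su[123]: 'su root' failed for lonvick on /dev/pts/8",
        "Oct 11 22:14:15 mymachine su[123]: 'su root' failed for lonvick on /dev/pts/8",
    ]
    for s in samples:
        ev = parse_syslog_line(s)
        print(ev.get("tags", []), ev["syslog_facility"], ev["syslog_severity"], ev["syslog_severity_code"])
```

Running it shows the first line decoding to facility security/authorization, severity critical (code 2), while the second, which grok cannot match, falls through to notice / 5: if every event in Kibana carries that pair, the first thing to check is whether the events are also tagged `_grokparsefailure`, because that means syslog_pri is never being populated and the syslog_pri filter is decoding its default rather than the message.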