All syslogs have same severity

I'm still very new to elastic stack and I ditched filebeat because it made all of my syslogs look like they were coming from the same host. I have my syslogs coming into logstash now and for the most part its working, however, the syslog_severity and syslog_severity code always show up as 'notice' and '5' respectively, regardless of the data sent.

I tested with Kiwi, by sending 500 randomized messages, and all 500 of them came over as 'notice' and '5'.

Here's my filter in my config file:

filter {
if [type] == "syslog" {
grok {
match => { "message" => "<%{POSINT:syslog_pri}>% %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]

I freely admit that I don't fully understand grok to the point that I know how to extract the proper priority fileds.

Also in Kibana when I try to do a visualization, the syslog_priority fields aren't showing up as fields I can use to split up pie charts and such.

Any help is very greatly appreciated. Thank you.

Those are the default values if the syslog_pri field does not exist. Are you sure your grok is working? It look to me like you have an extra % in there.

Would you mind pointing out the extra % sign? As I said above, I dont grok grok.

You have a % after the closing > that probably should not be there. You may not want a space there either.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.