Hello, we're receiving messages from the Cisco UCS system in the following format:
<181>: 2017 May 5 17:34:40 BST: last message repeated 1 time
The Grok debugger at https://grokdebug.herokuapp.com/ confirms the following pattern does match:
%{SYSLOG5424PRI}:%{SPACE}%{YEAR}%{SPACE}%{CISCOTIMESTAMP}%{SPACE}%{DATA:timezone}:%{SPACE}%{GREEDYDATA:syslog_message}
I have the following in Logstash.conf:
if [type] == "syslogucs" {
    grok {
        match => { "message" => "%{SYSLOG5424PRI}:%{SPACE}%{YEAR}%{SPACE}%{CISCOTIMESTAMP}%{SPACE}%{DATA:timezone}:%{SPACE}%{GREEDYDATA:syslog_message}" }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
}
However, when I view the message in Kibana it doesn't look right; for example, the syslog priority isn't identified, for a start:
@timestamp   May 5th 2017, 17:34:39.891
@version     1
_id          AVvZdnpWlq-Z6-tmfLE2
_index       syslogucs-2017.05
_score       -
_type        syslogucs
host         192.168.27.6
message      <181>: 2017 May 5 17:34:40 BST: last message repeated 1 time
type         syslogucs
Can anyone help?
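An added example, not part of the question above and not the poster's configuration, that reproduces the two halves of the pipeline in Python so they can be checked separately: the grok match, and what a syslog_pri filter does with its result. Two details matter. First, the SYSLOG5424PRI grok pattern stores the number in a field named syslog5424_pri, while the syslog_pri filter decodes the field named syslog_pri unless its syslog_pri_field_name option points it elsewhere, so even when the grok match succeeds the filter is looking at a field that does not exist. Second, the Kibana document above carries none of the fields the grok block would add on a successful match (syslog_message, timezone, received_at, received_from), which is worth checking before anything else: look at the event's tags field for _grokparsefailure, and confirm the pipeline was actually reloaded with the new filter block. The regex below is a hand expansion of the grok pattern from the question (the CISCOTIMESTAMP part is an approximation of the grok definition), the label tables are the RFC 3164 facility and severity names the filter uses as its default labels, and the sample line is the one quoted in the question.

```python
import re

# Constructed sample input: the line quoted in the question.
SAMPLE = "<181>: 2017 May 5 17:34:40 BST: last message repeated 1 time"

# Hand expansion of the grok pattern from the question. Group names mirror the
# fields grok would create; note that SYSLOG5424PRI writes syslog5424_pri.
# YEAR and CISCOTIMESTAMP carry no field name in the grok pattern, so grok would
# not emit them; they are named here only so the parts can be inspected.
# The CISCOTIMESTAMP sub-pattern is an approximation of the grok definition.
PATTERN = re.compile(
    r"^<(?P<syslog5424_pri>\d+)>:\s*"
    r"(?P<year>\d{4})\s+"
    r"(?P<cisco_timestamp>[A-Za-z]{3,9} +\d{1,2} \d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<timezone>.*?):\s*"
    r"(?P<syslog_message>.*)$"
)

# RFC 3164 facility and severity names, matching the syslog_pri filter's
# default facility_labels and severity_labels options.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITY_LABELS = [
    "emergency", "alert", "critical", "error", "warning", "notice",
    "informational", "debug",
]


def grok_ucs_line(line):
    """Emulates the grok filter: returns the captured fields as strings, or
    tags the event with _grokparsefailure when the pattern does not match."""
    m = PATTERN.match(line)
    if m is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = {"message": line}
    event.update(m.groupdict())
    return event


def decode_pri(pri):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    facility_code, severity_code = divmod(int(pri), 8)
    facility = (FACILITY_LABELS[facility_code]
                if facility_code < len(FACILITY_LABELS) else str(facility_code))
    return {
        "syslog_facility_code": facility_code,
        "syslog_severity_code": severity_code,
        "syslog_facility": facility,
        "syslog_severity": SEVERITY_LABELS[severity_code],
    }


def syslog_pri_filter(event, syslog_pri_field_name="syslog_pri"):
    """Emulates the syslog_pri filter: decodes only the configured field.
    This emulation returns the event unchanged when that field is absent
    (a choice made here, not a claim about the plugin's own handling); the
    point is that local6/notice only appears when the filter is pointed at
    the field grok actually wrote, which is syslog5424_pri."""
    if syslog_pri_field_name not in event:
        return event
    event.update(decode_pri(event[syslog_pri_field_name]))
    return event


if __name__ == "__main__":
    parsed = grok_ucs_line(SAMPLE)
    print("grok fields:", parsed)
    print("filter with default field name:", syslog_pri_filter(dict(parsed)))
    print("filter pointed at syslog5424_pri:",
          syslog_pri_filter(dict(parsed), syslog_pri_field_name="syslog5424_pri"))
```

For PRI 181 the decode gives facility code 22 (local6) and severity code 5 (notice), which is what a pipeline using syslog_pri { syslog_pri_field_name => "syslog5424_pri" } would write into syslog_facility and syslog_severity; with the default field name the example shows the event passing through without those fields.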