Data Filter issue

cdra · October 26, 2017, 5:18am

We have some switches that send syslog messages like:
Oct 25 16:35:05 2017 wsscc000 %%10SHELL/6/SHELL_CMD(l): -Task=vt0-IPAddr=10.61.7.10-User=afg; Command is sys

In this case, logstash set syslog_hostname = 2017 not wsscc000

magnusbaeck · October 26, 2017, 5:23am

Then you'll have to use a custom grok filter. If you currently use a syslog input I think you'll have to switch to a tcp and/or udp input and add the necessary filters separately.

cdra · October 26, 2017, 5:59am

Unix / Linux computer don't send year field...so it work fine...but in some switches don't work because year field exists.. My grok filter is like:
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }

Input is like:
input {
tcp {
port => 514
type => "syslog"
}
udp {
port => 514
type => "syslog"
}

cdra · October 26, 2017, 7:00am

My solution:
grok {
match => { "message" => ["%{SYSLOGTIMESTAMP:syslog_timestamp} %{YEAR:syslog_year} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}","%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}"]}

}

system · November 23, 2017, 7:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.