Dell iDrac Syslog Grok Logstash

rcraigncs · November 30, 2022, 9:52pm

I am looking for help to grok Syslog from Dell idrac I am having problems taking the grok below and making it work with a Logstash. Your help is deeply appreciated!

Extracting additional fields from iDRAC logs I found online.

<Exec>
        parse_syslog();
        if $Message =~ /(?x)^([a-zA-Z]*),\ Category:\ ([a-zA-Z]*),
                        \ MessageID:\ ([a-zA-Z0-9]*),\ Message:\ (.*)$/
        {
            $DracMsgLevel = $1;
            $DracMscCategory = $2;
            $DracMscID = $3;
            $DracMessage = $4;
        }
    </Exec>

My logstash conf

input {
  udp  { 
    port => "514"
    type => "syslog"
  }
}

filter {
if [type] == "syslog"  {
}
if [host] == '101' {
	mutate {
		add_tag => ["idrac"]
	}
    grok { # Match syslog data and add fields
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date { # Match date in syslog message and set timestamp field to this
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      target => "syslog_timestamp"
    }
  }
}

rcraigncs · November 30, 2022, 11:10pm

here is what the message log looks like what's my option to grok this?

{
  "_index": "syslog-2022.11.30",
  "_id": "2ELOyoQBFRFz4SudHDNI",
  "_version": 1,
  "_score": null,
  "_source": {
    "tags": [
      "idrac",
      "_grokparsefailure"
    ],
    "type": "syslog",
    "@version": "1",
    "message": "<182>os[16910]: 2022 RAC:login failed from fsdfd: '10.1.1.1 \n",
    "@timestamp": "2022-11-30T23:10:16.030Z",
    "host": "10.1.1.1"
  },
  "fields": {
    "@timestamp": [
      "2022-11-30T23:10:16.030Z"
    ]
  },
  "sort": [
    1669849816030
  ]
}

rcraigncs · December 1, 2022, 5:32pm

Here is my updated grok what should I do to improve it?

filter {
if [type] == "syslog"  {
}
if [host] == '10.22.0.71' {
	mutate {
		add_tag => ["idrac"]
	}
  syslog_pri { }
    }
    grok { # Match syslog data and add fields
      match => { "message" => " %{GREEDYDATA:DracMessage}" }
    }
    date { # Match date in syslog message and set timestamp field to this
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      target => "syslog_timestamp"
    }
  }

system · December 29, 2022, 5:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.