Elastic only receiving partial logstash events?

avamore · May 28, 2015, 3:04pm

Hi All,
I have a logstash forwarding syslog events from multiple applications on a single server:

input {

      tcp {
        port => 514
        type => syslog
      }
      udp {
        port => 514
        type => syslog
      }
    }
    
    filter {
      if [type] == "syslog" {
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => [ "received_at", "%{@timestamp}" ]
          add_field => [ "received_from", "%{host}" ]
        }
        syslog_pri { }
        date {
          match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
    }
    
    output {
      elasticsearch { host => localhost }
      stdout { codec => rubydebug }
    }

Elastic is only receiving logs from one application, and not another, however, I see both in the stdout. Any idea what may cause this?

Elasticsearch 1.5.2
Kibana 4.0.2
Logstash 1.5.0

warkolm · May 29, 2015, 2:36am

Are the formats the same for both? As your grok pattern will be forced on them and if it doesn't match you should be seeing _grokparsefailures.

avamore · June 1, 2015, 4:16pm

The formats are just about the same.

It's actually weird, the grokparsefailure messages are showing, but the ones without failures aren't. I'm truly stumped

Topic		Replies	Views
Syslog data that is going into logstash not being picked up by elasticsearch Logstash	3	267	November 5, 2020
Parsing Syslog to Logstash Logstash	6	488	March 10, 2020
Config Logstash for Syslog Logstash	5	1328	April 4, 2017
Syslog forwarding question -> Logstash (very basic) Logstash	8	15404	May 9, 2018
Logstash syslog _grokparsefailure errors Logstash	2	1274	June 11, 2019

Elastic only receiving partial logstash events?

Related topics