On the logstash forum, they said that my question had more to do with elasticsearch, so here I am.
So far I've added hosts to my logstash input that have used ISO8601 time format in their syslog config. Those have imported ok and the date/time is interpreted into the timestamp field. I have the following stanza in my logstash.conf:
date {
locale => "en"
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
}
I then tried to add a host that has the default syslog date format of MMM dd HH:mm:ss and Elasticsearch is choking on it's date for some reason with the following error:
[2019-05-06T06:31:23,884][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2019.05.06", :_type=>"syslog", :_routing=>nil}, 2019-05-06T10:31:18.000Z {name=ludwig, id=081a9a13d60d41deb4c6e2229bdc197a, os={name=Ubuntu, family=debian, version=18.10 (Cosmic Cuttlefish), platform=ubuntu, codename=cosmic}, containerized=false, architecture=x86_64} May 6 06:31:18 ludwig nm-dispatcher: req:1 'dhcp4-change' [enp3s0]: start running ordered scripts...], :response=>{"index"=>{"_index"=>"logstash-2019.05.06", "_type"=>"syslog", "_id"=>"AWqMsrflWmfBzhmpAUtm", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [timestamp]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: "May 6 06:31:18""}}}}}
I see that the error is invalid format for the date, but I don't understand how it doesn't match.