Failed parsing date, linux syslog

Willie_Cadete · March 16, 2016, 11:32am

Hello, Everyone

I'm having problems to parse field timestamp, it shoud be something simple but I'm not getting to see!
I'm already here trying resolve this all day

log example:

Mar 8 03:34:15 fw01 block-INPUT IN=wan0 OUT= MAC=00:00:00:00:00:e3:10:f3:00:00:00:81:08:00 SRC=11.11.11.11 DST=22.22.22.22 LEN=48 TOS=00 PREC=0x00 TTL=119 ID=17927 DF PROTO=TCP SPT=0000 DPT=0000 SEQ=1837860932 ACK=0 WINDOW=8192 SYN URGP=0 MARK=1

config logstash:

input {
    stdin {type => "iptables"}
}

filter {
        if [type] == "iptables" {
        grok {
                        patterns_dir => "/opt/logstash/patterns"
                        match => { "message" => "%{IPTABLES}" }
            }

        date {
                        locale => "pt-BR"
                        match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
                        timezone => "America/Sao_Paulo"
            }
        }
    }

output {

    stdout {
            codec => "rubydebug"
        }
}

patterns:

NETFILTERMAC %{COMMONMAC:dst_mac}:%{COMMONMAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
IPTABLES %{SYSLOGTIMESTAMP:timestamp}\s+%{HOSTNAME:source_host}\s+(?<chain>[A-Za-z0-9_-]+)?.*IN=%{WORD:in_interface}?.*OUT=(%{WORD:out_interface})?.*MAC=%{NETFILTERMAC}?.*SRC=%{IP:src_ip}?.*DST=%{IP:dst_ip}?.*TTL=%{INT:ttl}?.*PROTO=%{WORD:protocol}?.*SPT=%{INT:src_port}?.*DPT=%{INT:dst_port}

Output:

Failed parsing date from field {:field=>"timestamp", :value=>"Mar  8 03:34:15", :exception=>"Invalid format: \"Mar  8 03:34:15\"", :config_parsers=>"MMM  d HH:mm:ss,MMM dd HH:mm:ss", :config_locale=>"pt-BR", :level=>:warn}
{
         "message" => "Mar  8 03:34:15 fw01 block-INPUT IN=wan0 OUT= MAC=00:00:00:00:00:e3:10:f3:00:00:00:81:08:00 SRC=11.11.11.11 DST=22.22.22.22 LEN=48 TOS=00 PREC=0x00 TTL=119 ID=17927 DF PROTO=TCP SPT=0000 DPT=0000 SEQ=1837860932 ACK=0 WINDOW=8192 SYN URGP=0 MARK=1",
        "@version" => "1",
      "@timestamp" => "2016-03-16T11:21:20.368Z",
            "type" => "iptables",
            "host" => "logstash01.srsp.dpf.gov.br",
       "timestamp" => "Mar  8 03:34:15",
     "source_host" => "fw01",
           "chain" => "block-INPUT",
    "in_interface" => "wan0",
         "dst_mac" => "00:00:00:00:00:e3",
         "src_mac" => "10:f3:00:00:00:81",
         "ethtype" => "08:00",
          "src_ip" => "11.11.11.11",
          "dst_ip" => "22.22.22.22",
             "ttl" => "119",
        "protocol" => "TCP",
        "src_port" => "0000",
        "dst_port" => "0000",
            "tags" => [
        [0] "_dateparsefailure"
    ]
}

Thanks!

wiibaa · March 16, 2016, 12:20pm

Are your sure about this parameter, as your date seems to be english, you should prefer the locale => "en" config no?

Willie_Cadete · March 16, 2016, 12:33pm

I'd forgotten that, thank you! =D

Topic		Replies	Views
Failed parsing date from field - how to troubleshoot Logstash	2	1011	July 6, 2017
Syslog filter issue with timestamp Logstash	13	1844	January 3, 2022
Parsing date format error Logstash	3	761	October 24, 2018
Logstash - Syslog Timestamp Logstash	2	131	March 19, 2024
Timestamp parsing issue Logstash	2	324	July 6, 2017

Failed parsing date, linux syslog

Related Topics