Failed parsing date, linux syslog

Willie_Cadete · March 16, 2016, 11:32am

Hello, Everyone

I'm having problems to parse field timestamp, it shoud be something simple but I'm not getting to see!
I'm already here trying resolve this all day

log example:

Mar 8 03:34:15 fw01 block-INPUT IN=wan0 OUT= MAC=00:00:00:00:00:e3:10:f3:00:00:00:81:08:00 SRC=11.11.11.11 DST=22.22.22.22 LEN=48 TOS=00 PREC=0x00 TTL=119 ID=17927 DF PROTO=TCP SPT=0000 DPT=0000 SEQ=1837860932 ACK=0 WINDOW=8192 SYN URGP=0 MARK=1

config logstash:

input {
    stdin {type => "iptables"}
}

filter {
        if [type] == "iptables" {
        grok {
                        patterns_dir => "/opt/logstash/patterns"
                        match => { "message" => "%{IPTABLES}" }
            }

        date {
                        locale => "pt-BR"
                        match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
                        timezone => "America/Sao_Paulo"
            }
        }
    }

output {

    stdout {
            codec => "rubydebug"
        }
}

patterns:

NETFILTERMAC %{COMMONMAC:dst_mac}:%{COMMONMAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
IPTABLES %{SYSLOGTIMESTAMP:timestamp}\s+%{HOSTNAME:source_host}\s+(?<chain>[A-Za-z0-9_-]+)?.*IN=%{WORD:in_interface}?.*OUT=(%{WORD:out_interface})?.*MAC=%{NETFILTERMAC}?.*SRC=%{IP:src_ip}?.*DST=%{IP:dst_ip}?.*TTL=%{INT:ttl}?.*PROTO=%{WORD:protocol}?.*SPT=%{INT:src_port}?.*DPT=%{INT:dst_port}

Output:

Failed parsing date from field {:field=>"timestamp", :value=>"Mar  8 03:34:15", :exception=>"Invalid format: \"Mar  8 03:34:15\"", :config_parsers=>"MMM  d HH:mm:ss,MMM dd HH:mm:ss", :config_locale=>"pt-BR", :level=>:warn}
{
         "message" => "Mar  8 03:34:15 fw01 block-INPUT IN=wan0 OUT= MAC=00:00:00:00:00:e3:10:f3:00:00:00:81:08:00 SRC=11.11.11.11 DST=22.22.22.22 LEN=48 TOS=00 PREC=0x00 TTL=119 ID=17927 DF PROTO=TCP SPT=0000 DPT=0000 SEQ=1837860932 ACK=0 WINDOW=8192 SYN URGP=0 MARK=1",
        "@version" => "1",
      "@timestamp" => "2016-03-16T11:21:20.368Z",
            "type" => "iptables",
            "host" => "logstash01.srsp.dpf.gov.br",
       "timestamp" => "Mar  8 03:34:15",
     "source_host" => "fw01",
           "chain" => "block-INPUT",
    "in_interface" => "wan0",
         "dst_mac" => "00:00:00:00:00:e3",
         "src_mac" => "10:f3:00:00:00:81",
         "ethtype" => "08:00",
          "src_ip" => "11.11.11.11",
          "dst_ip" => "22.22.22.22",
             "ttl" => "119",
        "protocol" => "TCP",
        "src_port" => "0000",
        "dst_port" => "0000",
            "tags" => [
        [0] "_dateparsefailure"
    ]
}

Thanks!

wiibaa · March 16, 2016, 12:20pm

Are your sure about this parameter, as your date seems to be english, you should prefer the locale => "en" config no?

Willie_Cadete · March 16, 2016, 12:33pm

I'd forgotten that, thank you! =D

Topic		Replies	Views
Failed parsing date from field - how to troubleshoot Logstash	2	1012	July 6, 2017
Syslog filter issue with timestamp Logstash	13	1853	January 3, 2022
Parsing date format error Logstash	3	761	October 24, 2018
Completly lost with how to parse date Logstash	2	286	August 5, 2019
Parsing a crappy date format Logstash	11	4343	July 6, 2017

Failed parsing date, linux syslog

Related topics