Filter Logstash syslog

yayitaing · December 5, 2017, 10:08pm

I have the following message that is displayed in the kibana brought by filebeat from a linux syslog:

However, I need each field of the message to be shown in the kibana as an independent field to be able to perform metrics, for example the user field:

The configuration of my filter in logstash is the following:

Badger · December 5, 2017, 11:44pm

SYSLOGLINE names the parsed message field "message". That field name is the source message, so you end up with an array. This should get you started:

filter {
  grok {
    match => { "message" => "%{SYSLOGLINE}" }
  }
  if [message][1] { kv { source => "[message][1]" } }
}

magnusbaeck · December 6, 2017, 6:30am

With overwrite => ["message"] in the grok filter the message field won't become an array.

system · January 3, 2018, 6:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[SOLVED] Syslog filter additional filtering Logstash	6	2447	December 8, 2016
Filtered Log messages show up as empty fields in Kibana Logstash	2	338	October 29, 2022
Filtered Log messages show up as empty fields in Kibana Logstash	8	594	October 27, 2022
Logstash filter for firewall packet drops Logstash	3	584	January 5, 2021
Grok filter confusion - Am I missing something? Logstash	9	4080	July 6, 2017

Filter Logstash syslog

Related Topics