Filter syslog messages via priority

Currently I have logstash as a centralized syslog server.
I want to send to Elasticsearch only syslog messages with priority warn and above.
So, I create the following configuration file:

input {
  tcp {
    port => 5514
    type => syslog
  udp {
    port => 5514
    type => syslog

# Apply some filters
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
## Send the message to Elasticsearch
output {
  if [syslog_severity_code]<5 {
    elasticsearch {
      hosts => ['http://localhost:9200']
      index => "syslog-%{+YYYY.MM.dd}"
      document_type => "system_logs"

However, all I get is this error message in the logs:

[2020-02-13T12:18:17,156][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-02-13T12:18:17,859][ERROR][org.logstash.execution.WorkerLoop][main] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash.
java.lang.NullPointerException: null

Removing the if... everything works as expected.
Is there anything wrong with this condition?
If so, how can I send to ES only the messages with severity higher than warn?

Thank you,

Where does [syslog_severity_code] get set?

This is a very good question, honestly.
I just used this index/field or whatever, from the logstash output, like for example here:

The documentation is not correct. [syslog_severity_code] would not get set unless the syslog_pri filter is called.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.