Form the syslog_pri field

anushka1203 · March 28, 2022, 8:44am

I have the following syslog messages -

Oct 18 16:11:54 1aen ai_controller[419]: [16:11:54.479933] ERROR     [ntp_client.cpp:113 fetch_time()] Can't get NTP response
Oct 18 16:11:55 1aen ntpd[442]: bind(21) AF_INET6 fe80::868b:cdff:fe20:32a%2#123 flags 0x11 failed: Cannot assign requested address
Oct 18 16:11:55 1aen ntpd[442]: unable to create socket on eth0 (5) for fe80::868b:cdff:fe20:32a%2#123

The grok pattern constructed for this is
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}

However, I need the syslog_pri field to be able to obtain the severity. How can i do the same? Help would be appreciated

Thank you

Badger · March 28, 2022, 2:41pm

You cannot do so. The messages do not contain the priority.

anushka1203 · March 29, 2022, 3:25am

Thank you so much for confirming.

Topic		Replies	Views
All syslogs have same severity Logstash	4	549	September 20, 2019
Syslog pri not working as expected Logstash	1	409	August 24, 2018
Parsing syslog entries Logstash	6	9621	July 6, 2017
Syslog severity and facility not set when upgrading version Logstash	4	386	November 27, 2023
Grok pattern for this syslog message for Logstash? Logstash	9	5823	November 2, 2021

Form the syslog_pri field

Related topics