Form the syslog_pri field

anushka1203 · March 28, 2022, 8:44am

I have the following syslog messages -

Oct 18 16:11:54 1aen ai_controller[419]: [16:11:54.479933] ERROR     [ntp_client.cpp:113 fetch_time()] Can't get NTP response
Oct 18 16:11:55 1aen ntpd[442]: bind(21) AF_INET6 fe80::868b:cdff:fe20:32a%2#123 flags 0x11 failed: Cannot assign requested address
Oct 18 16:11:55 1aen ntpd[442]: unable to create socket on eth0 (5) for fe80::868b:cdff:fe20:32a%2#123

The grok pattern constructed for this is
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}

However, I need the syslog_pri field to be able to obtain the severity. How can i do the same? Help would be appreciated

Thank you

Badger · March 28, 2022, 2:41pm

You cannot do so. The messages do not contain the priority.

anushka1203 · March 29, 2022, 3:25am

Thank you so much for confirming.

system · April 26, 2022, 3:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Syslog pri not working as expected Logstash	1	392	August 24, 2018
All syslogs have same severity Logstash	4	531	September 20, 2019
Parsing syslog entries Logstash	6	9587	July 6, 2017
Severity_label not available with tcp input Logstash	5	2603	July 6, 2017
Logstash, syslog severity, etc Logstash	2	2130	July 6, 2017

Form the syslog_pri field

Related topics