Hello everyone,
I'm trying to parse my FortiGate firewall logs with grok. Please help.
I'm getting this failure message "_grokparsefailure_sysloginput" (in the Kibana GUI), but the Grok Debugger works fine.
I'm using Logstash 1.5.0-rc3
java version "1.7.0_65"
Any help will be appreciated.
filter {
  if [type] == "syslog" {
    grok {
      match => [
        'message', ".date=(?:%{YEAR:fw_year})-(?:%{MONTHNUM:fw_month})-(?:%{MONTHDAY:fw_day}).(?:%{NOTSPACE}).devname(?:%{NOTSPACE:fw_name}).devid=(?:%{NOTSPACE:serialid}).(?:%{NOTSPACE}).type=(?:%{NOTSPACE:utm}).subtype=(?:%{NOTSPACE:IPS}).eventtype=(?:%{NOTSPACE:signature}).level=(?:%{NOTSPACE:ips-alert}).(?:%{NOTSPACE}).severity=(?:%{NOTSPACE:severity}).srcip=(?:%{NOTSPACE:srcip}).dstip=(?:%{NOTSPACE:dstip}).(?:%{NOTSPACE}).(?:%{NOTSPACE}).(?:%{NOTSPACE}).(?:%{NOTSPACE}).(?:%{NOTSPACE}).status=(?:%{NOTSPACE:status}).proto=(?:%{NOTSPACE:protocol}).service=(?:%{NOTSPACE:service}).(?:%{NOTSPACE}).attackname(?:%{NOTSPACE:attack}).(?:%{NOTSPACE}).dstport=(?:%{NOTSPACE:dstport}).attackid=(?:%{NOTSPACE:attackid}).sensor=(?:%{NOTSPACE:sensor}).ref=(?:%{NOTSPACE:reffrenceurl})*.(?:%{GREEDYDATA})"
      ]
    }
  }   # closes the if [type] == "syslog" block
}     # closes filter
You can't prevent the initial addition of the _grokparsefailure_sysloginput tag (but you can remove it afterwards). As I said, your grok and kv filters should be working, and if they really don't I suggest you scale down your configuration to a minimal example that we can use for debugging. For example, drop the inputs and outputs and replace them with this:
Then feed the string you think you're getting from syslog to Logstash. The results of that should make it easier to figure out what's going on and decide on a next step.
If the plugin wasn't installed you'd have bigger problems.
I repeat: You can't prevent the initial addition of the _grokparsefailure_sysloginput tag. Focus on the real problem instead. I have described the steps I think you should take to debug why your grok and kv filters aren't working.
Hi Magnus Bäck,
After a week of debugging I think I have a lead on the root cause of the grok failure.
When I use the file input, grok parses the "message" with no failure and I can see all fields correctly.
This input works perfectly!!
input {
  file {
    type => "fortigate"
    path => [ "/var/log/*.log" ]
  }
}
But when I use the Logstash syslog input
I get a grok failure.
The message appears in Kibana with an ASCII prefix like this:
<157>date=2015-05-19 time=10:04:32 devname=USFLFW01-MASTER
I have reason to believe the syslog message is being distorted somehow.
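The `<157>` in front of the record is the standard syslog PRI header (facility and severity packed into one number), not corruption. A pattern anchored at `date=` matches a line read from a file but not the same line arriving over syslog, unless the PRI is consumed first. The following Python script, added here as an illustration and not code from the thread or from Logstash, shows both halves: stripping and decoding the PRI header, then parsing the FortiGate key=value body (including quoted values that contain spaces). The log lines are constructed for the example; the device id and attack name are placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample records (not taken from any real device).
# FILE_LINE is the record as it appears in a log file; SYSLOG_LINE is the same
# record with the <PRI> header that the syslog input leaves on the message.
FILE_LINE = (
    'date=2015-05-19 time=10:04:32 devname=USFLFW01-MASTER '
    'devid=FGT-DEVID-PLACEHOLDER type=utm subtype=ips level=alert '
    'severity=high srcip=192.0.2.10 dstip=198.51.100.20 status=detected '
    'proto=6 service=HTTP attackname="Constructed Signature Name" dstport=80'
)
SYSLOG_LINE = "<157>" + FILE_LINE

# RFC 3164 PRI header: "<" + decimal number + ">" at the very start of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; a value is either a double-quoted string (may contain
# spaces) or a run of non-space characters.
KV_RE = re.compile(r'(\w[\w\-]*)=("([^"]*)"|(\S+))')
# A pattern anchored at the start of the message, like a grok pattern that
# expects the record to begin with date=YYYY-MM-DD.
STRICT_DATE_RE = re.compile(
    r"^date=(?P<fw_year>\d{4})-(?P<fw_month>\d{2})-(?P<fw_day>\d{2})"
)


def split_pri(line: str) -> Tuple[Optional[int], str]:
    """Return (pri, remainder). pri is None when no valid header is present."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    pri = int(m.group(1))
    if pri > 191:  # RFC 3164 limits PRI to 0..191 (23 facilities * 8 severities)
        return None, line
    return pri, line[m.end():]


def decode_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity."""
    return pri // 8, pri % 8


def parse_kv(body: str) -> Dict[str, str]:
    """Parse FortiGate-style key=value pairs, honouring double-quoted values."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(body):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def strict_date_match(message: str) -> bool:
    """True if the message begins with date=..., as an anchored grok would require."""
    return STRICT_DATE_RE.match(message) is not None


def parse_fortigate(line: str) -> Dict[str, object]:
    """Strip the syslog header (if any), then parse the key=value body."""
    pri, body = split_pri(line)
    record: Dict[str, object] = dict(parse_kv(body))
    record["syslog_pri"] = pri
    if pri is not None:
        facility, severity = decode_pri(pri)
        record["syslog_facility"] = facility
        record["syslog_severity"] = severity
    return record


if __name__ == "__main__":
    for line in (FILE_LINE, SYSLOG_LINE):
        print("anchored date= match on raw line:", strict_date_match(line))
        print(parse_fortigate(line))
```

The anchored check fails on `SYSLOG_LINE` and succeeds on the remainder returned by `split_pri`, which is the same situation as a grok pattern that works on file input and fails on syslog input; `parse_fortigate` keeps the decoded facility and severity (157 is facility 19, severity 5) as fields instead of discarding them.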