Hello,
I am logstash newbie. Would be nice if anyone can help I tried it many times, still no luck. I used grok debuger http://grokconstructor.appspot.com/ and log is matched without issues. With following settings I am still getting _grokparsefailure as tag.
Log:
"<190>date=2017-01-16 time=15:38:09 devname=FortiGate-VM64 devid=FGVMEV0000000000 logid=0100032003 type=event subtype=system level=information vd="root" logdesc="Admin logout successful" sn=1484577398 user="admin" ui=http(10.0.0.32) action=logout status=success duration=91 reason=exit msg="Administrator admin logged out from http(10.0.0.32)""
I have added simple custom grok patterns:
FORTIDATE date=%{YEAR}-%{MONTHNUM}-%{MONTHDAY}
FORTIHEADER <%{NUMBER:syslog_index}>%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:deviceid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}
logstash conf:
input {
udp {
port => 5000
type => syslog
}
}
filter {
grok {
break_on_match => true
patterns_dir => ["/usr/share/logstash/bin/patterns"]
match => [
"message", "%{FORTIHEADER}"
]
add_tag => ["fortigate"]
}
}
output {
stdout {
codec => rubydebug
}
}
Thank you!
Jiri