Grok parsing issue

I am a Logstash newbie. It would be nice if anyone could help; I have tried it many times, still no luck. I used the grok debugger and the log is matched without issues. With the following settings I am still getting _grokparsefailure as a tag.

"<190>date=2017-01-16 time=15:38:09 devname=FortiGate-VM64 devid=FGVMEV0000000000 logid=0100032003 type=event subtype=system level=information vd="root" logdesc="Admin logout successful" sn=1484577398 user="admin" ui=http( action=logout status=success duration=91 reason=exit msg="Administrator admin logged out from http(""

I have added simple custom grok patterns:
FORTIHEADER <%{NUMBER:syslog_index}>%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:deviceid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}

logstash conf:

input {
  udp {
    port => 5000
    type => syslog
  }
}

filter {
  grok {
    break_on_match => true
    # directory holding the custom pattern file with FORTIHEADER
    patterns_dir => ["/usr/share/logstash/bin/patterns"]
    match => [
      "message", "%{FORTIHEADER}"
    ]
    add_tag => ["fortigate"]
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Thank you!


Just use a kv filter to parse the key/value pairs. Use grok to separate <190> from the key/value pairs.
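As an added example, not the original poster's config and not something the replying user posted, here is a complete pipeline that does what the reply suggests: grok only peels the `<190>` priority off the front, the `syslog_pri` filter decodes it into facility/severity, and `kv` parses everything after it. The UDP port 5000 comes from the question; the field names `syslog_pri`, `fortigate_kv` and `fortigate_timestamp` are my own choices, and the `date` step assumes the `date=`/`time=` fields always look like the sample line (`2017-01-16` / `15:38:09`).

```logstash
input {
  udp {
    port => 5000
    type => "syslog"
  }
}

filter {
  # Only the priority needs grok; the rest of the line is left intact in
  # fortigate_kv (assumed field name) for the kv filter.
  grok {
    match => { "message" => "^<%{POSINT:syslog_pri}>%{GREEDYDATA:fortigate_kv}" }
    add_tag => ["fortigate"]
  }

  # Turn 190 into syslog_facility/syslog_severity (190 = local7, informational),
  # which is handy for alerting on level/severity later.
  syslog_pri {
    syslog_pri_field_name => "syslog_pri"
  }

  # Split on spaces and '='; kv keeps double-quoted values such as
  # logdesc="Admin logout successful" whole and strips the quotes.
  kv {
    source       => "fortigate_kv"
    field_split  => " "
    value_split  => "="
    remove_field => ["fortigate_kv"]
  }

  # Build @timestamp from the device's own date= and time= fields instead of
  # the time Logstash received the packet.
  if [date] and [time] {
    mutate {
      add_field => { "fortigate_timestamp" => "%{date} %{time}" }
    }
    date {
      match        => ["fortigate_timestamp", "yyyy-MM-dd HH:mm:ss"]
      remove_field => ["fortigate_timestamp"]
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }
}
```

With the sample line from the question this yields top-level fields such as `devname`, `logid`, `user` (`admin`) and `logdesc` (`Admin logout successful`, quotes removed), plus `syslog_facility`/`syslog_severity` from the priority. One caveat: `kv` splits on every space outside quotes, so a value the device emits unquoted and containing a space would be cut in two; in the sample the only multi-word values (`logdesc`, `msg`) are quoted, so they survive intact.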
