Hello, I'm still struggling with the syslog parsing issue.
So, my config file looks like this:
input {
  udp {
    port => 5514
    type => syslog
  }
  tcp {
    port => 5514
    type => syslog
  }
}
filter {
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => ["message", "%{SYSLOG5424LINE}"]
    overwrite => [ "message" ]
    tag_on_failure => [ "failure_grok_fortigate" ]
  }
  kv { }
  if [msg] {
    mutate {
      replace => [ "message", "%{msg}" ]
    }
  }
  mutate {
    add_field => ["logTimestamp", "%{date} %{time}"]
    add_field => ["loglevel", "%{level}"]
    replace => [ "fortigate_type", "%{type}"]
    replace => [ "fortigate_subtype", "%{subtype}"]
    remove_field => [ "msg", "type", "level", "date", "time" ]
  }
  date {
    locale => "en"
    match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
    remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
    add_field => ["type", "syslog"]
  }
}
Then, when debugging, this field is having problems:
"<189>date" => "2019-02-08",
"logTimestamp" => "%{date} 19:00:34",
"message" => "<189>date=2019-02-08 time=19:00:35
So the parsing of the date doesn't go well...
This is an example of a raw log line:
date=2019-02-08 time=18:35:20 logid=0000000011 type=traffic subtype=forward level=warning vd=root srcip=3.4.1.1 srcport=45679 srcintf="internal3" dstip=8.8.8.8 dstport=53 dstintf="wan1" poluuid=45245042-ccf9-51e6-28f5-f8fa6131fcdf sessionid=32098621 proto=17 action=dns policyid=1 appcat="unscanned" crscore=5 craction=262144 crlevel=low
Anyone?
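Added example, not from the original post or from Logstash: a small Python model of what the kv filter sees. The debug output shows a key named "<189>date" because the grok stage fails (FortiGate does not emit RFC 5424 framing), so the "<PRI>" syslog prefix is never removed before key=value splitting, and "%{date}" is then left unresolved in logTimestamp. The sample line below is constructed from the raw line in the post with a "<189>" prefix added; the function and field names are this example's own.

```python
import re
import shlex
from datetime import datetime

# Constructed sample: the raw FortiGate line from the post, with the
# <PRI> prefix that arrives over syslog (189 = facility 23 * 8 + severity 5).
SAMPLE = ('<189>date=2019-02-08 time=18:35:20 logid=0000000011 type=traffic '
          'subtype=forward level=warning vd=root srcip=3.4.1.1 srcport=45679 '
          'srcintf="internal3" dstip=8.8.8.8 dstport=53 dstintf="wan1" '
          'proto=17 action=dns policyid=1 appcat="unscanned" crlevel=low')

PRI_RE = re.compile(r'^<(\d{1,3})>\s*')


def split_pri(line):
    """Return (pri, rest). Without this step the first key keeps the prefix."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    return int(m.group(1)), line[m.end():]


def decode_pri(pri):
    """RFC 3164 PRI: facility in the high bits, severity in the low three."""
    return pri // 8, pri % 8


def kv_parse(text):
    """Mimic the Logstash kv filter: whitespace-separated key=value pairs,
    double-quoted values kept intact and unquoted (shlex does both)."""
    fields = {}
    for tok in shlex.split(text):
        if '=' in tok:
            key, value = tok.split('=', 1)
            fields[key] = value
    return fields


def parse_fortigate(line):
    """Strip the PRI first, then kv-parse, then build the timestamp the way
    the post's mutate + date filters do ("%{date} %{time}", YYYY-MM-dd HH:mm:ss)."""
    pri, body = split_pri(line)
    event = kv_parse(body)
    if pri is not None:
        event['syslog_facility'], event['syslog_severity'] = decode_pri(pri)
    if 'date' in event and 'time' in event:
        event['@timestamp'] = datetime.strptime(
            f"{event['date']} {event['time']}", '%Y-%m-%d %H:%M:%S')
    return event
```

Calling kv_parse(SAMPLE) directly reproduces the "<189>date" key from the debug output; parse_fortigate(SAMPLE) yields a clean "date" field and a resolvable timestamp.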