Grok parsing syslog error

DanielE · August 2, 2018, 11:00am

Hey there,
i am trying to gather my syslog infos parse them trough a grok filter. But i am getting _grokparsefailure_sysloginput and _grokparsefailure. I am using the following configs:

input

input {
  syslog {
      port => 5000
      syslog_field => "syslog"
      grok_pattern => "<%{POSINT:syslog_pri}> %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host} %{POSINT:syslog_pid} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}"
      tags => "syslog"
      add_field => {
          "origin" => "syslog"
      }
  }
}

filter

filter {
  if [origin] == "syslog" {
      grok {
            match => { "message" => "<%{POSINT:syslog_pri}> %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host} %{POSINT:syslog_pid} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}" }
            add_field => [ "received_at", "%{@timestamp}" ]
            add_field => [ "received_from", "%{host}" ]
      }
      mutate {
         add_field => {
            retention => "medium"
         }
      }
  }
}

A Syslog message looks something like this:

<14> Jan 2 01:01:05 10.121.116.8 00828 lldp: PVID mismatch on port 1(VID 100)with peer device port 37(VID 2)(2887)

magnusbaeck · August 2, 2018, 11:31am

Surely you don't need both the syslog input and a grok filter? I can't immediately spot any problems with the grok expression in the syslog input. Start simple with ^<%{POSINT:syslog_pri}>and verify that that works, then continue to add more and more to the expression until things break.

DanielE · August 2, 2018, 11:45am

i removed the grok pattern in the filter conf. Now i only have a small grok in the input conf

input {
  syslog {
      port => 5000
      syslog_field => "syslog"
      grok_pattern => "<%{POSINT:syslog_pri}>"
      tags => "syslog"
      add_field => {
          "origin" => "syslog"
      }
  }
}

Now i´m only getting _grokparsefailure_sysloginput but still no syslog_pri in my log.

DanielE · August 2, 2018, 1:48pm

It now works. I removed the grok_pattern and used a grok in the filter config. But i am still getting the _grokparsefailure_sysloginput. I will probably remove it in the filter. For documentation reasons my running input and filter.

input {
  syslog {
      port => 5000
      syslog_field => "syslog"
      tags => "syslog"
      add_field => {
          "origin" => "syslog"
      }
  }
}

filter {
  if [origin] == "syslog" {
      grok {
        match => { "message" => "<%{POSINT:syslog_pri}> %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host} %{NUMBER:syslog_pid} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}"}
      }
      mutate {
         add_field => {
            retention => "medium"
         }
         remove_tag => ["_grokparsefailure_sysloginput"]
      }
  }
}

system · August 30, 2018, 1:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.