Grok pattern for SYSLOGPROG

Hi there,

I'm currently looking into Logstash, which receives our logs from the syslog server, which in turn receives logs from our Windows hosts (logged with NXLog, parsed as JSON).

Currently I'm having an issue with the default syslog parser, because the program/process ID is 0 (not a positive integer). Looking into the RFC, it doesn't say anything about positive integers being a must.

So my question is: should I just make a workaround with a filter (if yes, what is the best way?), or is this something to post a GitHub request about, for changing the default grok pattern?

Below is information about the setup (new to this forum, so I don't know if it gets formatted correctly).

Sample event:

Aug 23 01:20:00 X.X.X.X PowerShell[0]: {"EventTime":"2019-08-23 01:20:00","Hostname"XXXX",....lots of data....}

Config sample:

input {
	syslog {
		port => 1514
		type => "syslog"
	}
}

output {
	stdout { codec => rubydebug { metadata => true } }
}

Original grok:
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?

Suggested grok:
SYSLOGPROG %{PROG:program}(?:\[%{NONNEGINT:pid}\])?

I suggest using the grok_pattern option on the syslog filter to replace the default "<%{POSINT:priority}>%{SYSLOGLINE}" with a version that includes your modified SYSLOGPROG.

Thank you for the answer, Badger... That is also an option. The reason for writing this is that when you're using type => syslog in the input, it automatically tests multiple formats, as I've read in the documentation.

Based on your reply I've solved this with the grok_pattern and reversed the syslog2 pattern to the following:

grok_pattern => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{PROG:program}(?:\[%{NONNEGINT:pid}\])?:|) %{GREEDYDATA:message}"

That's what you meant, right?

Yes, it is.
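To make the difference between the two SYSLOGPROG variants concrete, here is an added Python example (not code from this thread or from the Logstash project) that expands grok references into plain regexes and runs the default and the NONNEGINT versions, plus the full grok_pattern shape from the thread, over a constructed syslog line modelled on the sample event. The pattern definitions are a subset of the logstash-patterns-core definitions; MONTH and SYSLOGHOST are simplified (hostnames only, no IP alternatives), which is an assumption of this example, and the sample line is constructed, not real log data.

```python
import re

# Subset of the grok definitions needed here. MONTH and SYSLOGHOST are
# simplified (assumption: English month abbreviations, hostnames only).
GROK = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",          # the default SYSLOGPROG uses this
    "NONNEGINT": r"\b(?:[0-9]+)\b",            # the proposed replacement
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",      # printable ASCII minus '[' and ']'
    "GREEDYDATA": r".*",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                         r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "SYSLOGHOST": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                  r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "SYSLOGFACILITY": r"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Recursively expand %{NAME} / %{NAME:field} into a plain Python regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(repl, pattern)


def grok_match(pattern: str, text: str):
    """Return captured fields (None for skipped optional groups), or None on no match."""
    m = re.fullmatch(grok_to_regex(pattern), text)
    return m.groupdict() if m else None


# The two SYSLOGPROG variants discussed in the thread.
SYSLOGPROG_DEFAULT = r"%{PROG:program}(?:\[%{POSINT:pid}\])?"
SYSLOGPROG_FIXED = r"%{PROG:program}(?:\[%{NONNEGINT:pid}\])?"


def syslog_line_pattern(syslogprog: str) -> str:
    """Same shape as the thread's grok_pattern, parameterised on the SYSLOGPROG variant."""
    return (r"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) "
            r"(?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: " + syslogprog +
            r":|) %{GREEDYDATA:message}")


# Constructed sample line (hostname and JSON body are placeholders).
SAMPLE = ('Aug 23 01:20:00 X.X.X.X PowerShell[0]: '
          '{"EventTime":"2019-08-23 01:20:00","Hostname":"XXXX"}')


def parse_default(line: str = SAMPLE):
    """With POSINT the '[0]' suffix cannot match, so program/pid stay unset and
    'PowerShell[0]: ...' is swallowed into the message field."""
    return grok_match(syslog_line_pattern(SYSLOGPROG_DEFAULT), line)


def parse_fixed(line: str = SAMPLE):
    """With NONNEGINT the pid 0 is accepted and program/pid/message split cleanly."""
    return grok_match(syslog_line_pattern(SYSLOGPROG_FIXED), line)


if __name__ == "__main__":
    for label, result in (("default", parse_default()), ("nonnegint", parse_fixed())):
        print(label, {k: result[k] for k in ("program", "pid", "message")})
```

Running it shows why the thread's symptom is not a parse failure: the default pattern still matches the line, but only because the `(?: %{SYSLOGPROG}:|)` group falls back to its empty alternative, so `program` and `pid` are missing and the message field starts with `PowerShell[0]:`. Only the NONNEGINT variant yields `program=PowerShell`, `pid=0` and a message that is just the JSON body, which is what a downstream JSON filter needs.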

