Hi there,
I'm currently looking into Logstash, which receives our logs from the syslog server, which in turn receives logs from our Windows hosts (logged with NXLog, parsed as JSON).
Currently I'm having an issue with the default syslog parser, due to the program/process ID being 0 (not a positive integer). Looking into the RFC, it doesn't say anything about it having to be a positive integer.
So my question is: should I just make a workaround with a filter (if yes, what is the best way?), or is this a subject for posting a GitHub request to change the default grok pattern?
Below is information about the setup (new to this forum, so I don't know if it gets formatted correctly).
Sample event:
Aug 23 01:20:00 X.X.X.X PowerShell[0]: {"EventTime":"2019-08-23 01:20:00","Hostname"XXXX",....lots of data....}
Config sample:
input {
  syslog {
    port => 1514
    type => "syslog"
  }
}
output {
  stdout {
    codec => rubydebug { metadata => true }
  }
}
Original grok:
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
Suggested grok:
SYSLOGPROG %{PROG:program}(?:\[%{NONNEGINT:pid}\])?
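To make the difference between the two patterns concrete, here is an added example (my own code, not from the original post or from Logstash) that expands the grok references by hand with Python's re module and runs both SYSLOGPROG variants over a constructed program field with PID 0. The PROG, POSINT and NONNEGINT definitions are copied from the logstash-patterns-core grok-patterns file; the one-level expander and the sample string are assumptions of this example.

```python
import re

# Base grok patterns as defined in logstash-patterns-core (grok-patterns),
# reproduced here so the example runs offline.
GROK_PATTERNS = {
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",     # printable ASCII except '[' and ']'
    "POSINT": r"\b(?:[1-9][0-9]*)\b",         # 1, 2, ... : never matches a lone 0
    "NONNEGINT": r"\b(?:[0-9]+)\b",           # 0, 1, 2, ...
}

# The original and the suggested SYSLOGPROG from the post above.
SYSLOGPROG_ORIGINAL = r"%{PROG:program}(?:\[%{POSINT:pid}\])?"
SYSLOGPROG_SUGGESTED = r"%{PROG:program}(?:\[%{NONNEGINT:pid}\])?"

# Constructed sample: the program field of the event in the post, PID 0,
# followed by the ':' that the rest of the syslog line pattern expects next.
SAMPLE_PID_ZERO = "PowerShell[0]:"
SAMPLE_PID_POSITIVE = "PowerShell[4712]:"

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} references into Python named groups.

    One level of expansion is enough here because PROG, POSINT and
    NONNEGINT contain no nested references (assumption of this example).
    """
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(repl, pattern)


def parse_prog(pattern: str, text: str) -> dict:
    """Match the expanded pattern at the start of text, as the larger
    syslog line pattern would consume this field.

    Returns the captured fields plus 'rest', the unconsumed remainder.
    With the original pattern and PID 0 the optional [pid] group fails
    silently, so '[0]' is left over and the following ':' cannot line up.
    """
    regex = re.compile(grok_to_regex(pattern))
    m = regex.match(text)
    if not m:
        return {"matched": False}
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["matched"] = True
    fields["rest"] = text[m.end():]
    return fields


if __name__ == "__main__":
    for label, pat in (("original", SYSLOGPROG_ORIGINAL),
                       ("suggested", SYSLOGPROG_SUGGESTED)):
        print(label, parse_prog(pat, SAMPLE_PID_ZERO))
        print(label, parse_prog(pat, SAMPLE_PID_POSITIVE))
```

Running it shows the original pattern captures program=PowerShell but no pid and leaves "[0]:" unconsumed, while the suggested pattern captures pid=0 and leaves only ":"; for a positive PID both patterns behave identically, so the change only widens what is accepted.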