I have this syslog message which is ALMOST like the standard RFC3164 so the default syslog plugin should pick it up:
<134>1 2021-10-05T08:48:18Z MYSERVER iLO5 - - - XML logout: SomeUser - 1.2.3.4(DNS name not found).
I was reading the RFC and (this is off-topic) I honestly do not understand how to break down the 134; I know it is a bit representation of it being an emergency, critical, etc., but I don't seem to understand it.
I'm using the date plugin because, for some odd reason, my iLO doesn't show local time; instead it shows UTC time, and I've been trying to translate it but nothing so far (that's another topic).
Now, it looks very difficult to do what you are proposing, starting with the input. Could you please explain? Thank you.
@timestamp: Oct 5, 2021 @ 16:28:18.011
@version: 1
DateILO: Oct 5, 2021 @ 16:28:17.000
HostName: HOSTNAME
LogMessage: iLO5 - - - XML logout: user - 1.2.3.4(DNS name not found).
_id: c83aUHwBCddptw5j8GpB
_index: syslog-hpeilologs-2021.10
_score: -
_type: _doc
facility: 0
facility_label: kernel
host: 1.2.3.4
message: <134>1 2021-10-05T14:28:17Z HOSTNAME iLO5 - - - XML logout: user - 1.2.3.4(DNS name not found).
priority: 0
severity: 0
severity_label: Emergency
syslog5424_pri: 134
syslog_facility: user-level
syslog_facility_code: 1
syslog_severity: notice
syslog_severity_code: 5
syslogversion: 1
tags: _grokparsefailure_sysloginput
type: syslog
That being said, I see a facility_label and a severity_label that are different from syslog_facility and syslog_severity. Why? How can I remove them? Or fix them?
Also I see "tags: _grokparsefailure_sysloginput", which is usually because something has failed. Any way to fix?
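To illustrate the two questions above (how the PRI value 134 decomposes, and why the message is not plain RFC 3164), here is an added example that is not part of the original post or of Logstash: the leading `<PRI>1 ` makes this an RFC 5424 line, so a 5424 header parser is used. PRI is `facility * 8 + severity`, so 134 decodes to facility 16 (local0) and severity 6 (informational). The sample message is constructed from the one quoted in the post.

```python
import re
from datetime import datetime

# RFC 5424 facility and severity names: facility = PRI // 8, severity = PRI % 8.
FACILITIES = ["kernel", "user-level", "mail", "daemon", "auth", "syslogd", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "log audit", "log alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)


def decode_pri(pri):
    """Split a PRI value into (facility_code, facility_label, severity_code, severity_label)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be in 0..191")
    facility, severity = divmod(pri, 8)
    return facility, FACILITIES[facility], severity, SEVERITIES[severity]


def parse_rfc5424(line):
    """Return the header fields of an RFC 5424 line as a dict, or None if it does not match
    (an RFC 3164 line such as '<134>Oct  5 08:48:18 host ...' has no version digit and fails)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["pri"] = pri
    fields["version"] = int(fields["version"])
    (fields["facility_code"], fields["facility_label"],
     fields["severity_code"], fields["severity_label"]) = decode_pri(pri)
    # The iLO stamps UTC ('Z'); keep it as an aware datetime so local conversion is explicit.
    fields["timestamp_utc"] = datetime.fromisoformat(fields["timestamp"].replace("Z", "+00:00"))
    return fields


# Constructed sample mirroring the message quoted in the post.
SAMPLE = "<134>1 2021-10-05T08:48:18Z MYSERVER iLO5 - - - XML logout: SomeUser - 1.2.3.4(DNS name not found)."

if __name__ == "__main__":
    for key, value in parse_rfc5424(SAMPLE).items():
        print(f"{key}: {value}")
```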