Grok patterns for syslog configuration in logstash

elbesraoui_imane · May 24, 2017, 9:52am

Hi,I recentely started working with the ELK stack but I have a problem for
my syslog logstash configuration. Can you give me hand pleaase ? I don't know what's the problem I'm having in my config file, but when i do the /bin/logstash -f it gives me this :
Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword"}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}

pts0 · May 24, 2017, 11:21am

Hi,
could you please post your config ?
What u post here

 Attempting to install template 
{:manage_template=>
      {"template"=>"logstash-",
        "version"=>50001,
        "settings"=>
              {"index.refresh_interval"=>"5s"},
                "mappings"=>
                          {"default"=>
                                   {"all"=>
                                          {"enabled"=>true, 
                                            "norms"=>false},
                                     "dynamictemplates"=>
                                           [{"message_field"=>
                                   ....

Is just an info message that tell you the default template is installed. I don't this is something wrong with that.

Did you get any document into the elasticsearch node ?

cheers

pts0

elbesraoui_imane · May 24, 2017, 11:59am

Hi Kim,
this is my config :

 input {
    file {
    path => "/data/log/testlogstash/messages"
    type => "syslog"
    start_position => "beginning"
    }

    }

    filter {
    if [type] == "syslog" {
    grok {
    patterns_dir => "/etc/logstash/conf.d/patterns/"
    match => ["message",  "(%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_process}\[%{NUMBER:syslog_uid}\]:(?=%{GREEDYDATA:syslog_message})|(%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} \|%{NUMBER:syslog_epoch:int}\|%{IP:syslog_ip}\|%{GREEDYDATA:syslog_path}\|%{GREEDYDATA:syslog_title}\|%{GREEDYDATA:syslog_referrer}\|%{NUMBER:syslog_uid}\|%{GREEDYDATA:syslog_sid}\|%{NUMBER:syslog_timer:int}\|%{GREEDYDATA:syslog_cache}\|%{GREEDYDATA:syslog_user_agent}\|%{NUMBER:syslog_peak_memory:int}))"]

    }
    if "_grokparsefailure" in [tags] {
                            drop { }
                    }
      

     }

    }

    output {
     elasticsearch { hosts => ["localhost:9200"]
     index => "syslogindex-%{+YYYY.MM.dd}"
    sniffing => false
     manage_template => false
    }
     stdout { codec => rubydebug }
    }

magnusbaeck · May 28, 2017, 6:56pm

There is nothing wrong with your configuration. The message is an informational message that you'll get every time Logstash starts up if you have an elasticsearch output. Move on.

system · June 25, 2017, 6:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.