There is more information after inzone, but I am trying to figure out the issue so right now I am just trying to match the Date IP of the host then GreedyData for the rest.
I had thought that removing greedydata might help but it does not.
Have a very welcome at the Elastic community.
Thank you for your post.
At first I had a short look on your message format.
What is weird on this message for me, is the timestamp. Would you mind to describe the source of this message?
In the defined rfc definitions especially this string especially is not possible --5:00 https://www.ietf.org/rfc/rfc3164.txt rfc3164 bsd syslog protocol 4.1.2 https://www.ietf.org/rfc/rfc5424.txt rfc5424 syslog protocol 6.2.3.1. examples https://www.ietf.org/rfc/rfc3339.txt rfc3339 internet timestamps
If you have a look to the examples there, there is always without a timezone information or if timezone, then like this +00:00 or -00:00 and without space after the seconds.
Ok if you have this grok active what happens in your logstash log? Would you mind posting the logfile and the logstash configuration file. Because I had a short test and apart, that I would change some things on the grok itself which we could discuss later on, the logstash configuration started very normally. What logstash version you are using?
I am using 7.1.1.
I just tried your exact parser, which makes sense to me, and it it tests fine in grok debugger.
But its now tossing everything into my failed_syslog_events file.
Even stuff that is working in the debugger.
It seems to be something with the date.
This does not work;
<%{NUMBER}>%{SYSLOGTIMESTAMP:syslog_timestamp}\S+ %{IP:syslog_hostname} %{GREEDYDATA:test}
Nor this;
<%{NUMBER}>%{SYSLOGTIMESTAMP:syslog_timestamp}\S+ %{GREEDYDATA:test}
Or this;
<%{NUMBER}>%{SYSLOGTIMESTAMP:syslog_timestamp}%{GREEDYDATA:test}
But this does
<%{NUMBER}>%{GREEDYDATA:test}
I would suggest running with '--log.level debug --config.debug --config.test_and_exit' to make sure you really do just have the one grok filter that you think you have, and you are not picking up another version from a some.conf.bak file in the path.config directory.
Yes, they go to this file /var/log/failed_syslog_events.
I have seen this \S+ but this is what I wanted to write about after knowing what it.
With the date filter you transport these dates into your timestampe and at the moment you are assuming, that this timestamp is UTC time. But without the timezone information, this is - at least what I assume - just a wrong information. Would be good, if you have a look into file /var/log/failed_syslog_events, and look to the timestamps, if they really match your time, or if this time zone information is needed. Apart from that, yes, this line you posted is rendering.
Because these syslogs are not normated like a normal syslog format should be.
There are as well forum entries regarding Checkpoint Firewalls. Could you please check, what format you have configured in your Checkpoint firewall?
Apart from the fact, that you can do the config.test_and_exit and if this is delivering OK, you could still disable the inputs with beat and output with elasticsearch and replace them by stdin {} and stdout{}.
Then start logstash by hand with -e parameter. This enables you to just pasting your logline to the logstash wating for input and pressing enter when logstash started?
What is the output you get back?
Otherwise, it still would make sense to use a configuration with a bit more debugging information if needed I could send one.
And like Badger told about already, be secure, that depending on your version, there are no additional configuration files. If you are not sure, please post a ls -lR /etc/logstash.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
