_grokparsefailure in Kibana tag (Synology messages)

hispeed · December 13, 2017, 7:09am

Hi,

I recieve a _grokparsefailure in Kibana tags but all the fields are splitted correct. How can I remove the grokparsefailure for those incomming messages?

   if [logsource] == "BackupStation" {
     mutate {
       add_tag => [ "SynologyBackupstation" ]
       }

      kv  {
               value_split => ":"
               field_split => ","
       }
  }

How could I track that failure down to the problem from where it is comming from?

magnusbaeck · December 13, 2017, 1:42pm

Show an example event that exhibits the problem. Copy/paste from Kibana's JSON tab.

hispeed · December 13, 2017, 3:12pm

Hi Magnus,

No problem:

{
  "_index": "logstash-2017.12.13",
  "_type": "syslog",
  "_id": "ArxpUGABKDf7kXJ8cWPV",
  "_version": 1,
  "_score": null,
  "_source": {
    "severity": 6,
    " User": "Marc XXXXX",
    "syslog_severity_code": 5,
    "syslog_facility": "user-level",
    " IP": "192.168.0.29\n",
    "syslog_facility_code": 1,
    " Size": "3.07 MB",
    "message": "WinFileService Event: read, Path: /Privat Marc XXX/Eigene Dateien/Weiterbildung/XXXXX/5. Semester/Führung und Personalmanagement/Gruppenarbeit/XXXXX.docx, File/Folder: File, Size: 3.07 MB, User: Marc XXX, IP: 192.168.0.29\n",
    "type": "syslog",
    "priority": 14,
    "logsource": "Titanserver",
    " Path": "/Privat Marc XXXX/Eigene Dateien/Weiterbildung/Dipl. XXXX/5. Semester/Führung und Personalmanagement/Gruppenarbeit/ParkSpace4U.docx",
    "syslog_severity": "notice",
    "tags": [
      "syslog",
      "_grokparsefailure",
      "SynologyTitanserver"
    ],
    "WinFileService Event": "read",
    "@timestamp": "2017-12-13T15:06:15.000Z",
    "@version": "1",
    "host": "192.168.0.20",
    " File/Folder": "File",
    "facility": 1,
    "severity_label": "Informational",
    "timestamp": "Dec 13 16:06:15",
    "facility_label": "user-level"
  },
  "fields": {
    "@timestamp": [
      "2017-12-13T15:06:15.000Z"
    ]
  },
  "highlight": {
    "logsource": [
      "@kibana-highlighted-field@Titanserver@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1513177575000
  ]
}

For this Synology Server I have the same filter as above.

magnusbaeck · December 13, 2017, 8:11pm

What does your full configuration look like?

hispeed · December 13, 2017, 8:35pm

I sent you a link for downloading the files.

magnusbaeck · December 14, 2017, 6:22am

I only spend time on publicly posted questions and details so please post the link publicly.

hispeed · December 20, 2017, 3:06pm

Okey here is the link for downloading all the configuration files.

https://mega.nz/#!QbxFBYza!00uFmeOn5QM9irEORlMSpiqOnfhNxap52YPgVgSdg5Y

magnusbaeck · December 21, 2017, 7:18am

Nothing obviously wrong there. You don't have any extra files in /etc/logstash/conf.d apart from the five .conf files you included in the archive? What does an example input syslog event look like?

system · January 18, 2018, 7:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Eliminating _grokparsefailure Logstash	5	2524	July 6, 2017
_grokparsefailure tag - fails to do a thing Logstash	3	420	March 22, 2017
"_grokparsefailure" field in Kibana Logstash	2	445	July 6, 2017
Problem tag _grokparsefailure Logstash	1	918	March 8, 2018
Grokparsefailure in processing a log file Logstash	6	262	March 3, 2023

_grokparsefailure in Kibana tag (Synology messages)

Related topics