_grokparsefailure in Kibana tag (Synology messages)


I recieve a _grokparsefailure in Kibana tags but all the fields are splitted correct. How can I remove the grokparsefailure for those incomming messages?

   if [logsource] == "BackupStation" {
     mutate {
       add_tag => [ "SynologyBackupstation" ]

      kv  {
               value_split => ":"
               field_split => ","

How could I track that failure down to the problem from where it is comming from?

Show an example event that exhibits the problem. Copy/paste from Kibana's JSON tab.

Hi Magnus,

No problem:

  "_index": "logstash-2017.12.13",
  "_type": "syslog",
  "_id": "ArxpUGABKDf7kXJ8cWPV",
  "_version": 1,
  "_score": null,
  "_source": {
    "severity": 6,
    " User": "Marc XXXXX",
    "syslog_severity_code": 5,
    "syslog_facility": "user-level",
    " IP": "\n",
    "syslog_facility_code": 1,
    " Size": "3.07 MB",
    "message": "WinFileService Event: read, Path: /Privat Marc XXX/Eigene Dateien/Weiterbildung/XXXXX/5. Semester/Führung und Personalmanagement/Gruppenarbeit/XXXXX.docx, File/Folder: File, Size: 3.07 MB, User: Marc XXX, IP:\n",
    "type": "syslog",
    "priority": 14,
    "logsource": "Titanserver",
    " Path": "/Privat Marc XXXX/Eigene Dateien/Weiterbildung/Dipl. XXXX/5. Semester/Führung und Personalmanagement/Gruppenarbeit/ParkSpace4U.docx",
    "syslog_severity": "notice",
    "tags": [
    "WinFileService Event": "read",
    "@timestamp": "2017-12-13T15:06:15.000Z",
    "@version": "1",
    "host": "",
    " File/Folder": "File",
    "facility": 1,
    "severity_label": "Informational",
    "timestamp": "Dec 13 16:06:15",
    "facility_label": "user-level"
  "fields": {
    "@timestamp": [
  "highlight": {
    "logsource": [
  "sort": [

For this Synology Server I have the same filter as above.

What does your full configuration look like?

I sent you a link for downloading the files.

I only spend time on publicly posted questions and details so please post the link publicly.

Okey here is the link for downloading all the configuration files.


Nothing obviously wrong there. You don't have any extra files in /etc/logstash/conf.d apart from the five .conf files you included in the archive? What does an example input syslog event look like?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.