_grokparsingfailure with Cisco Catalyst switch syslogs

Hello everybody!
I am setting up an Elastic PoC logserver and I am trying to set up Logstash for parsing syslogs from a Cisco switch.
Everything is going forward, but now I need some help with the filter part of the configuration.
I have come this far with the configuration:

//#SYSLOG from Cisco Catalyst Switches at port 514

input {
  tcp {
    port => "514"
    type => "syslog"
  }
  udp {
    port => "514"
    type => "syslog"
  }
}

filter {
  grok {
    patterns_dir => [ "/Elastic/logstash/patterns" ]

    match => [
      # IOS
      "message", '%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}',
      "message", '%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}'
    ]
    overwrite => [ "message" ]

    #mutate {
    #  add_tag => [ "PITnet-cisco" ]
    #  remove_field => [ "syslog5424_pri", "@version" ]
    #}
  }
}

output {
  elasticsearch {
    hosts => [ "1.1.1.1:9200" ]
    user => "elastic"
    password => "Testa00"
    index => "pitnet-switchlog-%{+yyyy.MM.dd}"
  }
  stdout { codec => rubydebug }
}//

I get no errors when I start Logstash with this configuration, but when I do a couple of tests, creating some events on my switch, I get this message in Logstash:

//{
    "@timestamp" => 2020-11-10T15:07:32.439Z,
       "message" => "<187>1055: 0.0.0.0: Nov 10 15:07:31.436: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/8, changed state to down",
      "@version" => "1",
          "tags" => [
        [0] "_grokparsefailure"
    ],
          "host" => "2.2.2.2",
          "type" => "syslog"
}
{
    "@timestamp" => 2020-11-10T15:07:46.784Z,
       "message" => "<189>1056: 0.0.0.0: Nov 10 15:07:45.791: %LINK-5-CHANGED: Interface GigabitEthernet2/0/8, changed state to administratively down",
      "@version" => "1",
          "tags" => [
        [0] "_grokparsefailure"
    ],
          "host" => "2.2.2.2",
          "type" => "syslog"
}//

The Syslog format from the switch is pretty basic:

//Nov 10 15:07:31.436: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/8, changed state to down
Nov 10 15:07:45.791: %LINK-5-CHANGED: Interface GigabitEthernet2/0/8, changed state to administratively down//

So there it is, and I would really appreciate some good feedback so I can parse logs successfully.

//Christer
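Added example, not part of the post and not Logstash or grok code: a Python translation of the post's IOS grok pattern into a plain regex, run over the two events shown above plus one constructed line. It shows where the posted pattern stops matching. Between the sequence number and the timestamp the switch sends an origin field (`0.0.0.0:`), and the pattern's `( %{NUMBER}:)?` slot cannot consume `0.0.0.0` (grok's NUMBER stops at the first dot-separated pair), so the following timestamp match fails and the event is tagged `_grokparsefailure`. The corrected variant accepts an IP address or host name there (the grok equivalent would be `( %{IPORHOST:log_source}:)?`), names the sequence field `log_sequence` (grok field names allow only letters, digits, `_`, `.`, `:` and `-`, so `log_sequence#` would not even be expanded as a pattern), and folds the post's two match lines, with and without a sub-facility, into one. `CISCOTIMESTAMPTZ` and `CISCO_REASON` live in the post's custom patterns directory, which is not shown, so they are approximated here by simple regexes (an assumption); the third sample line, the severity-name table and the PRI cross-check are likewise illustrative additions.

```python
import re
from typing import Optional

# Regex stand-ins for the grok patterns the post relies on. CISCOTIMESTAMPTZ
# and CISCO_REASON come from the post's patterns_dir, which is not visible;
# they are approximated here (assumption), not copied.
_NUMBER = r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)"              # %{NUMBER}, without grok's look-behind
_CISCO_TS = (
    r"[*.]?"                                             # IOS prefixes '*' or '.' when its clock is not authoritative
    r"[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? "                # "Nov 10" or "Nov 10 2020"
    r"\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?: [A-Z]{1,5})?"   # "15:07:31.436", optional zone such as "UTC"
)
# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC, covering both of the post's match lines
_TAG = (
    r"%(?P<facility>[A-Z0-9_]+)(?:-(?P<facility_sub>[A-Z0-9_]+))?"
    r"-(?P<severity_level>[0-7])-(?P<facility_mnemonic>[A-Z0-9_]+)"
)

# 1) The post's IOS pattern, translated literally: the slot between the
#    sequence number and the timestamp accepts only %{NUMBER}.
POSTED = re.compile(
    r"^<(?P<syslog5424_pri>\d+)>(?P<log_sequence>\d+)?:"
    r"(?: " + _NUMBER + r":)?"
    r" (?P<log_date>" + _CISCO_TS + r"): " + _TAG + r": (?P<message>.*)$"
)

# 2) Corrected: that slot is the origin field the switch emits ("0.0.0.0:"),
#    so accept an IP address or host name there. Grok equivalent:
#        ( %{IPORHOST:log_source}:)?   instead of   ( %{NUMBER}:)?
FIXED = re.compile(
    r"^<(?P<syslog5424_pri>\d+)>(?P<log_sequence>\d+)?:"
    r"(?: (?P<log_source>[A-Za-z0-9._-]+):)?"
    r" (?P<log_date>" + _CISCO_TS + r"): " + _TAG + r": (?P<message>.*)$"
)

# Syslog / Cisco severity numbers 0..7
SEVERITY_NAMES = ("emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debugging")

# The first two lines are the events from the post; the third is constructed
# (no origin field, sub-facility present) to exercise the remaining branches.
SAMPLES = [
    "<187>1055: 0.0.0.0: Nov 10 15:07:31.436: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/8, changed state to down",
    "<189>1056: 0.0.0.0: Nov 10 15:07:45.791: %LINK-5-CHANGED: Interface GigabitEthernet2/0/8, changed state to administratively down",
    "<189>1057: Nov 10 15:08:02.110: %SYS-SP-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
]


def parse(line: str, pattern: re.Pattern = FIXED) -> Optional[dict]:
    """Return the extracted fields, or None where grok would tag _grokparsefailure."""
    m = pattern.match(line)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    pri = int(fields["syslog5424_pri"])
    fields["syslog_facility"] = pri // 8        # RFC 5424: PRI = facility * 8 + severity
    fields["syslog_severity"] = pri % 8
    fields["severity_level"] = int(fields["severity_level"])
    fields["severity_name"] = SEVERITY_NAMES[fields["severity_level"]]
    if "log_sequence" in fields:
        fields["log_sequence"] = int(fields["log_sequence"])
    # The severity in <PRI> and the one in %FAC-SEV-MNEMONIC should agree;
    # a mismatch is worth flagging once these events feed detections.
    fields["severity_consistent"] = fields["syslog_severity"] == fields["severity_level"]
    return fields


if __name__ == "__main__":
    for line in SAMPLES:
        print("posted pattern:", "match" if parse(line, POSTED) else "_grokparsefailure")
        print("fixed pattern: ", parse(line))
```

Running it shows the posted pattern failing on both events from the post and succeeding only on the constructed line that carries no origin field, while the corrected pattern parses all three; the PRI cross-check confirms that `<187>` and `<189>` carry the same severities (3 and 5) as the `%LINK-3-...` and `%LINK-5-...` tags.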
