I am getting those error tags. Here is my filter section from my logstash section (Note that I started to get the _grokparsefailure after adding the second grok with the src match, it was working fine with just the top grok):
    filter {
      if [type] == "syslog" {
        # Split the syslog priority from the rest of the line
        grok {
          match => {
            "message" => "^<%{NUMBER:[syslog][priority]}>%{SPACE}++%{GREEDYDATA:[syslog][message]}$"
          }
          add_field => {
            "received_at"   => "%{@timestamp}"
            "received_from" => "%{host}"
          }
          remove_field => "message"
        }
        # Second grok: parse the src field into ip, port and extra data
        grok {
          match => {
            "src" => "%{IP:[src][ip]}:%{NUMBER:[src][port]}:%{GREEDYDATA:[src][extradata]}$"
          }
        }
        # Extract key=value pairs from the syslog message body
        kv {
          source       => "[syslog][message]"
          remove_field => "[syslog][message]"
        }
        # Use the event's own time field as @timestamp
        date {
          match  => [ "[time]", "yyyy-MM-dd HH:mm:ss" ]
          target => "@timestamp"
        }
        # Geo-locate the parsed source IP
        geoip {
          source => "[src][ip]"
        }
      }
      if ![ecs] {
        mutate {
          rename  => { "host" => "[host][name]" }
          update  => { "[ecs][version]" => "1.5.0" }
          add_tag => [ "ecs_converted" ]
        }
      }
    }
Also I want to note I am getting _grokparsefailure and _geoip_lookup_failure even with this src (just using this as an example): 141.239.213.245:60288:X1

Thanks!!
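Added example, not from the original post: the same filter with the src grok moved after the kv filter, on the assumption that the src field is produced by kv from a src=... pair in the syslog message (it does not exist yet when the second grok in the posted config runs, so that grok tags the event and geoip then finds no IP). The parsed parts are written to a separate [source] object (a naming choice here, following ECS source.*) instead of being nested under the string-valued src field, and conditionals skip grok and geoip on events that have nothing to parse.

```conf
filter {
  if [type] == "syslog" {
    # 1. Split the priority from the rest of the syslog line (as in the original).
    grok {
      match => { "message" => "^<%{NUMBER:[syslog][priority]}>%{SPACE}++%{GREEDYDATA:[syslog][message]}$" }
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
      remove_field => "message"
    }
    # 2. kv must run before the src grok: it is what creates the src field
    #    (assumption: the message carries a src=IP:PORT:EXTRA pair).
    kv {
      source       => "[syslog][message]"
      remove_field => "[syslog][message]"
    }
    # 3. Parse src only when it exists, so events without it are not
    #    tagged _grokparsefailure. Anchored with ^ so partial matches fail.
    if [src] {
      grok {
        match => { "src" => "^%{IP:[source][ip]}:%{NUMBER:[source][port]}:%{GREEDYDATA:[source][extradata]}$" }
      }
      # 4. geoip needs the IP extracted above; skip it if grok did not produce one.
      if [source][ip] {
        geoip { source => "[source][ip]" }
      }
    }
    date {
      match  => [ "[time]", "yyyy-MM-dd HH:mm:ss" ]
      target => "@timestamp"
    }
  }
}
```

With the sample value from the post, 141.239.213.245:60288:X1, the src pattern itself matches (IP, then port, then X1), so the tag in the posted config comes from the field being absent at the point the grok runs rather than from the pattern.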