Incorrect parsing /var/log/messages

Incorrect parsing /var/log/messages from Centos 7

/var/log/messages have this alerts:
Nov 29 15:49:27 vm logstash: "offset" => 902283

Filebeat paste date in Logstash.

/etc/logstash/conf.d/logs.conf have this data:
input {
beats {
port => 5044
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}( %{TIMESTAMP_ISO8601:timestamp_iso} %{POSINT:syslog_pid} %{LOGLEVEL:syslog_level} %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

output {
elasticsearch { hosts => ["192.168.64.190:9200"] }
stdout { codec => rubydebug }
}

Kibana show the message:

image.png1397×107 9.38 KB

and dont parsing "message: Nov 29 15:49:27 vm logstash: "offset" => 902283" how it does in logstash configuration.

Where is a problem? How to parse /var/log/messages correctly?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.