Incorrect parsing /var/log/messages

MrGangster · November 29, 2018, 1:09pm

Incorrect parsing /var/log/messages from Centos 7

/var/log/messages have this alerts:
Nov 29 15:49:27 vm logstash: "offset" => 902283

Filebeat paste date in Logstash.

/etc/logstash/conf.d/logs.conf have this data:
input {
beats {
port => 5044
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}( %{TIMESTAMP_ISO8601:timestamp_iso} %{POSINT:syslog_pid} %{LOGLEVEL:syslog_level} %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

output {
elasticsearch { hosts => ["192.168.64.190:9200"] }
stdout { codec => rubydebug }
}

Kibana show the message:

and dont parsing "message: Nov 29 15:49:27 vm logstash: "offset" => 902283" how it does in logstash configuration.

Where is a problem? How to parse /var/log/messages correctly?

system · December 27, 2018, 1:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Time mismatch @timestamp and message Logstash	12	1278	February 28, 2020
How to parse Syslog messages Logstash	3	5016	December 7, 2016
Logstash cmd displaying wrong output Logstash	1	212	March 11, 2022
Logstash syslog _grokparsefailure errors Logstash	2	1275	June 11, 2019
Failed to parse [timestamp] invalid formate Logstash	2	1189	July 6, 2017

Incorrect parsing /var/log/messages

Related topics