Hi, I am looking to create an ELK pipeline for a variety of Syslog messages. While I thought it would make sense to use the Syslog input filter in Logstash, I read this piece about why Syslog might not be the most beneficial: https://www.kartar.net/2014/09/when-logstash-and-syslog-go-wrong/
Thoughts on what is more useful depending on the application?
It depends on your messages. If the syslog input successfully parses them then it makes sense to use it. If not, it does not. You really need to try it.
In a perfect world the syslog input would be all you need. However the world isn't perfect, and vendors do all kinds of weird stuff with syslog. We maintain a test file of all of the weirdness we have seen, and use it to validate our base syslog parsing.
The grok patterns to handle almost all of the variations come together in a "super pattern" called KOIOSSYSLOGBASEPARSER.
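To make the "try it against a test file of weirdness" approach concrete, here is an added example in Python (written for this reply; it is not the original poster's KOIOSSYSLOGBASEPARSER, which is not published in this thread, and not Logstash's own code). It does what a grok "super pattern" does: try an ordered list of syslog layouts, decode the PRI into facility and severity, and tag anything nothing matches so it can be fed back into the regression file. The sample lines are constructed, and the pattern set (RFC 5424, Cisco-style with a sequence number and no hostname, RFC 3164 with optional PRI) is an assumption about which variations you will meet, not a complete list.

```python
import re

# Constructed sample lines (not a real capture) covering common variations:
# RFC 3164 with PRI, RFC 5424, RFC 3164 without PRI, a Cisco-style line with
# a sequence number and no hostname, and a line that is not syslog at all.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - BOM'su root' failed",
    "Oct 11 22:14:15 mymachine sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2",
    "<189>12345: *Mar  1 18:48:50.483 UTC: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.5(33) -> 198.51.100.2(80), 1 packet",
    "this is not syslog at all",
]

# Ordered (format name, regex) pairs, most specific first, so an RFC 5424 line
# is not mis-read as RFC 3164 with a hostname of "1". This mirrors a grok
# filter given a list of patterns to try in order.
PATTERNS = [
    ("rfc5424", re.compile(
        r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
        r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")),
    ("cisco", re.compile(
        r"^(?:<(?P<pri>\d{1,3})>)?(?P<seq>\d+): \*?"
        r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]{3,4})?): "
        r"(?P<msg>%(?P<cisco_facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): .*)$")),
    ("rfc3164", re.compile(
        r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
        r"(?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[(?P<procid>\d+)\])?: (?P<msg>.*)$")),
]


def parse_syslog(line: str) -> dict:
    """Return the first matching layout's fields; tag the line if none match."""
    for name, pattern in PATTERNS:
        m = pattern.match(line)
        if m is None:
            continue
        # Drop absent groups and RFC 5424 NILVALUE ("-") fields.
        fields = {k: v for k, v in m.groupdict().items() if v is not None and v != "-"}
        fields["format"] = name
        if "pri" in fields:
            # PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
            fields["facility"], fields["severity"] = divmod(int(fields.pop("pri")), 8)
        return fields
    # Same idea as Logstash's _grokparsefailure tag: keep the raw line, mark it,
    # and add it to the regression file once you know what it is.
    return {"format": "unparsed", "msg": line, "tags": ["_syslogparsefailure"]}


def run_regression(lines) -> dict:
    """Count lines per detected format; "unparsed" > 0 means the test file found a gap."""
    counts: dict = {}
    for line in lines:
        fmt = parse_syslog(line)["format"]
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    print(run_regression(SAMPLE_LINES))
```

The useful habit is the last function: every time a new device produces a line that lands in `unparsed`, add it to the test file, extend (or reorder) the pattern list, and re-run the whole file so earlier fixes do not regress. In Logstash the same structure is a grok filter with an array of patterns tried in order, with `_grokparsefailure`-tagged events routed somewhere you will notice them.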