Input Filter: Syslog vs TCP/UDP


#1

Hi, I am looking to create an ELK pipeline for a variety of Syslog messages. While I thought it would make sense to use the Syslog input filter in Logstash, I read this piece about why Syslog might not be the most beneficial: https://www.kartar.net/2014/09/when-logstash-and-syslog-go-wrong/

Thoughts on what is more useful depending on the application?


#2

It depends on your messages. If the syslog input successfully parses them then it makes sense to use it. If not, it does not. You really need to try it.


(Robert Cowart) #3

In a perfect world the syslog input would be all you need. However, the world isn't perfect, and vendors do all kinds of weird stuff with syslog. We maintain a test file of all of the weirdness we have seen, and use it to validate our base syslog parsing.

The grok patterns to handle almost all of the variations come together in a "super pattern" called KOIOSSYSLOGBASEPARSER.

You can see how this works here...
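The approach the reply describes, a strict parse first and a tolerant fallback validated against a corpus of vendor variants, as an added example in Python. It is not the KOIOSSYSLOGBASEPARSER grok pattern and not code from Logstash or from the poster; the strict regexes stand in for what a syslog input expects, the staged fallback stands in for the grok chain you would put behind a tcp/udp input, and the corpus lines and expected fields are constructed for this example.

```python
"""Tolerant syslog 'base parser' exercised against a corpus of vendor variants.

Constructed example: the strict patterns mimic what a syslog input expects, the
tolerant path mimics the fallback you would build behind a tcp/udp input.
"""
import re

# Strict RFC 5424: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)

# Strict RFC 3164 (BSD): <PRI>Mmm dd HH:MM:SS host prog[pid]: msg
# The host may not contain ':' so that a line with the hostname omitted
# ("kernel: ...") is rejected here rather than silently mis-assigned.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:]+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)

# Building blocks for the tolerant path; each is optional and is only consumed
# if it matches at the very front of what is left of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
TS_RE = re.compile(
    r"^(?:[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}"            # BSD, optional year
    r"|\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?"  # ISO 8601
    r")\s+"
)
HOST_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s+")
PROG_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._/-]*)(?:\[(\d+)\])?:\s*")


def _pri_fields(pri):
    """Split a PRI value into (pri, facility, severity)."""
    if pri is None:
        return None, None, None
    pri = int(pri)
    return pri, pri >> 3, pri & 7


def parse_syslog(line):
    """Parse one line; 'format' records which path matched (rfc5424/rfc3164/tolerant)."""
    line = line.rstrip("\r\n")
    out = {"format": None, "pri": None, "facility": None, "severity": None,
           "timestamp": None, "host": None, "program": None, "pid": None, "message": None}
    m = RFC5424.match(line)
    if m:
        out.update(format="rfc5424", timestamp=m["ts"], host=m["host"],
                   program=None if m["prog"] == "-" else m["prog"],
                   pid=None if m["pid"] == "-" else m["pid"], message=m["msg"])
        out["pri"], out["facility"], out["severity"] = _pri_fields(m["pri"])
        return out
    m = RFC3164.match(line)
    if m:
        out.update(format="rfc3164", timestamp=m["ts"], host=m["host"],
                   program=m["prog"], pid=m["pid"], message=m["msg"])
        out["pri"], out["facility"], out["severity"] = _pri_fields(m["pri"])
        return out
    # Tolerant path: peel off whatever header pieces are present, in order.
    rest = line
    m = PRI_RE.match(rest)
    if m:
        out["pri"], out["facility"], out["severity"] = _pri_fields(m.group(1))
        rest = rest[m.end():]
    m = TS_RE.match(rest)
    if m:
        out["timestamp"] = m.group(0).strip()
        rest = rest[m.end():]
        # Only look for a hostname once a timestamp anchors us; without one the
        # first word is far more likely to be message text than a host.
        h = HOST_RE.match(rest)
        if h:
            out["host"] = h.group(1)
            rest = rest[h.end():]
    m = PROG_RE.match(rest)
    if m:
        out["program"], out["pid"] = m.group(1), m.group(2)
        rest = rest[m.end():]
    out["format"] = "tolerant"
    out["message"] = rest
    return out


# Constructed corpus of the kinds of variation vendors produce; each raw line is
# paired with the fields a correct parse must yield (the "test file" idea above).
CORPUS = [
    ("<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
     {"format": "rfc3164", "facility": 4, "severity": 2, "host": "mymachine",
      "program": "su", "pid": "1234"}),
    ("<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - An application event log entry",
     {"format": "rfc5424", "facility": 20, "severity": 5, "host": "mymachine.example.com",
      "program": "evntslog", "pid": None, "message": "An application event log entry"}),
    # PRI stripped entirely by a relay
    ("Oct 11 22:14:15 mymachine su: session opened",
     {"format": "tolerant", "pri": None, "host": "mymachine", "program": "su",
      "message": "session opened"}),
    # high-precision ISO timestamp inside an otherwise BSD-style line
    ("<13>2024-03-10T12:00:01.123456+01:00 host1 sshd[999]: Accepted publickey for alice",
     {"format": "tolerant", "timestamp": "2024-03-10T12:00:01.123456+01:00",
      "host": "host1", "program": "sshd", "pid": "999"}),
    # year inserted into the BSD timestamp
    ("<13>Mar 10 2024 12:00:01 host1 cron: run",
     {"format": "tolerant", "timestamp": "Mar 10 2024 12:00:01", "host": "host1",
      "program": "cron", "message": "run"}),
    # hostname omitted; a naive 3164 pattern would take 'kernel:' as the host
    ("<4>Mar 10 12:00:01 kernel: eth0: link up",
     {"format": "tolerant", "host": None, "program": "kernel", "message": "eth0: link up"}),
    # key=value body with no header at all
    ('<189>date=2024-03-10 time=12:00:01 devname=fw1 msg="test"',
     {"format": "tolerant", "facility": 23, "severity": 5, "host": None, "program": None,
      "message": 'date=2024-03-10 time=12:00:01 devname=fw1 msg="test"'}),
    ("<13>plain text without a header",
     {"format": "tolerant", "host": None, "program": None,
      "message": "plain text without a header"}),
]


def validate(corpus=CORPUS):
    """Run every corpus line through the parser; return a list of mismatches."""
    failures = []
    for raw, expected in corpus:
        got = parse_syslog(raw)
        for key, want in expected.items():
            if got[key] != want:
                failures.append((raw, key, want, got[key]))
    return failures


if __name__ == "__main__":
    for raw, _ in CORPUS:
        p = parse_syslog(raw)
        print(f"{p['format']:9} host={p['host']!s:22} prog={p['program']!s:9} msg={p['message']!r}")
    print("mismatches:", validate())
```

Keeping the corpus beside the parser is the point: every new vendor oddity becomes one more entry, and `validate()` returning an empty list is what tells you the base parsing still holds before the pattern change goes into the pipeline.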

