Location of custom filters

sushmithak · July 1, 2015, 9:28am

Hi,

I want to extract required fields from syslog-messages where can i write (exact location) custom filters in logstash.
plz provide any examples to write custom filters.
-thanks

praveench · July 1, 2015, 9:30am

Hi,

I am also looking for that...

Please any one suggest us..

magnusbaeck · July 1, 2015, 9:40am

Logstash is normally configured to read all configuration files from /etc/logstash/conf.d in alphabetical order. You could e.g. create a syslog.conf file and put all your syslog-related filters there.

However, keep in mind that unless you wrap filters in explicit conditionals they apply to all messages. You don't want your syslog grok filter to attempt to parse your httpd logs, for example.

sushmithak · July 1, 2015, 9:53am

Thankyou Magnus Bäck.

here is my 10-syslog.conf file

filter {
if [type] == "syslog" {
grok {

 match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  add_field => [ "received_at", "%{@timestamp}" ]
  add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
  match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

}
}
i want to extract fields in syslog_message.
plz tell me a way to do it.

magnusbaeck · July 1, 2015, 10:07am

You could use grok for that too, but it depends on what the message looks like. Please provide examples.

sushmithak · July 1, 2015, 10:28am

here is the example for syslog_message.

i have added another grok to my 10-syslog.conf file like this:

filter {
if [type] == "syslog" {
grok {
match => [ "message" , "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" ]
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
}

syslog_pri { }
date {
  match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

}
}

the pattern is working correctly in grok debugger.
the problem is fields are not getting extracted and not shown in kibana .
adding my grok filter in 10-syslog.conf is correct ??

sushmithak · July 1, 2015, 11:51am

any suggestions plz...

magnusbaeck · July 1, 2015, 11:59am

Yeah, that should work. Are you getting the _grokparsefailure tag for those messages?

For parsing this particular kind of message the kv filter might be more convenient.

sushmithak · July 1, 2015, 12:07pm

Thanks magnus,
I'm not getting _grokparsefailure tag.
i have changed the 10-syslog.conf file as shown above and restarted the logstash.
but kibana is showing the default fields only.

sushmithak · July 1, 2015, 12:19pm

hi
Thanks

sushmithak · July 2, 2015, 6:01am

Extracted fields are not displaying in kibana.