Logstash 6.0, not logging similar messages from two different hosts

Hello,

Brand new to ELK but I can't seem to find another log or method to try to narrow down what is happening in this case.

Both devices are configured to send log messages to 8514/tcp where logstash is listening. They are essentially the same message and a tcpdump confirms they arrive at the logstash host, however, one message makes it into elasticsearch, the other does not.

My logstash configs are as follows:

001-input.conf
input {
  udp {
    port => "8514"
    type => "syslog-cisco"
  }
  tcp {
    port => "8514"
    type => "syslog-cisco"
  }
}

010-cisco-sylog.conf
filter {
  if [type] == "syslog-cisco" {
    # Deterministic id for the event so a re-delivered message is not indexed twice.
    fingerprint {
      source => [ "message" ]
      method => "SHA1"
      key => "4dITFMoHkxSXMqifRPf5sd8NZoPb7x7s"
      concatenate_sources => true
    }

    grok {
      patterns_dir => [ "/opt/logstash/patterns" ]

      # IOS (CISCOTIMESTAMPTZ) and NX-OS (NEXUSTIMESTAMP) variants, with and without a facility sub-code.
      match => [
        "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
        "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",

        "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
        "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}"
      ]

      # Replace the raw line with just the free-text part captured above.
      overwrite => [ "message" ]

      add_tag => [ "cisco" ]

      remove_field => [ "syslog5424_pri", "@version" ]
    }
  }

  if "cisco" in [tags] {
    date {
      match => [
        "log_date",
        "MMM dd HH:mm:ss.SSS ZZZ",
        "MMM dd HH:mm:ss ZZZ",
        "MMM dd HH:mm:ss.SSS",
        "YYYY MMM dd HH:mm:ss.SSS ZZZ",
        "YYYY MMM dd HH:mm:ss ZZZ",
        "YYYY MMM dd HH:mm:ss.SSS",
        "ISO8601"
      ]
    }

    # Add the log level's name instead of just a number (Cisco levels run 0-7).
    mutate {
      gsub => [
        "severity_level", "0", "0 - Emergency",
        "severity_level", "1", "1 - Alert",
        "severity_level", "2", "2 - Critical",
        "severity_level", "3", "3 - Error",
        "severity_level", "4", "4 - Warning",
        "severity_level", "5", "5 - Notification",
        "severity_level", "6", "6 - Informational",
        "severity_level", "7", "7 - Debugging"
      ]
    }
  }
}

100-outputs.conf
output {
  if "_grokparsefailure" in [tags] {
    file {
      path => "/tmp/fail-%{type}-%{+YYYY.MM.dd}.log"
    }
  }
  if "cisco" in [tags] {
    file {
      path => "/tmp/%{type}-%{+YYYY.MM.dd}.log"
    }

    elasticsearch {
      hosts         => ["localhost:9200"]
      index         => "network-%{+YYYY.MM.dd}"
      document_type => "%{type}"
      document_id   => "%{fingerprint}"
    }
  }
}

I'm convinced it's a logstash related problem as I would expect to see it in one of the logs defined in the output config. Unfortunately, it just seems to disappear entirely.

Any assistance would be greatly appreciated, thanks in advance.

Here are the tcpdump outputs (IP addresses and usernames have been replaced/redacted).

this message makes it into elasticsearch

22:02:41.315898 IP (tos 0x0, ttl 246, id 36230, offset 0, flags [none], proto TCP (6), length 148)
working.16244 > logstash.8514: Flags [.], cksum 0x62d8 (correct), seq 3007141101:3007141209, ack 583889159, win 4128, length 108
0x0000: 4500 0094 8d86 0000 f606 20b1 0a00 ff03 E...............
0x0010: 0a40 02e9 3f74 2142 b33d 54ed 22cd 7107 .@..?t!B.=T.".q.
0x0020: 5010 1020 62d8 0000 3c31 3839 3e37 3232 P...b...<189>722
0x0030: 3634 3a20 4465 6320 2038 2031 343a 3032 64:.Dec..8.14:02
0x0040: 3a34 302e 3330 3420 5053 543a 2025 5359 :40.304.PST:.%SY
0x0050: 532d 352d 434f 4e46 4947 5f49 3a20 436f S-5-CONFIG_I:.Co
0x0060: 6e66 6967 7572 6564 2066 726f 6d20 636f nfigured.from.co
0x0070: 6e73 6f6c 6520 6279 206d 6479 6572 206f nsole.by.user1.o
0x0080: 6e20 7674 7930 2028 3130 2e30 2e34 2e32 n.vty0.(0.0.0.
0x0090: 3531 290a 0).

this message does NOT make it into elasticsearch

22:03:38.229404 IP (tos 0x0, ttl 246, id 21897, offset 0, flags [none], proto TCP (6), length 146)
notworking.56883 > logstaship.8514: Flags [.], cksum 0x87e2 (correct), seq 3949866633:3949866739, ack 1167325245, win 4128, length 106
0x0000: 4500 0092 5589 0000 f606 47a4 0a00 1010 E...U.....G.....
0x0010: 0a40 02e9 de33 2142 eb6e 2e89 4593 f83d .@...3!B.n..E..=
0x0020: 5010 1020 87e2 0000 3c31 3839 3e36 3436 P.......<189>646
0x0030: 363a 2044 6563 2020 3820 3134 3a30 333a 6:.Dec..8.14:03:
0x0040: 3337 2e32 3039 2050 5354 3a20 2553 5953 37.209.PST:.%SYS
0x0050: 2d35 2d43 4f4e 4649 475f 493a 2043 6f6e -5-CONFIG_I:.Con
0x0060: 6669 6775 7265 6420 6672 6f6d 2063 6f6e figured.from.con
0x0070: 736f 6c65 2062 7920 6d64 7965 7220 6f6e sole.by.user1.on
0x0080: 2076 7479 3020 2831 302e 302e 342e 3235 .vty0.(0.0.0.
0x0090: 3129 0)
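
The two captures end differently: the working payload's last byte is 0x0a, while the other stops at 0x29 (')') with no newline. The logstash tcp input defaults to the line codec, which emits an event only once a newline arrives, so an unterminated message sits in that connection's buffer and never reaches the filters or the outputs. The Python below is an added illustration, not code from this thread; its payloads are constructed from the redacted ASCII gutters above, and the row parser assumes the standard `tcpdump -X` layout.

```python
# Added example, not code from the thread: a minimal model of the newline
# framing the logstash tcp input applies by default (codec => line).

def last_payload_byte(last_dump_row):
    """Return the final byte of a packet from the last `tcpdump -X` row.

    Assumes the usual layout: an offset, up to eight hex groups, then an
    ASCII gutter in which tcpdump prints '.' for non-printable bytes."""
    groups = last_dump_row.split()[1:-1]
    return bytes.fromhex("".join(groups))[-1]


class LineFramer:
    """One per TCP connection, like the codec clone the tcp input keeps.

    Segments accumulate in a buffer; an event is emitted only for each
    complete line, so a message without a trailing newline is held."""

    def __init__(self):
        self.buffer = b""

    def feed(self, segment):
        self.buffer += segment
        *complete, self.buffer = self.buffer.split(b"\n")
        return [line.decode("utf-8", "replace") for line in complete]

    def pending(self):
        return len(self.buffer)


def frame_stream(segments):
    """Replay TCP segments from one connection; return (events, buffered bytes)."""
    framer = LineFramer()
    events = []
    for segment in segments:
        events.extend(framer.feed(segment))
    return events, framer.pending()


# Constructed payloads modelled on the redacted ASCII gutters of the two
# captures: the first ends in 0x0a, the second stops at ')'.
WORKING = (b"<189>72264: Dec  8 14:02:40.304 PST: %SYS-5-CONFIG_I: "
           b"Configured from console by user1 on vty0 (0.0.0.0)\n")
NOT_WORKING = (b"<189>6466: Dec  8 14:03:37.209 PST: %SYS-5-CONFIG_I: "
               b"Configured from console by user1 on vty0 (0.0.0.0)")

if __name__ == "__main__":
    # The last rows of the two dumps in the post: 0x0a versus 0x29 (')').
    print(hex(last_payload_byte("0x0090: 3531 290a 0).")))
    print(hex(last_payload_byte("0x0090: 3129 0)")))
    print(frame_stream([WORKING]))          # one event, nothing buffered
    print(frame_stream([NOT_WORKING] * 2))  # no events, both messages buffered
```

Because the buffer is per connection, a device that never terminates its lines keeps accumulating bytes without producing a single event, which is why nothing appears in either file output.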

Disregard. This turned out to be an anomaly with syslog using TCP as transport for a Cisco IOS router running 12.4 code. I wasn't able to identify a specific bug but there was mention of similar issues with other logging engines (syslog-ng, kiwi syslog, etc). Switching to UDP transport resolved the issue.
