Am sending OpenBSD logs to logstash via a syslog input.
Logstash however, appears to be having trouble digesting the OpenBSD format, it adds a "_grokparsefailure_sysloginput" tag.
This is the message format : <30>Jan 13 11:45:21 ntpd[15698]: peer 10.11.12.13 now valid <78>Jan 13 11:45:01 /usr/sbin/cron[21976]: (root) CMD (/bin/ksh /etc/X/X.ksh /home/Y/var/named/var/named)
I suggest you use a udp or tcp input and a separate grok filter. Then you can easily choose exactly which pattern to use for parsing the syslog payload.
Good idea, thanks. But I'm not clear whether I need to write the grok pattern myself or whether it is one of the pre-defined ones ? I'm guessing its not pre-defined because otherwise the parsing would not fail ?
There are numerous syslog-related patterns predefined and the syslog input doesn't necessarily use all of them. If you find one that works go ahead and use it, otherwise use one that's close enough and make adjustments (either as a new pattern or write the expression directly in the Logstash configuration).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.