Logstash dateparse failure error

Hi,

I am trying to use the grok filter to change some indexes and format. I am also trying to change the date format, but it comes with the error "dateparsefailure". Please help me identify the mistake I made in the following grok pattern.

Grok Pattern

filter {
  if [type] == "syslog" {
    # Strip the <PRI> prefix and keep the rest of the line as "message"
    grok {
      match => ["message", "<%{POSINT:syslog_pri}>%{GREEDYDATA:message}"]
      overwrite => [ "message" ]
      tag_on_failure => [ "forti_grok_failure" ]
    }
    # Split the FortiGate key=value payload into fields
    kv {
      source => "message"
      value_split => "="
      field_split => " "
    }
    mutate {
      add_field => { "temp_time" => "%{date} %{time}" }
      rename => { "type" => "ftg_type" }
      rename => { "msg" => "message" }
      rename => { "subtype" => "ftg_subtype" }
      add_field => { "type" => "forti_log" }
      convert => { "rcvdbyte" => "integer" }
      convert => { "sentbyte" => "integer" }
      convert => { "rcvdpkt" => "integer" }
      convert => { "sentpkt" => "integer" }
    }
    # Parse the combined date/time into @timestamp
    date {
      match => [ "temp_time", "yyyy-MM-dd HH:mm:ss" ]
      timezone => "UTC"
      target => "@timestamp"
    }
    mutate {
      remove_field => ["temp_time","date","time"]
    }
    syslog_pri {}
  }
}

Example of Firewall log

date=2020-02-27 time=14:08:49 devname="Firewall" devid="Firewall" logid="014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1582812529 srcip=1.2.1.3 srcport=54219 srcintf="mgmt" srcintfrole="lan" dstip=1.2.1.5 dstport=161 dstintf="root" dstintfrole="undefined" sessionid=4612343 proto=17 action="accept" policyid=0 policytype="local-in-policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="SNMP" duration=180 sentbyte=184 rcvdbyte=345 sentpkt=1 rcvdpkt=2 appcat="unscanned"

Hi there,

please format your code when posting: paste the code properly formatted and spaced, highlight it and click on the Preformatted text tool.

As for your question, can you please post here the output of the following pipeline?

input {
  ...whatever your input is...
}

filter {}

output {
  stdout {}
}

Hi Fabio,

Please see below.

input {
  udp {
    port => 1514
    type => "syslog"
  }
}
filter {
  if [type] == "syslog" {
    # Strip the <PRI> prefix and keep the rest of the line as "message"
    grok {
      match => ["message", "<%{POSINT:syslog_pri}>%{GREEDYDATA:message}"]
      overwrite => [ "message" ]
      tag_on_failure => [ "forti_grok_failure" ]
    }
    # Split the FortiGate key=value payload into fields
    kv {
      source => "message"
      value_split => "="
      field_split => " "
    }
    mutate {
      add_field => { "temp_time" => "%{date} %{time}" }
      rename => { "type" => "ftg_type" }
      rename => { "msg" => "message" }
      rename => { "subtype" => "ftg_subtype" }
      add_field => { "type" => "forti_log" }
      convert => { "rcvdbyte" => "integer" }
      convert => { "sentbyte" => "integer" }
      convert => { "rcvdpkt" => "integer" }
      convert => { "sentpkt" => "integer" }
    }
    # Parse the combined date/time into @timestamp
    date {
      match => [ "temp_time", "yyyy-MM-dd HH:mm:ss" ]
      timezone => "UTC"
      target => "@timestamp"
    }
    mutate {
      remove_field => ["temp_time","date","time"]
    }
    syslog_pri {}
  }
}
output {
  elasticsearch {
    hosts => "10.212.99.36:9200"
    index => "firewall-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "password"
    document_type => "syslogs"
  }
}

Output

          "@timestamp" => 2020-02-27T16:55:05.561Z,
                "host" => "10.212.103.33",
                "tags" => [
        [0] "_dateparsefailure"
    ],
            "ftg_type" => "syslog",
            "@version" => "1",
     "syslog_severity" => "critical",
             "message" => "Feb 27 16:55:04 localhost IPMIMain: [640 : 735 CRITICAL][NMAPI.c:152]PnmTask.c : Error fetching messages from NM_RESPONSE_MSG_Q",
     "syslog_facility" => "local0",
                "type" => "forti_log",
          "syslog_pri" => "130",
"syslog_severity_code" => 2,
"syslog_facility_code" => 16
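An added example, not posted in this thread and not Logstash code, that models the kv -> mutate add_field -> date chain from the pipeline above in plain Ruby and runs it over the FortiGate line from the question and the IPMI line from the output. The kv_parse, sprintf_fields and date_filter helpers are simplified stand-ins for the real filters, and the guard_missing_date option is an assumed mitigation (only build temp_time when both date and time exist).

```ruby
require 'date'

# Constructed inputs: a trimmed copy of the FortiGate line from the question and
# the IPMI line seen in the posted rubydebug output.
FORTI_LINE = 'date=2020-02-27 time=14:08:49 devname="Firewall" type="traffic" ' \
             'subtype="local" srcip=1.2.1.3 sentbyte=184 rcvdbyte=345'
IPMI_LINE  = 'Feb 27 16:55:04 localhost IPMIMain: [640 : 735 CRITICAL]' \
             '[NMAPI.c:152]PnmTask.c : Error fetching messages from NM_RESPONSE_MSG_Q'

# Stand-in for kv { value_split => "=" field_split => " " }: values may be
# double-quoted (and then contain spaces) or bare.
def kv_parse(message)
  fields = {}
  message.scan(/(\w+)=(?:"([^"]*)"|(\S+))/) { |k, quoted, bare| fields[k] = quoted || bare }
  fields
end

# Stand-in for Logstash sprintf: %{field} is substituted only when the field
# exists; a missing field leaves the literal "%{field}" text in place.
def sprintf_fields(template, fields)
  template.gsub(/%\{(\w+)\}/) { |m| fields.key?(Regexp.last_match(1)) ? fields[Regexp.last_match(1)] : m }
end

# Stand-in for date { match => ["temp_time", "yyyy-MM-dd HH:mm:ss"] timezone => "UTC" }:
# strict parse; on failure the event gets the _dateparsefailure tag.
def date_filter(event)
  event['@timestamp'] = DateTime.strptime(event['temp_time'], '%Y-%m-%d %H:%M:%S').iso8601
rescue ArgumentError
  (event['tags'] ||= []) << '_dateparsefailure'
end

# Run the thread's filter chain on one syslog payload and return the event.
# With guard_missing_date the add_field step is skipped when date/time are absent,
# which is what an `if [date] and [time]` conditional around mutate would do.
def run_pipeline(message, guard_missing_date: false)
  event = kv_parse(message)
  event['message'] = message
  if !guard_missing_date || (event.key?('date') && event.key?('time'))
    event['temp_time'] = sprintf_fields('%{date} %{time}', event)
  end
  # The date filter does nothing when its source field is missing.
  date_filter(event) if event.key?('temp_time')
  event
end

if $PROGRAM_NAME == __FILE__
  [FORTI_LINE, IPMI_LINE].each { |line| p run_pipeline(line).slice('temp_time', '@timestamp', 'tags') }
  p run_pipeline(IPMI_LINE, guard_missing_date: true).slice('temp_time', '@timestamp', 'tags')
end
```

The IPMI line carries no key=value pairs, so temp_time becomes the literal "%{date} %{time}" and the date filter tags the event; the Fortinet line parses cleanly.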

Can you please post the output of the pipeline I wrote above? I don't wanna see the output after the filters you wrote. I wanna see the output without any filter.
