Logstash doesn't catch severity/loglevel from Jboss log using rsyslog

Hello everybody. I'm starting with ELK and I was able to configure a lot of filters and other stuff.

Right now I'm trying to configure the JBoss log, but I couldn't configure logstash to match the correct severity. It's always showing me "Notice".

I'm using Rsyslog on Redhat 5.5 and my ELK is on Redhat 7.

This is the block for Rsyslog:

$ModLoad imfile.so # Load the imfile input module

$InputFileName /usr/local/jboss-soap/jboss-as/server/production/log/server.log
$InputFileTag soap-server-log-rs:
$InputFileStateFile stat-soap-server-log-rs
$InputFileFacility local5
$InputRunFileMonitor
$InputFilePollInterval 10

local5.* @@REMOTE_IP:5544
:syslogtag, contains, "soap-server" stop

I set the Facility as "local5" because it didn't allow me to use another name (I set up Rsyslog on CentOS and it allowed me to set any name I wanted).

This is the logstash INPUT on my ELK server:

input {
  syslog {
    type => rsyslog
    port => 5544
  }
}

And this is my logstash FILTER configuration:

filter {
  if [program] == "soap-server-log-rs" {
    multiline {
      pattern => "^[\d]{4}-[\d]{2}-[\d]{2} "
      negate => true
      what => previous
    }
    # This check runs before the grok filter below, so the tag cannot be set yet at this point.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
    grok {
      # The (?<name>...) capture names were stripped when the post was rendered. "logdate" is the
      # name the date filter below expects; "category" and "thread" are placeholder names.
      # Square brackets and parentheses are escaped so they match literally.
      match => {
        "message" => "(?<logdate>[\d]{4}-[\d]{2}-[\d]{2} [\d]{2}:[\d]{2}:[\d]{2},[\d]{3})%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}\[(?<category>[^\]]+)\]%{SPACE}\((?<thread>[^\)]+)\)%{SPACE}%{GREEDYDATA:message}"
      }
      overwrite => [ "message" ]
    }
    mutate {
      # The replacement string did not survive rendering; an empty string is shown here.
      gsub => [ "logsource", "-", "" ]
    }
    if !("_grokparsefailure" in [tags]) {
      date {
        match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS" ]
      }
    }
  }
}

This is an example of the server.log file:

2016-08-11 15:50:20,341 ERROR [STDERR] [Thread-128] ConnectionDesc.expire(): not expired com.sun.jndi.ldap.LdapClient@e2216c1 busy

I've tried with other configurations like:

%{LOGLEVEL:severity}
%{LOGLEVEL:severity_label}

But the severity is always on Notice.

I wish someone could help me.

Thanks for all.

The syslog input creates the severity field for you, right? If you want the grok filter to overwrite that value with the extracted string you need to set overwrite => ["severity"] for the grok filter.

Hello Magnus. Thanks for your answer.

I don't know how grok assigns the variable to "severity".

Just putting the overwrite gets the severity from the message?

Should this %{LOGLEVEL:severity} set the "severity" variable? Do you know if I should set "severity_label" instead of "severity"? ("severity" is number and "severity_label" is string, but I don't know if setting one, the other changes or if I have to set both)

Thanks for all.

Should this %{LOGLEVEL:severity} set the "severity" variable?

Yes. Please familiarize yourself with the grok filter.

Just putting the overwrite gets the severity from the message?

No, but it allows the grok filter to overwrite the current severity value that the syslog input sets for you. Without it, %{LOGLEVEL:severity} won't do anything if severity already has a value.

Do you know if I should set "severity_label" instead of "severity"? ("severity" is number and "severity_label" is string, but I don't know if setting one, the other changes or if I have to set both)

Well, what do you want to keep? Will you need the numerical value for anything? Logstash doesn't care which fields you keep and which ones you get rid of. Decide what you want your events to look like, then change the filters accordingly.
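The following script is an added example, not something posted in this thread and not Logstash's own code. It emulates, in Python, the two steps the answers above describe: the syslog input decoding facility and severity from the PRI that rsyslog puts in front of the forwarded server.log line, and the grok filter's rule for a capture whose target field already exists (replace only when the field is listed in overwrite; an existing string becomes an array; an existing non-string such as the input's integer severity is left untouched). The syslog line is constructed for the example, the JBoss-level-to-syslog-severity table is a mapping chosen here, and the facility label is simplified to local0..local7.

```python
import re

# Constructed sample: one server.log line as rsyslog's imfile module forwards it.
# imfile tags it with $InputFileTag and, having no level of its own, sends it with
# facility local5 (21) and the default severity notice (5): PRI = 21*8 + 5 = 173.
SAMPLE = (
    "<173>Aug 11 15:50:20 soaphost soap-server-log-rs: "
    "2016-08-11 15:50:20,341 ERROR [STDERR] [Thread-128] "
    "ConnectionDesc.expire(): not expired com.sun.jndi.ldap.LdapClient@e2216c1 busy"
)

# Labels the Logstash syslog input uses for severity_label, indexed by severity number.
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]

# Mapping from JBoss/log4j level names to syslog severities (chosen for this example).
LEVEL_TO_SEVERITY = {"FATAL": 2, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7, "TRACE": 7}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) (?P<program>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# Same shape as the grok pattern in the question: date, level, then the rest of the line.
JBOSS_RE = re.compile(
    r"^(?P<logdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<loglevel>[A-Z]+)\s+(?P<rest>.*)$"
)


def syslog_input(line):
    """Emulate the fields the Logstash syslog input derives from the PRI and header."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure_sysloginput"]}
    pri = int(m.group("pri"))
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return {
        "message": m.group("message"),
        "logsource": m.group("logsource"),
        "program": m.group("program"),
        "priority": pri,
        "facility": facility,
        "facility_label": f"local{facility - 16}" if 16 <= facility <= 23 else str(facility),
        "severity": severity,
        "severity_label": SEVERITY_LABELS[severity],
        "tags": [],
    }


def grok_set(event, field, value, overwrite):
    """Grok's rule for a captured field: replace when listed in overwrite; set when absent;
    append when the existing value is a string or list; otherwise leave the field alone."""
    if field in overwrite:
        event[field] = value
        return
    current = event.get(field)
    if current is None:
        event[field] = value
    elif isinstance(current, list):
        event[field] = current + [value]
    elif isinstance(current, str):
        event[field] = [current, value]
    # Any other type (the integer severity from the syslog input) is not touched.


def apply_grok(event, overwrite=()):
    """Emulate %{LOGLEVEL:loglevel}, %{LOGLEVEL:severity}, %{LOGLEVEL:severity_label}
    and %{GREEDYDATA:message} applied to the syslog-decoded event."""
    m = JBOSS_RE.match(event["message"])
    if not m:
        event["tags"].append("_grokparsefailure")
        return event
    level = m.group("loglevel")
    grok_set(event, "logdate", m.group("logdate"), overwrite)
    grok_set(event, "loglevel", level, overwrite)
    grok_set(event, "severity", level, overwrite)
    grok_set(event, "severity_label", level, overwrite)
    grok_set(event, "message", m.group("rest"), overwrite)
    return event


def normalize_severity(event):
    """Keep the numeric severity and its label consistent, derived from the captured level."""
    num = LEVEL_TO_SEVERITY[event["loglevel"].upper()]
    event["severity"] = num
    event["severity_label"] = SEVERITY_LABELS[num]
    return event


def process(line, overwrite=()):
    return apply_grok(syslog_input(line), overwrite)


if __name__ == "__main__":
    print(process(SAMPLE))                      # severity stays 5 / "Notice"
    fields = ("severity", "severity_label", "message")
    print(normalize_severity(process(SAMPLE, overwrite=fields)))   # severity 3 / "Error"
```

Running it shows why every event arrived as Notice: the integer severity the syslog input sets from the PRI survives a grok capture unless the field is named in overwrite, and the string severity_label turns into a two-element array rather than being replaced. Since grok captures the level name as a string, a second step (normalize_severity here; a translate or mutate filter in Logstash) is needed if the numeric severity and the label are both to reflect the JBoss level.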

Thanks Magnus for your answer. I will let you know if that works.

Right now I found that I'm having a _grokparsefailure so I should fix that first to continue with the severity thing.

Well, it's working now.

Thanks for all Magnus.