Hello there, weird problem. I have the following config, which worked in 2015:
# Pipeline: syslog over TCP/UDP 5000 plus JSON-formatted Windows events over UDP 12201,
# normalised in the filter section and written to a five-node Elasticsearch cluster.
# None of the inputs below restricts or authenticates senders; every datagram/connection
# that reaches these ports is parsed as a trusted event.
input {
tcp {
port => 5000
type => syslog
}
udp {
port => 5000
type => syslog
}
# Windows events: one JSON document per datagram, decoded by the json filter below.
udp {
port => 12201
type => windows
queue_size => 1000000
buffer_size => 65536
workers => 4
}
}
filter {
# Discard test/keepalive payloads.
if [message] =~ /default send string/ {
drop {}
}
# run-parts lines use a program(uri)[pid] form, so they get their own grok first.
if [type] == "syslog" and [message] =~ "run-parts" {
grok {
# The commented-out pattern differs from the live one only in the `\]` after syslog_pid;
# the live pattern lets GREEDYDATA swallow the closing bracket.
#match => [ "message", "%{SYSLOG5424PRI:syslog_pri}%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}\(%{URIPATH:syslog_uri}\)\[%{POSINT:syslog_pid}\]%{GREEDYDATA:syslog_message}" ]
match => [ "message", "%{SYSLOG5424PRI:syslog_pri}%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}\(%{URIPATH:syslog_uri}\)\[%{POSINT:syslog_pid}%{GREEDYDATA:syslog_message}" ]
}
syslog_pri { }
# Both patterns carry no year: @timestamp's year is not read from the event, it is
# inferred by the date filter. NOTE(review): the daily index name is derived from
# @timestamp, so a wrongly inferred year moves events into the wrong index as well.
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
timezone => "America/Chicago"
}
}
# Generic syslog: runs for every syslog event, including run-parts lines already
# parsed above (the fields are simply re-derived).
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\]?)?: %{GREEDYDATA:syslog_message}" }
}
syslog_pri { }
# Same year-less patterns as above; events that failed grok have no syslog_timestamp
# and therefore keep the @timestamp assigned on receipt.
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
timezone => "America/Chicago"
}
}
# For events received over loopback, [host] is replaced with the hostname parsed out of
# the message body, i.e. a sender-supplied value rather than the transport source.
if [host] == "0:0:0:0:0:0:0:1" or [host] == "127.0.0.1" {
mutate {
replace => [ "host", "%{syslog_hostname}" ]
}
}
# Drop Windows Filtering Platform "permitted connection" audit noise before indexing.
if [message] =~ /The Windows Filtering Platform has permitted a connection/ {
drop {}
}
if [type] == "windows" {
# The whole message is an untrusted JSON document; its keys become event fields.
json {
source => "message"
}
# Hostname comes from the JSON payload and overwrites the transport-derived host.
mutate {
rename => [ "Hostname", "host" ]
remove => [ "SourceModuleType", "SourceModuleName", "EventTime", "EventReceivedTime", "EventType", "Keywords", "full_message" ]
}
}
}
output {
# Plain HTTP to the cluster, no credentials or TLS configured here.
elasticsearch {
hosts => ["10.36.52.82:9200", "10.36.52.83:9200", "10.36.52.84:9200", "10.36.52.85:9200", "10.36.52.86:9200"]
workers => 4
# The index template is re-pushed on each start, overwriting any manual template edits.
template_overwrite => true
}
}
Now it is sending all syslogs into logstash-2015-xx-xx daily indices instead of logstash-2016-xx-xx, and the timestamps of the logs are also 2015 instead of 2016. Only the logs that Logstash cannot parse (those tagged _grokparsefailure) end up in the correct index; all others go to 2015. Presumably those unparsed events never get a syslog_timestamp field, so the date filter does not rewrite their @timestamp.
Any idea why this is happening?