Logstash grok filter with syslog

tolasto · October 30, 2016, 8:09pm

Hi,

I'm tryin to get a filter for this logfile with logstash:
2016-10-30T13:23:47+01:00 router.lan pppd[12566]: local IP address 1.2.3.4

The Grok debugger can resolve the fields nicely with this expression:
%{DATE:datum}T%{TIME:time}%{ISO8601_TIMEZONE:timezone} %{HOSTNAME:hostname} %{WORD:service}%{GREEDYDATA:id fields} %{IP:wanip}

What I would like to get working with your help(after trying unsuccessfully for a day) is transfering the fields recognized by grok into elasticsearch via a logstash config for being able to filter in kibana for e.g. wanip

Hope you can help

The logstash looks like this at the moment:

input {
   file {
       path => "/var/log/rsyslog/router1.log"
       start_position => "beginning"
       type => "routerlog"
   }
}

filter {
if [type] == "routerlog" {
  grok {
         match => { "message" => "%{DATE:datum}    <<<<would like to add more custom fields - here? >>>>>>}
}
}
}

output {
elasticsearch {
    hosts => ["localhost:9200"]
}
}

warkolm · October 31, 2016, 6:51am

Does this not work? What happens? What version are you on?

tolasto · October 31, 2016, 7:08am

It's working if I remove the filter section
or just have one match in the filter.
But then it's just recognizing the timestamp and some fields I don't need.
I would like to have it recognizing the IP and fqdn.
How do I send the file nicely parsed (like grok does it easily ) to elasticsearch?

I'm on Version 5.0.0 with all components.

magnusbaeck · October 31, 2016, 8:30pm

Instead of %{DATE:datum}T%{TIME:time}%{ISO8601_TIMEZONE:timezone} use %{TIMESTAMP_ISO8601:timestamp}. For the sake of the date filter you'll want to have the full timestamp in a single field anyway. The DATE pattern doesn't match yyyy-mm-dd dates.

tolasto · October 31, 2016, 9:46pm

Thanks for the tip Yes I probably just need one field for date.
My main problem still is: How do I get everything nicely filtered (with the grok expressions I have) into elasticsearch and Kibana?
I just want to get nicely searchable data in kibana - or do I apply the grok filter somewhere in kibana?
Sorry, noob questions I hope I can start digging through bigger logs soon...

MGG · November 1, 2016, 2:41am

Start with this --
%{TIMESTAMP_ISO8601:timestamp} %{DATA:router} %{DATA:proc}: %{GREEDYDATA:msg}

If you wish to play with grok a bit more and refine your filter, you can use this --

http://grokconstructor.appspot.com/do/match#result

magnusbaeck · November 1, 2016, 6:31am

My main problem still is: How do I get everything nicely filtered (with the grok expressions I have) into elasticsearch and Kibana?

If you extract the fields with the grok filter like you're doing in your first example (where you have %{HOSTNAME:hostname} etc) they will end up in Elasticsearch and will therefore be available in Kibana.

magnusbaeck · November 1, 2016, 6:34am

%{TIMESTAMP_ISO8601:timestamp} %{DATA:router} %{DATA:proc}\: %{GREEDYDATA:msg}

Using more than one DATA or GREEDYDATA in the same expression easily leads to weird matches. I instead suggest use of standard patterns for syslog messages:

%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:host} %{SYSLOGPROG}: %{GREEDYDATA:msg}

github.com

logstash-plugins/logstash-patterns-core/blob/v2.0.5/patterns/grok-patterns#L83-L84


      
          SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
          SYSLOGHOST %{IPORHOST}

tolasto · November 2, 2016, 8:02pm

Thanks all! I went with the last one from magnus. It has no Field for IP but I'll get there
It's a nice tool with a lot of potential.