Logstash - how to parse rsyslog date field from logs message into @timestamp (UTC)

Jenisha_Ramanathan · March 2, 2021, 5:27am

Hi Team,

I am trying to monitor Linux logs with rsyslog and kibana. Able to receive the logs from rsyslog client to rsyslog server and load the data to elastic. Getting the reported time in kibana ( UTC format ) but we need to get the time from raw logs (EST format) and made it as global time filter.

Please find the below configuration used to load the data to elastic in the given json format and the logstash configuration.

json-template.conf:

template(name="json-template"
type="list") {
constant(value="{")
constant(value=""@timestamp":"") property(name="timereported" dateFormat="rfc3339")
constant(value="","@version":"1")
constant(value="","message":"") property(name="msg" format="json")
constant(value="","sysloghost":"") property(name="hostname")
constant(value="","severity":"") property(name="syslogseverity-text")
constant(value="","facility":"") property(name="syslogfacility-text")
constant(value="","programname":"") property(name="programname")
constant(value="","procid":"") property(name="procid")
constant(value=""}\n")
}

logstash.conf:

input {
udp {
host => "127.0.0.1"
port => 10514
codec => "json"
type => "rsyslog"
}
}
output {
if [type] == "rsyslog" {
elasticsearch {
hosts => ["http://10.67.169.18:9200"]
index => "rsyslog-logstash-%{+YYYY.MM.dd}"
user => "elastic"
password => "Infy123++"
}
}
}

Sample Output json for single document:

{
"_index": "rsyslog-logstash-2021.03.01",
"_type": "_doc",
"_id": "QiZe8XcBAmuLMuU_V1Et",
"_version": 1,
"_score": null,
"_source": {
"@version": "1",
"message": " I0302 00:17:07.513325 1667 kubelet_network_linux.go:111] Not using --random-fully in the MASQUERADE rule for iptables because the local version of iptables does not support it",
"facility": "daemon",
"host": "127.0.0.1",
"@timestamp": "2021-03-01T18:47:07.000Z",
"programname": "kubelet",
"sysloghost": "blb44imspro009",
"procid": "-",
"type": "rsyslog",
"severity": "info"
},
"fields": {
"@timestamp": [
"2021-03-01T18:47:07.000Z"
]
},

In the above sample example, i need to get the date from message in timestamp format.
Current output:
message - > I0302 00:17:07.513325
@timestamp -> 2021-03-01T18:47:07.000Z
Expected output :
message - > I0302 00:17:07.513325
@timestamp - > 2021-03-02T00:17:07.000Z

Could you kindly help me on how to extract the date filed from the input pattern and parse the field into @ timestamp.
Thank you in advance.

Badger · March 5, 2021, 4:27pm

I have not tested it, but you could try

grok { match => { "message" => "(?<[@metadata][ts]>\d{4} \d{2}:\d{2}:\d{2})" } }
date { match => [ "[@metadata][ts]", "MMdd HH:mm:ss" ] }

See comments on guessing the year here.

system · April 2, 2021, 4:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
UTC vs EST log events in Kibana Logstash	6	683	March 24, 2021
Set timestamp from message Logstash	5	2685	April 30, 2021
Parsing log date into timestamp Logstash	2	446	February 8, 2022
Log Timezone Question Logstash	13	4849	January 10, 2020
Logstash Date parsing error Logstash	12	406	April 1, 2022

Logstash - how to parse rsyslog date field from logs message into @timestamp (UTC)

Related Topics