Logstash parsing syslog to different indices depending on source hosts

Hello everyone,

I have the following logstash config:
input {
  udp {
    type => "syslog"
    port => 5140
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  if [@fields][logsource] == "foobar" {
    elasticsearch {
      hosts => "localhost:9200"
      user => "elastic"
      password => "XXXX"
      index => "foobar-%{+YYYY.MM.dd}"
    }
  }
  else {
    elasticsearch {
      hosts => "localhost:9200"
      user => "elastic"
      password => "XXXX"
      index => "non-foobar-%{+YYYY.MM.dd}"
    }
  }
}

This is supposed to achieve the following:
Server foobar sends syslog messages to syslog-server-1 and syslog-server-2.
Servers syslog-server-1 and syslog-server-2 have syslog-ng configured to duplicate any network-received syslog to my ELK host.
The ELK host hosts ES, Logstash and Kibana.

The config above is supposed to store foobar syslog in the foobar index and the rest in the non-foobar index.

What I can see so far is that I never get a foobar index, no matter what I try.

Any help is greatly appreciated.

Thanks and regards,

Mathias

Where does this come from? A good practice when debugging configurations is to enable stdout output with a rubydebug codec so that you can see exactly what data the events contain. Then you can see which fields are available and how you need to design your logic accordingly.

Dear Christian,

Thank you for your comment.
I have added the line:
stdout { codec => rubydebug }
before the last } of the output section.

I have run the Logstash binary from the command line and could indeed see that I was not using the correct field name.

So thank you for this first piece of advice; it is much appreciated.

Here is a sample output from stdout:
{
"received_from" => "10.1.1.5",
"@timestamp" => 2017-07-06T11:48:19.000Z,
"syslog_pid" => "28833",
"syslog_hostname" => "foobar",
"syslog_timestamp" => "Jul 6 13:48:19",
"received_at" => "2017-07-06T11:53:33.438Z",
"@version" => "1",
"host" => "10.1.1.5",
"syslog_program" => "puppet-agent",
"message" => "<29>Jul 6 13:48:19 foobar puppet-agent[28833]: blablablablablablablablablabla has failures: true\n",
"type" => "syslog",
"syslog_message" => "blablablablablablablablablablablablablablablabla has failures: true\n"
}

The config now looks like:

if [syslog_hostname] == "foobar"
{

But still no foobar index is created.

Any more hints?

Thanks a lot,

Mathias

But you've verified that you're getting events to the non-foobar index with syslog_hostname being exactly "foobar"?

Dear Magnus,

Thank you for your reply.

My current Logstash config is:

input {
  udp {
    type => "syslog"
    port => 5140
  }
}

filter {
    grok {
      match => { "message" => "<[0-9]*>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      #add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "comin_from", "%{syslog_hostname}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
}

output
{
  if [comin_from] == "foobar1"  {
    elasticsearch
    {
      hosts => "localhost:9200"
      user => "elastic"
      password => "XXXXXXXXXXXXXXXXXX"
      index => "foobar-%{+YYYY.MM.dd}"
    }
  }
  else
  if [comin_from] == "foobar2"  {
    elasticsearch
    {
      hosts => "localhost:9200"
      user => "elastic"
      password => "XXXXXXXXXXXXXXXXXX"
      index => "foobar-%{+YYYY.MM.dd}"
    }
  }
  else
  {
    elasticsearch
    {
      hosts => "localhost:9200"
      user => "elastic"
      password => "XXXXXXXXXXXXXXXXXX"
      index => "non-foobar-%{+YYYY.MM.dd}"
    }
  }
  stdout { codec => rubydebug }
}

When I run it from the command line, I can see results like this:

{
          "comin_from" => "foobar1",
          "@timestamp" => 2017-07-10T12:11:58.000Z,
     "syslog_hostname" => "foobar1",
    "syslog_timestamp" => "Jul 10 14:11:58",
            "@version" => "1",
                "host" => "10.1.1.5",
      "syslog_program" => "kernel",
             "message" => "<4>Jul 10 14:11:58 foobar1 kernel: blablablablablablablablablablablablablablablablablabla\n",
                "type" => "syslog",
      "syslog_message" => "blablablablablablablablablablablablablablablablablabla\n"
}

And I am quite puzzled because once again the foobar index is not getting created, while the non-foobar index, on the other hand, gets everything.

Cheers,

Mathias
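As an added illustration (not part of this thread and not Logstash's own code), the parse-and-route logic of the config above expressed in Python. The regex is an assumption approximating the grok pattern, and the sample lines are constructed from the rubydebug output shown; the point it makes explicit is that the output conditional must compare the hostname parsed out of the message, because the input's [host] field only ever carries the address of the syslog-ng relay (10.1.1.5), never the original sender.

```python
import re
from datetime import datetime

# Assumed Python approximation of the grok pattern from the thread:
# <PRI>SYSLOGTIMESTAMP SYSLOGHOST PROGRAM[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>[0-9]*)>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>[^\[:]+?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$",
    re.DOTALL,
)


def parse_syslog(raw: str, host: str) -> dict:
    """Turn one raw UDP syslog line into the fields the filter section produces.
    `host` plays the role of the udp input's [host] field: the relay's address."""
    m = SYSLOG_RE.match(raw)
    if not m:
        # Same outcome as a grok miss: event kept, tagged, and left unrouted.
        return {"message": raw, "host": host, "tags": ["_grokparsefailure"]}
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event["message"] = raw
    event["host"] = host
    # Equivalent of add_field => [ "comin_from", "%{syslog_hostname}" ]
    event["comin_from"] = event["syslog_hostname"]
    return event


def choose_index(event: dict, day: datetime) -> str:
    """Mirror the output section: route on the parsed hostname, not on [host]."""
    suffix = day.strftime("%Y.%m.%d")          # %{+YYYY.MM.dd}
    if event.get("comin_from") in ("foobar1", "foobar2"):
        return f"foobar-{suffix}"
    return f"non-foobar-{suffix}"


# Constructed samples modelled on the rubydebug output in the thread.
RELAY = "10.1.1.5"
SAMPLE_KERNEL = "<4>Jul 10 14:11:58 foobar1 kernel: blablabla\n"
SAMPLE_PUPPET = "<29>Jul  6 13:48:19 foobar puppet-agent[28833]: has failures: true\n"

if __name__ == "__main__":
    for raw in (SAMPLE_KERNEL, SAMPLE_PUPPET):
        ev = parse_syslog(raw, RELAY)
        print(ev["comin_from"], "->", choose_index(ev, datetime(2017, 7, 10)))
```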

I found out that I had a regex problem, now it works.

Thank you for the hints.

Best regards,

Mathias
