Logstash parsing syslog to different indices depending on source hosts

tias · July 6, 2017, 9:57am

Hello everyone,

I have the following logstash config:
input
{
udp
{
type => "syslog"
port => 5140
}
}

filter
{
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

output
{
if [@fields][logsource] == "foobar"
{
elasticsearch
{
hosts => "localhost:9200"
user => "elastic"
password => "XXXX"
index => "foobar-%{+YYYY.MM.dd}"
}
}
else
{
elasticsearch
{
hosts => "localhost:9200"
user => "elastic"
password => "XXXX"
index => "non-foobar-%{+YYYY.MM.dd}"
}
}
}

this is supposed to achieve the following:
server foobar send syslog messages to syslog-server-1 and syslog-server-2
servers syslog-server-1 and syslog-server-2 have syslog-ng configured to duplicate any network received syslog to my ELK host.
ELK host hosts ES, logstash and kibana

the config above is supposed to store foobar syslog in foobar index and the rest into non-foobar index.

what I can see so far is that I never got a foobar index, no matter my tries.

any help greatly appreciated.

thanks and regards

Mathias

Christian_Dahlqvist · July 6, 2017, 10:01am

Where does this come from? A good practice when debugging configurations is to enable stdout output with a rubydebug codec so that you can see exactly what data the events contain. Then you can see which fields are available and how you need to design your logic accordingly.

tias · July 6, 2017, 12:10pm

Dear Christian,

thank you for your comment.
I have added the line:
stdout { codec => rubydebug }
before the last } from output.

I have run the logstash binary from the cmd line and could see indeed I was not using the correct field name.

so thank you for this first advice, it is much appreciated.

here is a sample output from stdout:
{
"received_from" => "10.1.1.5",
"@timestamp" => 2017-07-06T11:48:19.000Z,
"syslog_pid" => "28833",
"syslog_hostname" => "foobar",
"syslog_timestamp" => "Jul 6 13:48:19",
"received_at" => "2017-07-06T11:53:33.438Z",
"@version" => "1",
"host" => "10.1.1.5",
"syslog_program" => "puppet-agent",
"message" => "<29>Jul 6 13:48:19 foobar puppet-agent[28833]: blablablablablablablablablabla has failures: true\n",
"type" => "syslog",
"syslog_message" => "blablablablablablablablablablablablablablablabla has failures: true\n"
}

the config now looks like:

if [syslog_hostname] == "foobar"
{

but still no foobar index created.

any more hint ?

thanks a lot

Mathias

magnusbaeck · July 9, 2017, 6:33pm

But you've verified that you're getting events to the non-foobar index with syslog_hostname being exactly "foobar"?

tias · July 10, 2017, 3:01pm

Dear Magnus,

thank you for your reply.

my current logstash config is:

input {
  udp {
    type => "syslog"
    port => 5140
  }
}

filter {
    grok {
      match => { "message" => "<[0-9]*>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      #add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "comin_from", "%{syslog_hostname}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
}

output
{
  if [comin_from] == "foobar1"  {
    elasticsearch
    {
      hosts => "localhost:9200"
      user => "elastic"
      password => "XXXXXXXXXXXXXXXXXX"
      index => "foobar-%{+YYYY.MM.dd}"
    }
  }
  else
  if [comin_from] == "foobar2"  {
    elasticsearch
    {
      hosts => "localhost:9200"
      user => "elastic"
      password => "XXXXXXXXXXXXXXXXXX"
      index => "foobar-%{+YYYY.MM.dd}"
    }
  }
  else
  {
    elasticsearch
    {
      hosts => "localhost:9200"
      user => "elastic"
      password => "XXXXXXXXXXXXXXXXXX"
      index => "non-foobar-%{+YYYY.MM.dd}"
    }
  }
  stdout { codec => rubydebug }
}

when I run it from cmd-line, I can see some results as this:

{
          "comin_from" => "foobar1",
          "@timestamp" => 2017-07-10T12:11:58.000Z,
     "syslog_hostname" => "foobar1",
    "syslog_timestamp" => "Jul 10 14:11:58",
            "@version" => "1",
                "host" => "10.1.1.5",
      "syslog_program" => "kernel",
             "message" => "<4>Jul 10 14:11:58 foobar1 kernel: blablablablablablablablablablablablablablablablablabla\n",
                "type" => "syslog",
      "syslog_message" => "blablablablablablablablablablablablablablablablablabla\n"
}

and I am quite puzzled because once again foobar index is not getting created, and non-foobar index on the other hand gets everything.

cheers

Mathias

tias · July 11, 2017, 3:20pm

I found out that I had a regex problem, now it works.

thank you for the hints.

best regards

Mathias

system · August 8, 2017, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash parsing syslog Logstash	8	3520	July 6, 2017
Parsing Syslog to Logstash Logstash	6	488	March 10, 2020
Default Index Pattern (logstash-yyyy.MM.dd) Failing Logstash	8	928	October 25, 2022
Config Logstash for Syslog Logstash	5	1328	April 4, 2017
Filter multiple logs from same file to different index Logstash	2	575	June 23, 2020

Logstash parsing syslog to different indices depending on source hosts

Related topics