Hi All,
I am having problem with logstash with grok. I am successfully to use the NetScreen firewall logs %{NETSCREENSESSIONLOG} in grok debugger. But when I run it, I get grokpasefailure. I notice the log is different between rsyslog and the output from logstash.
Rsyslog:
Dec 8 21:20:15 gateway RWING-FW: NetScreen device_id=RWING-FW [Root]system-notification-00257(traffic): start_time="2019-12-08 21:25:14" duration=2 policy_id=1 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=85 rcvd=97 src=10.10.10.86 dst=66.33.205.230 src_port=61003 dst_port=53 src-xlated ip=135.23.196.241 port=9387 dst-xlated ip=66.33.205.230 port=53 session_id=31695 reason=Close - RESP
Logstatsh:
"message" => "<133>RWING-FW: NetScreen device_id=RWING-FW [Root]system-notification-00257(traffic): start_time="2019-12-09 14:55:27" duration=0 policy_id=320001 service=proto:88/port:0 proto=88 src zone=Null dst zone=self action=Deny sent=0 rcvd=66 src=10.10.10.251 dst=224.0.0.10 session_id=0\u0000",
"type" => "syslog"
Where the <133> come from?
Thanks in advance