Logstash syslog help

Hi All,

I am having a problem with logstash with grok. I am successfully able to use the NetScreen firewall logs %{NETSCREENSESSIONLOG} in grok debugger. But when I run it, I get grokparsefailure. I notice the log is different between rsyslog and the output from logstash.
Rsyslog:
Dec 8 21:20:15 gateway RWING-FW: NetScreen device_id=RWING-FW [Root]system-notification-00257(traffic): start_time="2019-12-08 21:25:14" duration=2 policy_id=1 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=85 rcvd=97 src=10.10.10.86 dst=66.33.205.230 src_port=61003 dst_port=53 src-xlated ip=135.23.196.241 port=9387 dst-xlated ip=66.33.205.230 port=53 session_id=31695 reason=Close - RESP

Logstash:
"message" => "<133>RWING-FW: NetScreen device_id=RWING-FW [Root]system-notification-00257(traffic): start_time="2019-12-09 14:55:27" duration=0 policy_id=320001 service=proto:88/port:0 proto=88 src zone=Null dst zone=self action=Deny sent=0 rcvd=66 src=10.10.10.251 dst=224.0.0.10 session_id=0\u0000",
"type" => "syslog"

Where does the <133> come from?

Thanks in advance

That is the PRI from an RFC3164 syslog message.

Thanks Badger. I'll look into the RFC3164.

I guess the timestamp that I see in rsyslog is a timestamp from rsyslog and not from the log sent by the firewall, right? That is why logstash does not see a timestamp?
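To show concretely what the two questions in this thread are about (the `<133>` prefix, and the timestamp that is present in the rsyslog file but not in the message Logstash receives), here is an added example that is not code from the thread or from Logstash. It decodes the RFC 3164 PRI into facility and severity, then parses both sample lines tolerantly: the header (timestamp and host) is optional, because rsyslog prepends it when writing to file while the raw message from the firewall carries only the PRI. If the grok pattern starts with a syslog timestamp and host (to my knowledge the stock NETSCREENSESSIONLOG pattern does, which is an assumption here), it cannot match the raw message, hence the parse failure; the Deny message in the thread also lacks the port and xlated fields a rigid pattern expects. The two input lines are constructed from the thread, and the regexes and field names are my own, not Logstash's.

```python
import re

# Conventional RFC 3164 facility and severity names (indices are the numeric codes).
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock',
              'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7']
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

# Constructed sample inputs copied from the thread: the line as rsyslog wrote it to
# file (timestamp and hostname prepended by rsyslog) and the raw message as the
# Logstash syslog input received it (PRI present, no header, trailing NUL byte).
RSYSLOG_LINE = ('Dec 8 21:20:15 gateway RWING-FW: NetScreen device_id=RWING-FW '
    '[Root]system-notification-00257(traffic): start_time="2019-12-08 21:25:14" '
    'duration=2 policy_id=1 service=dns proto=17 src zone=Trust dst zone=Untrust '
    'action=Permit sent=85 rcvd=97 src=10.10.10.86 dst=66.33.205.230 src_port=61003 '
    'dst_port=53 src-xlated ip=135.23.196.241 port=9387 dst-xlated ip=66.33.205.230 '
    'port=53 session_id=31695 reason=Close - RESP')
LOGSTASH_LINE = ('<133>RWING-FW: NetScreen device_id=RWING-FW '
    '[Root]system-notification-00257(traffic): start_time="2019-12-09 14:55:27" '
    'duration=0 policy_id=320001 service=proto:88/port:0 proto=88 src zone=Null '
    'dst zone=self action=Deny sent=0 rcvd=66 src=10.10.10.251 dst=224.0.0.10 '
    'session_id=0\u0000')

PRI_RE = re.compile(r'^<(\d{1,3})>')                       # "<133>" prefix
HEADER_RE = re.compile(                                    # "Dec 8 21:20:15 gateway "
    r'^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ')
SESSION_RE = re.compile(                                   # tag, device id, event, key=value tail
    r'^(?P<tag>[\w-]+): NetScreen device_id=(?P<device_id>\S+) (?P<event>\S+): (?P<fields>.*)$')
# Multi-word keys are listed first so "src zone=Trust" is not split into "zone=Trust".
KV_RE = re.compile(r'(src-xlated ip|dst-xlated ip|src zone|dst zone|\w+)=("[^"]*"|\S+)')


def decode_pri(pri):
    """Split an RFC 3164 PRI value: facility is PRI // 8, severity is PRI % 8."""
    if not 0 <= pri <= 191:
        raise ValueError(f'PRI out of range: {pri}')
    facility, severity = pri >> 3, pri & 7
    return facility, severity, FACILITIES[facility], SEVERITIES[severity]


def parse_fields(text):
    """Parse the key=value tail; tolerates missing keys and the free-text reason."""
    fields = {}
    m = re.search(r' ?\breason=(.*)$', text)   # reason may contain spaces ("Close - RESP")
    if m:
        fields['reason'] = m.group(1).strip()
        text = text[:m.start()]
    prev = None
    for raw_key, value in KV_RE.findall(text):
        key = raw_key
        if key == 'port' and prev in ('src-xlated ip', 'dst-xlated ip'):
            key = prev.replace(' ip', ' port')   # disambiguate the two bare "port=" keys
        fields[key.replace('-', '_').replace(' ', '_')] = value.strip('"')
        prev = raw_key
    return fields


def parse_line(line):
    """Parse a NetScreen traffic log with or without PRI and with or without syslog header."""
    event = {'pri': None, 'facility': None, 'severity': None, 'timestamp': None, 'host': None}
    rest = line.rstrip('\x00')                 # drop the trailing NUL seen in the Logstash message
    m = PRI_RE.match(rest)
    if m:
        event['pri'] = int(m.group(1))
        _, _, event['facility'], event['severity'] = decode_pri(event['pri'])
        rest = rest[m.end():]
    m = HEADER_RE.match(rest)                  # only present when a relay such as rsyslog added it
    if m:
        event['timestamp'], event['host'] = m.group('timestamp'), m.group('host')
        rest = rest[m.end():]
    m = SESSION_RE.match(rest)
    if not m:
        raise ValueError('not a NetScreen traffic log: ' + rest[:40])
    event.update(tag=m.group('tag'), device_id=m.group('device_id'), event=m.group('event'))
    event['fields'] = parse_fields(m.group('fields'))
    return event


if __name__ == '__main__':
    for line in (RSYSLOG_LINE, LOGSTASH_LINE):
        ev = parse_line(line)
        print(ev['pri'], ev['facility'], ev['severity'], ev['timestamp'], ev['host'],
              ev['fields'].get('action'), ev['fields'].get('reason'))
```

Running it shows the Logstash message decoding to facility local0, severity notice, with no timestamp or host at all, while the rsyslog line has the header and no PRI. In a pipeline, the usual fix is to let the syslog input (or a first grok stage) strip the PRI and set the timestamp from the firewall's own start_time field, then apply a key=value stage rather than one long pattern that requires every field to be present.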

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.