Logstash syslog help

Hi All,

I am having problem with logstash with grok. I am successfully to use the NetScreen firewall logs %{NETSCREENSESSIONLOG} in grok debugger. But when I run it, I get grokpasefailure. I notice the log is different between rsyslog and the output from logstash.
Dec 8 21:20:15 gateway RWING-FW: NetScreen device_id=RWING-FW [Root]system-notification-00257(traffic): start_time="2019-12-08 21:25:14" duration=2 policy_id=1 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=85 rcvd=97 src= dst= src_port=61003 dst_port=53 src-xlated ip= port=9387 dst-xlated ip= port=53 session_id=31695 reason=Close - RESP

"message" => "<133>RWING-FW: NetScreen device_id=RWING-FW [Root]system-notification-00257(traffic): start_time="2019-12-09 14:55:27" duration=0 policy_id=320001 service=proto:88/port:0 proto=88 src zone=Null dst zone=self action=Deny sent=0 rcvd=66 src= dst= session_id=0\u0000",
"type" => "syslog"

Where the <133> come from?

Thanks in advance

That is the PRI from an RFC3164 syslog message.

Thanks Badger. I'll look into the RFC3164.

I guess the timestamp that I see in rsyslog is a timestamp from the rsyslog and not from the log send by the firewall, right? That is why logstash do not see a timestamp?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.