Logstash Syslog input plugin | @timestamp issue

Hi, I faced a brick wall and I seem to not be able to overcome it.

My scenario

  1. FW logs coming to a server where they are caught by Syslog-ng
  2. Syslog-ng passes the logs to Logstash on the same server
  3. Currently, as a test Logstash writes the logs to a file.

My problem

I can see my FW logs arriving in the following format (pasted just a single entry)

sudo tcpdump port 514 -v
Msg: May 18 09:11:27 somehost 1/bla/blabla/box_Firewall_Activity: +02:00 Security somehost Block: FWD|TCP|bond1.181||8080|00:00:00:00:00:00||5678|||<no-match>|1234|||0|1|0|0|0|0||||||\0x0a

However, upon their arrival in Logstash (syslog plugin) these log entries seem to have been truncated up to the time zone, and as a result the timestamp ends up in another syslog field/property, @timestamp. Please see below what the message looks like

+02:00 Security somehost Block: FWD|TCP|bond1.181||8080|00:00:00:00:00:00||31900|||<no-match>|4003|||0|1|0|0|0|0||||||

Part of my config

input {
    syslog {
      host => ""
      port => 5000
    }
}

filter {
    if [message] =~ "Security" or [message] =~ "Info" {
        #grok { keep_empty_captures => true match => { "message" => "(?....}
    }
}

In order to parse the FW events I use a grok filter that checks the syslog message field where the raw log is (but without the timestamp, which is in another syslog field, @timestamp).

My filter works like a charm, but now I don't have a timestamp. Below is the content of the file where the logs are written


My question

How can I add a timestamp to my events?

Thank you in advance for any input.

Got it :)
In my grok filter I just added add_field => [ "EventTime", "%{@timestamp}" ]

So my grok filter is
grok { match => { "message" => "balbalbla" } add_field => [ "EventTime", "%{@timestamp}" ] }
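A complete pipeline in the shape of the one above, as an added example rather than the poster's own config: it copies the syslog-header time that the input plugin has already parsed into @timestamp into EventTime before any later filter can overwrite it, then splits the pipe-delimited body into numbered columns without guessing what each position means. The listen address, the time zone ID, the grok field names, the csv target and the output path are assumptions.

```logstash
input {
  syslog {
    host => "0.0.0.0"            # assumption: listen on all interfaces
    port => 5000
    # The header "May 18 09:11:27" carries no zone, while the body says +02:00;
    # tell the input which zone the header time is in (assumed canonical ID).
    timezone => "Europe/Berlin"
  }
}

filter {
  if [message] =~ "Security" or [message] =~ "Info" {
    # Step 1: preserve the header time the input put into @timestamp.
    # Doing this first means a later date filter cannot silently replace it.
    mutate { add_field => { "EventTime" => "%{@timestamp}" } }

    # Step 2: peel off the fixed prefix "+02:00 Security somehost Block:".
    # Field names are assumptions, not the poster's pattern.
    grok {
      keep_empty_captures => true
      match => { "message" => "^%{ISO8601_TIMEZONE:fw_tz} %{WORD:fw_level} %{HOSTNAME:fw_host} %{WORD:fw_action}: %{GREEDYDATA:fw_body}$" }
      tag_on_failure => [ "_fw_grok_failure" ]
    }

    # Step 3: split the pipe-separated body into column1..columnN under [fw].
    # With no columns list the csv filter numbers them, and empty positions
    # (the many "||" in the sample) are kept rather than collapsed.
    if "_fw_grok_failure" not in [tags] {
      csv {
        source    => "fw_body"
        separator => "|"
        target    => "fw"
      }
    }
  }
}

output {
  file { path => "/tmp/fw-events.json" }   # assumption: test output only
}
```

With this ordering EventTime holds the firewall's own reporting time, so a Block event can be correlated against other sources even if ingestion is delayed.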
