Logstash syslog rfc 5424 and rfc 3164 input

Hi,

I want to handle syslogs of both RFCs in ELK 6.7. So far my working config is:

input {
    # listen for syslog on both transports; tag events so the filter can select them
    tcp {
        port => 514
        type => "syslog"
    }
    udp {
        port => 514
        type => "syslog"
    }
}

filter {
    if [type] == "syslog" {
        # BSD-style (RFC 3164) line: timestamp, host, program[pid]: message
        grok {
            match => {
                "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
            }
            # record the sending peer; hash form is the current add_field syntax
            add_field => { "received_from" => "%{host}" }
        }
    }
}

output {
    elasticsearch {
        hosts => ["127.0.0.1:9200"]
    }
    stdout {
        codec => rubydebug
    }
}

And with this I get a _grokparsefailure error while processing many syslog messages. I think the above config only handles RFC 3164.

Can someone please guide me on how I can handle RFC 5424 and RFC 3164 message parsing in Logstash?

Regards,
-Manish
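One way to parse both formats in a single pipeline, added here as an example rather than the poster's config: branch on the RFC 5424 header (`<PRI>VERSION `) and use the `SYSLOG5424LINE` pattern shipped with Logstash's grok patterns for that branch, keeping a BSD-style pattern for everything else. The two sample lines in the comments are constructed; the `syslog_pri` filter option `syslog_pri_field_name` and the `SYSLOG5424LINE` pattern are assumed to be available as in stock Logstash 6.x.

```conf
input {
  tcp { port => 514 type => "syslog" }
  udp { port => 514 type => "syslog" }
}

filter {
  if [type] == "syslog" {
    # RFC 5424 lines start with "<PRI>VERSION ", e.g. (constructed):
    #   <34>1 2019-04-01T12:00:00.000Z host1 sshd 1234 ID47 - Accepted publickey for bob
    if [message] =~ /^<\d{1,3}>\d{1,2} / {
      grok {
        match => { "message" => "%{SYSLOG5424LINE}" }
        add_tag => [ "rfc5424" ]
      }
      # decode <PRI> into syslog_facility / syslog_severity fields
      syslog_pri { syslog_pri_field_name => "syslog5424_pri" }
      date { match => [ "syslog5424_ts", "ISO8601" ] }
    } else {
      # RFC 3164 / BSD line, e.g. (constructed):
      #   <34>Apr  1 12:00:00 host1 sshd[1234]: Accepted publickey for bob
      # The <PRI> prefix is optional because some relays strip it.
      grok {
        match => {
          "message" => "(?:<%{NONNEGINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
        }
        add_tag => [ "rfc3164" ]
      }
      syslog_pri { }
      date { match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] }
    }
    # keep the sending peer on every event; events that still fail either grok
    # keep the default _grokparsefailure tag so they can be reviewed rather than lost
    mutate { add_field => { "received_from" => "%{host}" } }
  }
}

output {
  elasticsearch { hosts => ["127.0.0.1:9200"] }
  stdout { codec => rubydebug }
}
```

Filtering on `tags:_grokparsefailure` in Kibana after the change shows which senders still emit lines neither pattern accepts.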
