Logstash, syslog severity, etc


(Don C.) #1

I am a logstash noob, and have been trying to find the answer for a few hours now, searching here and all over google. Please forgive me if my question has been asked and answered - I'm starting to see double.

I have a Logstash/Elasticsearch/Kibana setup and running, and have my index configured, however - I am not able to determine why I don't see any of the syslog severity or facility codes. I am pretty sure it's a grok filtering issue, but as I mentioned, I'm a noob, and I haven't figured it out yet.

Can someone point me in the right direction about a filter to use? I am using a pretty basic one now -

filter {
  if [type] == "syslog" {
    grok {
      # The square brackets around the pid are regex metacharacters and must be escaped
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # Decodes the numeric priority in the syslog_pri field into facility and severity
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}


(Magnus Bäck) #2

Is the syslog_pri field set anywhere? That (configurable) field is used by the syslog_pri filter to populate the facility and severity fields. You're not setting it in the grok filter so unless it's set by the input I don't know how this is supposed to work.
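To make the mechanism in the reply concrete, here is a small Python reimplementation of what the grok pattern in post #1 and the syslog_pri filter do together. It is an added example, not code from the thread or from Logstash itself. The regex mirrors the posted grok pattern but additionally captures the leading `<PRI>` prefix into syslog_pri (in Logstash terms, the equivalent change is prefixing the match pattern with `<%{POSINT:syslog_pri}>`), and decode_pri splits that number into facility and severity exactly as RFC 3164 defines it (pri = facility * 8 + severity). The output field names follow the ones the syslog_pri filter emits; the label tables are assumed to approximate the plugin's and the sample lines are constructed. A line with no `<PRI>` prefix, or a pattern that never captures it, yields no facility or severity, which is the symptom described in the question.

```python
import re

# Severity and facility names by numeric code (RFC 3164 numbering; the
# labels are an assumption meant to approximate the syslog_pri filter's tables).
SEVERITY_LABELS = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# Equivalent of the posted grok pattern, plus an optional <PRI> capture up front.
# Named groups use the same field names the Logstash config in post #1 produces.
SYSLOG_LINE = re.compile(
    r"^(?:<(?P<syslog_pri>\d{1,3})>)?"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>[^\[\s:]+)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)


def decode_pri(pri: int) -> dict:
    """Split a syslog priority into the fields the syslog_pri filter adds."""
    if not 0 <= pri <= 191:  # 23 facilities * 8 severities - 1
        raise ValueError(f"priority out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "syslog_facility_code": facility,
        "syslog_severity_code": severity,
        "syslog_facility": FACILITY_LABELS[facility],
        "syslog_severity": SEVERITY_LABELS[severity],
    }


def parse_syslog_line(line: str):
    """Grok-like parse of one raw syslog line; returns None if it doesn't match."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    # Only when the priority was actually captured is there anything to decode;
    # with the original grok pattern this branch never runs, hence the empty fields.
    if "syslog_pri" in event:
        event.update(decode_pri(int(event["syslog_pri"])))
    return event


if __name__ == "__main__":
    # Constructed sample lines: one with a PRI prefix (as a raw tcp/udp input
    # would deliver it), one without.
    SAMPLES = [
        "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
        "Oct 11 22:14:16 mymachine cron: job done",
    ]
    for raw in SAMPLES:
        print(parse_syslog_line(raw))
```

The first sample decodes to facility 4 (security/authorization) and severity 2 (critical); the second parses cleanly but ends up with no facility or severity fields at all, which is what an event looks like when nothing has populated syslog_pri before the filter runs.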
