I am a logstash noob, and have been trying to find the answer for a few hours now, searching here and all over google. Please forgive me if my question has been asked and answered - I'm starting to see double...
I have a Logstash/Elasticsearch/Kibana setup up and running, and have my index configured, however - I am not able to determine why I don't see any of the syslog severity or facility codes. I am pretty sure it's a grok filtering issue, but as I mentioned, I'm a noob, and I haven't figured it out yet.
Can someone point me in the right direction about a filter to use? I am using a pretty basic one now -
filter {
  if [type] == "syslog" {
    grok {
      # Split the RFC 3164 line into timestamp, host, program, optional [pid] and message.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # Derives facility/severity from the numeric PRI field (default field name: syslog_pri).
    syslog_pri { }
    date {
      # Parse the syslog timestamp into @timestamp (single- and double-digit days).
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
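As an added example that is not part of the question above, the Python script below does with the standard `re` module what the grok and `syslog_pri` filters do together: it captures the RFC 3164 `<PRI>` header that precedes the timestamp (the grok pattern in the question does not capture it, so the `syslog_pri` filter has no number to decode) and splits that value into facility and severity codes and labels. The regex is an approximation of the grok pattern, and the sample log lines are constructed.

```python
import re
from typing import Optional

# Regex equivalent of the question's grok pattern with the <PRI> header
# captured in front of the timestamp (field name "syslog_pri", which is what
# the syslog_pri filter reads by default). \d{1,3} is used rather than grok's
# POSINT so that PRI 0 (kernel.emergency) also matches.
SYSLOG_RE = re.compile(
    r"^<(?P<syslog_pri>\d{1,3})>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Short labels in RFC 5424 table order; the list index is the numeric code.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITY_LABELS = ["emergency", "alert", "critical", "error", "warning",
                   "notice", "informational", "debug"]


def decode_pri(pri: int) -> dict:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1); max is 23*8+7."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = pri >> 3, pri & 7
    return {
        "syslog_facility_code": facility,
        "syslog_severity_code": severity,
        "syslog_facility": FACILITY_LABELS[facility],
        "syslog_severity": SEVERITY_LABELS[severity],
    }


def parse_syslog_line(line: str) -> Optional[dict]:
    """Return grok-style fields plus the decoded PRI, or None if no <PRI> header."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields.update(decode_pri(int(fields["syslog_pri"])))
    return fields


if __name__ == "__main__":
    # Constructed sample: PRI 38 = facility 4 (auth) * 8 + severity 6 (info).
    print(parse_syslog_line("<38>Mar  7 10:15:01 host1 sshd[1234]: Accepted publickey for alice"))
    # Without the <PRI> header there is nothing to decode, which is the symptom in the question.
    print(parse_syslog_line("Mar  7 10:15:01 host1 sshd[1234]: Accepted publickey for alice"))
```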