Need help with date filter

Hello to everyone!
I am new to the ELK stack, so I need help with a date filter for rsyslog messages from AIX.
I am sending logs from AIX to ELK, and here is what I see in the Logstash stdout:

apr 21 08:45:01 myhost logstash[19429]: [2020-04-21T08:45:01,363][WARN ][org.logstash.Event ][main] Error parsing @timestamp string value=2020-04-21T08:45:01.104840+90:21

{
    "@timestamp" => 2020-04-21T08:45:01.363Z,
          "tags" => [
        [0] "_timestampparsefailure"
    ],
    "_@timestamp" => "2020-04-21T08:45:01.104840+90:21",
          "type" => "rsyslog_aix",
          "host" => "myhost",
    "syslog-tag" => "unix:",
      "@version" => "1",
       "message" => " The privilege command /usr/bin/vmstat, is executed by user with id 200"
}

Currently I am not using any filter for this log type.
What filter can I use to solve this error?

Can you please paste your Logstash configuration as well?

My config looks like this

input {
  beats {
    port => 5044
  }
  udp {
    port  => 5114
    codec => "json"
    type  => "rsyslog_aix"
  }
}

filter {
  if [type] == "nginx_access" {
    # Brackets and quotes inside the grok pattern must be escaped in the config string.
    grok {
      match => { "message" => "%{IPORHOST:remote_ip} - %{DATA:user} \[%{HTTPDATE:access_time}\] \"%{WORD:http_method} %{DATA:url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \"%{DATA:referrer}\" \"%{DATA:agent}\"" }
    }
    # The grok pattern stores the time in access_time, so the date filter must read that field.
    date {
      match => [ "access_time", "dd/MMM/YYYY:HH:mm:ss Z" ]
    }
    geoip {
      source  => "remote_ip"
      target  => "geoip"
      add_tag => [ "nginx-geoip" ]
    }
  }
}

output {
  if [type] == "nginx_access" {
    elasticsearch {
      hosts => "localhost:9200"
      index => "nginx-%{+YYYY.MM.dd}"
    }
  }
  else if "winlogs" in [tags] {
    elasticsearch {
      hosts => "localhost:9200"
      index => "winlogs-%{+YYYY.MM.dd}"
    }
  }
  else if [type] == "rsyslog_aix" {
    elasticsearch {
      hosts => "localhost:9200"
      index => "rsyslog_aix-%{+YYYY.MM.dd}"
    }
  }
  else {
    elasticsearch {
      hosts => "localhost:9200"
      index => "unknown_messages"
    }
  }
  #stdout { codec => rubydebug }
}
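The warning in the first post is caused by the zone suffix of the incoming value: "+90:21" is not a valid UTC offset (real offsets never exceed +/-14:00), so Logstash refuses the string, keeps it in the `_@timestamp` field, tags the event `_timestampparsefailure`, and sets `@timestamp` to the time it received the event. Below is an added example filter block for the `rsyslog_aix` type, written for this thread and not taken from the original posts or from the Logstash project. It assumes the local time part of the string is correct and that the AIX host's clock runs in `Europe/Berlin` (a placeholder; substitute the real zone), and it uses the hypothetical field name `aix_raw_timestamp` to retain the original value for audit. The root cause should still be fixed wherever the "+90:21" suffix is produced; this filter only recovers the events until then.

```logstash
filter {
  if [type] == "rsyslog_aix" and "_timestampparsefailure" in [tags] {
    # Logstash stored the unparseable string in _@timestamp. Keep the raw value
    # so the original evidence survives the rewrite (field name is an assumption).
    mutate {
      copy => { "[_@timestamp]" => "[aix_raw_timestamp]" }
    }

    # Strip the trailing "+90:21" style suffix. A real UTC offset is at most
    # +/-14:00, so anything matching here that failed to parse is bogus.
    # This is a separate mutate because mutate runs copy after gsub.
    mutate {
      gsub => [ "[_@timestamp]", "[+-]\d{2}:\d{2}$", "" ]
    }

    # Re-parse the remaining local time in the zone the AIX host actually uses.
    # The six-digit fraction matches the ".104840" seen in the posted event;
    # ISO8601 is a fallback for events with a different fraction length.
    date {
      match          => [ "[_@timestamp]", "yyyy-MM-dd'T'HH:mm:ss.SSSSSS", "ISO8601" ]
      timezone       => "Europe/Berlin"   # assumption: replace with the AIX host's zone
      target         => "@timestamp"
      remove_tag     => [ "_timestampparsefailure" ]   # only applied when parsing succeeds
      remove_field   => [ "_@timestamp" ]              # only applied when parsing succeeds
      tag_on_failure => [ "_aix_timestamp_unrecoverable" ]
    }
  }
}
```

Put this `filter` block after the existing one (Logstash concatenates filter sections in file order), re-enable `stdout { codec => rubydebug }` in the output while testing, and check that `@timestamp` now reflects the time in the message rather than the receive time. Events that still fail get the `_aix_timestamp_unrecoverable` tag and keep `aix_raw_timestamp`, so nothing is silently dropped or relabelled; a search on that tag is a quick way to spot hosts that emit timestamps in yet another broken form.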
