Parse JSON string contained in a Syslog message

norandom · July 7, 2016, 1:50pm

Hi,

I have a program which sends its JSON data via Syslog.

Example:
Jul 7 14:17:48 10.1.1.221 suricata[28230]: {"timestamp":"2016-07-07T14:19:52.081015+0000",..."}

input {
        file {
                type => "syslog"
                path => [ "/var/log/foo/suricata.log"
                        ]
        }
}

filter {

        if [type] == "syslog" {
                grok {
                        match   =>   {  "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}"  }
                }

                json {
                        source  =>   {  source  => "syslog_message"   }
                }
        }
}

output {
        elasticsearch {
                hosts => ["search-bar.es.amazonaws.com:80"]
        }
}

This yields a strange error:

java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -Xmx1g -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -XX:HeapDumpPath=/opt/logstash/heapdump.hprof -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d

Settings: Default pipeline workers: 4
Logstash startup completed
Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>#<NoMethodError: undefined method `start_with?' for ["source", "syslog_message"]:Array>, "backtrace"=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-event-2.2.4-java/lib/logstash/event.rb:117:in `[]'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-json-2.0.6/lib/logstash/filters/json.rb:69:in `filter'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/filters/base.rb:151:in `multi_filter'", "org/jruby/RubyArray.java:1613:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/filters/base.rb:148:in `multi_filter'", "(eval):83:in `cond_func_1'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):79:in `cond_func_1'", "(eval):66:in `filter_func'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:259:in `filter_batch'", "org/jruby/RubyArray.java:1613:in `each'", "org/jruby/RubyEnumerable.java:852:in
`inject'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:257:in `filter_batch'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:215:in `worker_loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193:in `start_workers'"],
:level=>:error}
NoMethodError: undefined method `start_with?' for ["source", "syslog_message"]:Array
             [] at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-event-2.2.4-java/lib/logstash/event.rb:117
         filter at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-json-2.0.6/lib/logstash/filters/json.rb:69
   multi_filter at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/filters/base.rb:151
           each at org/jruby/RubyArray.java:1613
   multi_filter at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/filters/base.rb:148
    cond_func_1 at (eval):83
           each at org/jruby/RubyArray.java:1613
    cond_func_1 at (eval):79
    filter_func at (eval):66
   filter_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:259
           each at org/jruby/RubyArray.java:1613
         inject at org/jruby/RubyEnumerable.java:852
   filter_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:257
    worker_loop at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:215
  start_workers at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193

Does anyone know what the problem is?

marke72 · July 7, 2016, 2:34pm

Your json filter is incorrect. It should be json { source => "syslog_message" }. Not sure if that's the problem though. Reference https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html#plugins-filters-json-source

norandom · July 7, 2016, 2:57pm

That was the issue. Thank you

Topic		Replies	Views
Problem with parsing json in syslog format Logstash	5	1366	November 18, 2020
Parsing issues of JSON within a syslog event Logstash	1	635	December 29, 2018
JSON parser error Logstash	6	668	May 28, 2021
JSON Parsing Of Filtered Syslog JSON Objects Fails Logstash	3	412	February 26, 2021
Error parsing syslog input message in Logstash Logstash	3	1036	April 12, 2019

Parse JSON string contained in a Syslog message

Related topics