Parse logstash - rfc5424

Paulogbr · November 29, 2020, 4:24pm

Hello guys, I need help to parse the syslog RFC 5424 with logstash.

<190> 1 2020-11-28T14:18:03-02:00 workstantion1030.teste.corp WSEE - - [message@01-] @cee:{"type":"1","timestamp":"4698753981054","host_name":"","user_name":"","time":"1606666683","EventContextType":"0","rtid"

I Try this:

input {
  udp {
    port => "5160"
    type => "syslog"
  }
}

filter {
    if [type] == "syslog" {
        grok {
            match => {
                "message" => "<%{NONNEGINT:syslog_pri} %{NONNEGINT:version}%{GREEDYDATA:syslog_message})"
            }

But i have error because the ( <190> 1 ), can you help me ?

Badger · November 29, 2020, 7:30pm

You are missing the > after syslog_pri.

Paulogbr · November 30, 2020, 4:25pm

Thanks, that Works.

Can you help about parse the @cee ?

I can try %{DATA:message_01}:cee , but i think the problem is "@".

Badger · November 30, 2020, 4:35pm

There is no colon preceding cee, but you have one in your pattern.

system · December 28, 2020, 4:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.