Parsing ASCII character 30

tls · December 3, 2018, 3:35pm

I have several dockers sending their logs to ELK.

input {
udp {
port => 5000
type => docker
}
}
filter {
if [type] == "docker" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
'}

When I listen the UDP packets sent by the Dockers, I can print out the following :

172.17.0.27 : <30>Dec 3 15:32:29 dev-WP_Docker-AT-node_1[991]: 172.22.11.1 - - [03/Dec/2018:15:32:29 +0000] "GET / HTTP/1.0" 200 27334 "-" "Wget/1.19.4 (linux-gnu)"

I would assume <30> is in fact the ASCII character-30... but I cannot remove it and therefore the message is not correctly parsed (it is not parsed at all).

Any hint appreciated.

\T,

system · December 31, 2018, 3:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" Logstash docker	3	1214	May 2, 2021
How to parse Syslog messages Logstash	3	5014	December 7, 2016
Issue with logstash and NNT syslog parsing Logstash	1	389	March 21, 2019
Parse logstash - rfc5424 Logstash	4	1184	December 28, 2020
Parse docker logs with logstash Logstash	5	1609	August 10, 2017

Parsing ASCII character 30

Related topics