Parsing syslog data: Need help understanding documentation example

gaurav1424 · December 16, 2015, 11:26pm

Hello All,

I am referring logstash example of parsing syslog data : https://www.elastic.co/guide/en/logstash/current/config-examples.html#_processing_syslog_messages

My input line is :
Dec 3 01:22:48 arista1.lab ProcMgr-worker: %PROCMGR-7-NEW_PROCESSES: New processes configured to run under ProcMgr control: ['PciBus', 'Picasso', 'PlxPcie', 'PlxPcie-system']

What I have output with same config mentioned in above link :

{
"message" => "Dec 3 01:22:48 arista1.lab ProcMgr-worker: %PROCMGR-7-NEW_PROCESSES: New processes configured to run under ProcMgr control: ['PciBus', 'Picasso', 'PlxPcie', 'PlxPcie-system']\r",
"@version" => "1",
"@timestamp" => "2015-12-03T09:22:48.000Z",
"host" => "0:0:0:0:0:0:0:1",
"type" => "syslog",
"syslog_timestamp" => "Dec 3 01:22:48",
"syslog_hostname" => "arista1.lab",
"syslog_program" => "ProcMgr-worker",
"syslog_message" => "%PROCMGR-7-NEW_PROCESSES: New processes configured to run under ProcMgr control: ['PciBus', 'Picasso', 'PlxPcie', 'PlxPcie-system']\r",
"received_at" => "2015-12-15T15:46:37.596Z",
"received_from" => "0:0:0:0:0:0:0:1",
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
"syslog_facility" => "user-level",
"syslog_severity" => "notice"
}

Questions :
1: How did it get "@version" => "1" ?
2: Why @timestamp and received_at are different timestamps, I should get almost same time at which this event was sent, right ?
3: I know this is coming from syslog_pri {}
How did it get these fields, My input line does not seem to have these values anywhere.
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
"syslog_facility" => "user-level",
"syslog_severity" => "notice"

Thanks !

gaurav1424 · December 16, 2015, 11:28pm

Also why I am seeing "message" => as first line of parsed data. I dont want to see my message again.

magnusbaeck · December 17, 2015, 10:44am

It's always added to indicate the schema of the message. Previously the message field was named @message and I think @version was added around that time so that consumers of the messages would know what to expect.
Yes, but you're obviously parsing a message from Dec 3 and the @timestamp field should reflect the time an event occurred.
It's the syslog_pri filter that's does this.

Also why I am seeing "message" => as first line of parsed data. I dont want to see my message again.

Then delete or overwrite that field. I prefer overwriting it with the actual message payload.

grok {
  match => ["message", "... %{GREEDYDATA:message}"]
  overwrite => ["message"]
}

gaurav1424 · December 17, 2015, 7:27pm

Thanks a lot once again !

May I know how can I prevent certain Key: value pairs getting displayed in my logstash output section ?
for eg :
I dont want these lines in my output :

"host" => "0:0:0:0:0:0:0:1",
"type" => "syslog",

gaurav1424 · December 17, 2015, 8:01pm

I figured out with remove_field option.

Thanks !