Parsing syslog entries

I'm trying to structure my mail logs using the pattern %SYSLOGLINE (https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/linux-syslog).

The parse is ok and I'm not getting grokparsefailure, but syslog_facility and syslog_severity always return user-level and notice, respectively.

My filter section:

  if [type] == "syslog" {
    grok {
      match => [ "message", "%{SYSLOGLINE}"]
    }

    syslog_pri { }

    date {
      match => ["syslog_timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss"]
      locale => "en"
      timezone => "America/Sao_Paulo"
    }

  }

The result is something like this:

{"message":["<22>Jun 30 14:44:19 mail1 postfix/smtp[13428]: B2A1365441: to=<accucco@xxx.yyy.zz>, relay=10.10.10.69[10.10.10.69]:25, delay=0.56, delays=0.49/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CB135192997)","B2A1365441: to=<accucco@xxx.yyy.zz>, relay=10.10.10.69[10.10.10.69]:25, delay=0.56, delays=0.49/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CB135192997)"],"@version":"1","@timestamp":"2015-06-30T17:44:19.864Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:19","logsource":"mail1","program":"postfix/smtp","pid":"13428","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}

{"message":["<22>Jun 30 14:44:19 mail1 postfix/qmgr[22929]: B2A1365441: removed","B2A1365441: removed"],"@version":"1","@timestamp":"2015-06-30T17:44:19.864Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:19","logsource":"mail1","program":"postfix/qmgr","pid":"22929","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}

{"message":["<22>Jun 30 14:44:20 mail1 postfix/smtpd[14015]: connect from ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]","connect from ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]"],"@version":"1","@timestamp":"2015-06-30T17:44:20.036Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:20","logsource":"mail1","program":"postfix/smtpd","pid":"14015","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}

{"message":["<22>Jun 30 14:44:20 mail1 postfix/smtpd[14012]: disconnect from ng21.bullet.mail.gq1.yahoo.com[67.195.87.64]","disconnect from ng21.bullet.mail.gq1.yahoo.com[67.195.87.64]"],"@version":"1","@timestamp":"2015-06-30T17:44:20.134Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:20","logsource":"mail1","program":"postfix/smtpd","pid":"14012","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}

{"message":["<22>Jun 30 14:44:20 mail1 postfix/smtpd[13996]: disconnect from ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]","disconnect from ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]"],"@version":"1","@timestamp":"2015-06-30T17:44:20.142Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:20","logsource":"mail1","program":"postfix/smtpd","pid":"13996","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}

  1. How to properly collect severity and facility from syslog?
  2. This <22> at the beginning of each message is normal?

Regards,
Emerson

  1. How to properly collect severity and facility from syslog?

Aren't you already getting the severity and facility in the syslog_severity and syslog_facility fields?

  2. This <22> at the beginning of each message is normal?

That's the encoded severity and facility that the syslog_pri filter extracts.

Aren't you already getting the severity and facility in the syslog_severity and syslog_facility fields?

Unfortunately not. After grok, logstash classifies all my mail logs with facility: USER-LEVEL and severity: NOTICE. Facility should be MAIL and severity in most cases INFO.

I can force facility mail with mutate, but for severity I cannot predict what's coming... :frowning:

Oh, right. By default the syslog_pri filter tries to read the syslog_pri_field_name field, but you're not extracting such a field from the payload. Otherwise it defaults to 13 (see code snippet below), which happens to be user-level/notice. You'll have to adjust your grok pattern slightly to extract a field that syslog_pri can consume.

Problem solved. Thanks Magnus!

I took the example from the Logstash documentation and made a small modification to identify the priority at the beginning of the message.

  if [type] == "syslog" {

    grok {
      match => [ "message", "<%{NONNEGINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
    }

    syslog_pri { }
  }

I suggest putting <%{NONNEGINT:syslog_pri}> in the documentation example, because only then can syslog_pri properly capture the priority of the message. Otherwise, as you previously mentioned, syslog_pri always returns 13, which does not make any sense.

:smile:


Thanks for posting! I have the same problem and changed my logstash configuration file to add <%{NONNEGINT:syslog_pri}> to my grok, but still not getting my severity to show up as non-notice. Here's my filter:

filter {
 if [type] == "syslog" {
    grok {
      match => { "message" => "<%{NONNEGINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

My messages are of this format:

<134>1 2015-01-01T11:12:23.180242-02:00 message

Anyone know why it's still showing up as notice in kibana? Thanks

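To make the PRI arithmetic in this thread concrete, here is an added Python decoder (example code, not part of the thread or of Logstash) that reproduces what syslog_pri computes: facility = PRI / 8, severity = PRI % 8, with 13 as the fallback when no PRI field was extracted. It also classifies the header that follows the PRI as BSD (RFC 3164) or RFC 5424 style; the label tables are assumed to match the names Logstash emits (the thread only confirms "user-level" and "notice").

```python
import re

# Facility/severity labels following the RFC 3164 numbering. "user-level" and
# "notice" appear in the thread's output; the remaining labels are assumed.
FACILITIES = ["kernel", "user-level", "mail", "daemon", "security/authorization",
              "syslogd", "line printer", "network news", "uucp", "clock",
              "security/authorization", "ftp", "ntp", "log audit", "log alert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]
DEFAULT_PRI = 13  # what syslog_pri assumes when the syslog_pri field is missing

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)
# BSD/RFC 3164 header, the shape %{SYSLOGTIMESTAMP} expects: "Jun 30 14:44:19 host "
BSD_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
# RFC 5424 header: version "1", then an ISO 8601 timestamp
RFC5424_RE = re.compile(r"^1 \d{4}-\d{2}-\d{2}T[0-9:.+\-Z]+ ")


def decode_pri(pri):
    """Split a PRI value into the facility/severity fields syslog_pri produces."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {"syslog_pri": pri,
            "syslog_facility_code": facility, "syslog_severity_code": severity,
            "syslog_facility": FACILITIES[facility],
            "syslog_severity": SEVERITIES[severity]}


def parse_line(line):
    """Decode the <PRI> prefix of a raw syslog line and classify its header."""
    m = PRI_RE.match(line)
    if not m:
        # Same effect as the thread's first config: no syslog_pri captured,
        # so everything lands on 13 = user-level/notice.
        result = decode_pri(DEFAULT_PRI)
        result.update(pri_source="default", header=None)
        return result
    result = decode_pri(int(m.group("pri")))
    rest = m.group("rest")
    if BSD_RE.match(rest):
        header = "rfc3164"
    elif RFC5424_RE.match(rest):
        header = "rfc5424"
    else:
        header = "unknown"
    result.update(pri_source="header", header=header)
    return result
```

A line classified as rfc5424 (like the `<134>1 2015-01-01T...` sample above) carries an ISO timestamp that the BSD-style `%{SYSLOGTIMESTAMP}` pattern in the grok above does not match, which is the first thing to check when the severity still comes out as notice.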