I'm trying to structure my mail logs using the pattern %{SYSLOGLINE} (https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/linux-syslog).
The parse is OK and I'm not getting a _grokparsefailure, but syslog_facility and syslog_severity always return "user-level" and "notice", respectively.
My filter section:
    if [type] == "syslog" {
      grok {
        match => [ "message", "%{SYSLOGLINE}" ]
      }
      syslog_pri { }
      date {
        match => [ "syslog_timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
        locale => "en"
        timezone => "America/Sao_Paulo"
      }
    }
The result looks like this:
{"message":["<22>Jun 30 14:44:19 mail1 postfix/smtp[13428]: B2A1365441: to=<accucco@xxx.yyy.zz>, relay=10.10.10.69[10.10.10.69]:25, delay=0.56, delays=0.49/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CB135192997)","B2A1365441: to=<accucco@xxx.yyy.zz>, relay=10.10.10.69[10.10.10.69]:25, delay=0.56, delays=0.49/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CB135192997)"],"@version":"1","@timestamp":"2015-06-30T17:44:19.864Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:19","logsource":"mail1","program":"postfix/smtp","pid":"13428","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}
{"message":["<22>Jun 30 14:44:19 mail1 postfix/qmgr[22929]: B2A1365441: removed","B2A1365441: removed"],"@version":"1","@timestamp":"2015-06-30T17:44:19.864Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:19","logsource":"mail1","program":"postfix/qmgr","pid":"22929","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}
{"message":["<22>Jun 30 14:44:20 mail1 postfix/smtpd[14015]: connect from ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]","connect from ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]"],"@version":"1","@timestamp":"2015-06-30T17:44:20.036Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:20","logsource":"mail1","program":"postfix/smtpd","pid":"14015","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}
{"message":["<22>Jun 30 14:44:20 mail1 postfix/smtpd[14012]: disconnect from ng21.bullet.mail.gq1.yahoo.com[67.195.87.64]","disconnect from ng21.bullet.mail.gq1.yahoo.com[67.195.87.64]"],"@version":"1","@timestamp":"2015-06-30T17:44:20.134Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:20","logsource":"mail1","program":"postfix/smtpd","pid":"14012","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}
{"message":["<22>Jun 30 14:44:20 mail1 postfix/smtpd[13996]: disconnect from ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]","disconnect from ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]"],"@version":"1","@timestamp":"2015-06-30T17:44:20.142Z","type":"syslog","host":"10.10.10.78","timestamp":"Jun 30 14:44:20","logsource":"mail1","program":"postfix/smtpd","pid":"13996","syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}
- How do I properly collect severity and facility from syslog?
- Is this <22> at the beginning of each message normal?
Regards,
Emerson
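Added worked example (not part of the original post, and not Logstash's own code): the `<22>` prefix is the RFC 3164 PRI value, facility*8 + severity, and it is normal for messages received over the syslog input. The SYSLOGLINE pattern is not anchored at the start of the line and never captures that prefix into a field, so the syslog_pri filter falls back to its default of 13, which decodes to exactly the user-level/notice you are seeing. The script below, in Python rather than a Logstash config so it can be run offline, parses the posted postfix lines with a grok-equivalent regex that does capture the PRI, decodes facility and severity the same way the filter does, and shows the default-13 fallback. The facility/severity label tables and the regex are my own assumptions modelled on the filter's output names; the sample lines are taken from the post.

```python
import re

# RFC 3164 facility and severity labels, indexed by numeric code.
# Assumed to follow the naming used by Logstash's syslog_pri filter.
FACILITIES = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]
DEFAULT_PRI = 13  # what syslog_pri assumes when no PRI field is present

# Grok-equivalent regex: unlike SYSLOGLINE it is anchored at ^ and captures
# the optional "<PRI>" prefix before the BSD timestamp.  Assumed pattern.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def decode_pri(pri):
    """Split a PRI value into (facility_code, severity_code, facility, severity)."""
    if not 0 <= pri <= 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %r" % pri)
    facility = pri >> 3   # integer division by 8
    severity = pri & 7    # remainder modulo 8
    return facility, severity, FACILITIES[facility], SEVERITIES[severity]


def parse_line(line):
    """Parse one syslog line into the fields the grok + syslog_pri pair would produce."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return {"tags": ["_grokparsefailure"], "message": line}
    fields = m.groupdict()
    # Missing PRI: behave like the filter and fall back to 13 (user-level/notice).
    pri = int(fields.pop("pri") or DEFAULT_PRI)
    fac_code, sev_code, fac, sev = decode_pri(pri)
    fields.update({
        "syslog_pri": pri,
        "syslog_facility_code": fac_code,
        "syslog_severity_code": sev_code,
        "syslog_facility": fac,
        "syslog_severity": sev,
    })
    return fields


# Constructed sample input, copied from the lines shown in the post.
SAMPLE_LINES = [
    "<22>Jun 30 14:44:19 mail1 postfix/smtp[13428]: B2A1365441: to=<accucco@xxx.yyy.zz>, "
    "relay=10.10.10.69[10.10.10.69]:25, delay=0.56, delays=0.49/0/0/0.06, dsn=2.0.0, "
    "status=sent (250 2.0.0 Ok: queued as CB135192997)",
    "<22>Jun 30 14:44:19 mail1 postfix/qmgr[22929]: B2A1365441: removed",
    "<22>Jun 30 14:44:20 mail1 postfix/smtpd[14015]: connect from "
    "ng18-ip3.bullet.mail.ne1.yahoo.com[98.138.215.104]",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_line(line)
        print("%-13s pri=%2d facility=%s severity=%s" % (
            f["program"], f["syslog_pri"], f["syslog_facility"], f["syslog_severity"]))
    print("default PRI %d decodes to %s" % (DEFAULT_PRI, decode_pri(DEFAULT_PRI)[2:]))
```

Running it shows every postfix line decoding to facility "mail" and severity "informational" (22 = 2*8 + 6), while a line whose PRI was not captured decodes to "user-level"/"notice" (13 = 1*8 + 5). In Logstash terms the equivalent change is to capture the prefix into the field the syslog_pri filter reads, e.g. match on "^<%{POSINT:syslog_pri}>%{SYSLOGLINE}"; note also that SYSLOGLINE names its timestamp field "timestamp", so the date filter above, which looks at "syslog_timestamp", will not find it.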