Parsing syslog entries

eacoimbra · July 2, 2015, 10:06am

Problem solved. Thanks Magnus!

I took the example of Logstash documentation and made a small modification to identify the priority at the beginning of the message.

  if [type] == "syslog" {

    grok {
      match => [ "message", "<%{NONNEGINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
    }

    syslog_pri { }

I suggest to put <%{NONNEGINT:syslog_pri}> in documentation example, because only with then the syslog_pri can properly capture the priority of the message. Otherwise, as you previously mentioned, syslog_pri always return 13 and it does not make any sense.

Topic		Replies	Views
How to parse Syslog messages Logstash	3	5007	December 7, 2016
Logstash syslog _grokparsefailure errors Logstash	2	1271	June 11, 2019
Grok pattern for this syslog message for Logstash? Logstash	9	4415	November 2, 2021
Logstash, syslog severity, etc Logstash	2	2066	July 6, 2017
Grok parsing, still not solved Logstash	15	573	March 13, 2019

Parsing syslog entries

Related Topics