Parsing syslog entries

Problem solved. Thanks Magnus!

I took the example from the Logstash documentation and made a small modification to identify the priority at the beginning of the message.

  if [type] == "syslog" {

    # the leading <%{NONNEGINT:syslog_pri}> captures the PRI header so syslog_pri can decode it
    grok {
      match => [ "message", "<%{NONNEGINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
    }

    syslog_pri { }
  }

I suggest putting <%{NONNEGINT:syslog_pri}> in the documentation example, because only then can syslog_pri properly capture the priority of the message. Otherwise, as you previously mentioned, syslog_pri always returns 13 and it does not make any sense.

:smile:

2 Likes
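The parse that the config above performs, written out as an added Python example (not part of the original post and not Logstash's own code): the regex is a constructed approximation of the grok line, and the facility/severity decoding mirrors what the syslog_pri filter does, including the fallback to 13 (user-level.notice) when no PRI was captured.

```python
import re

# Constructed approximation of the grok line from the post; grok's SYSLOGHOST
# and DATA sub-patterns are looser than the ones used here.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<syslog_pri>\d+)>)?"                                      # <PRI>, optional
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "  # e.g. Oct 11 22:14:15
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>[^\[:]+?)"
    r"(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Labels in RFC 3164 order, as used by the Logstash syslog_pri filter.
FACILITIES = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]

DEFAULT_PRI = 13  # syslog_pri assumes this when the field is absent


def parse_syslog(line):
    """Return the grok-style fields plus decoded facility/severity, or None."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    # PRI = facility * 8 + severity; values above 191 are not valid.
    pri = int(event.get("syslog_pri", DEFAULT_PRI))
    if pri > 191:
        return None
    event["syslog_facility_code"] = pri // 8
    event["syslog_severity_code"] = pri % 8
    event["syslog_facility"] = FACILITIES[pri // 8]
    event["syslog_severity"] = SEVERITIES[pri % 8]
    return event


# Constructed sample lines: one with a PRI header, one without.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "Oct 11 22:14:15 mymachine cron: job started",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog(sample))
```

The second sample shows the symptom from the thread: without the PRI header every event decodes to user-level/notice regardless of its real priority.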