Parsing syslog RFC 5424 format

S3l3ct3d · January 13, 2021, 4:20pm

Good morning,

I have a log source that sends syslog messages in RFC 5424 format. I have searched everywhere to figure out how to parse these syslog messages. Since logstash's syslog input is for RFC 3164 format, nothing is working properly.

I have tried multiple grok patterns and nothing seems to work. Can anyone assist?

The raw log coming in looks like this:

{"@version":"1","message":"<40>2021-01-13T11:09:29Z <ipaddress> Agent Desc: Retina\tAgent ID: retina\tAgent Ver: 6.7.6.3716\tCategory: OSDETECT\\CpeString\tSource Host: <hostname>\tEvent Desc: cpe:/o:microsoft:windows_10::v1809:x64\tEvent Name: CPE Name\tOS: \tEvent Severity: 0\tSource IP: <ipaddress>\tEvent Subject: <ipaddress5>\tEvent Type: 0\tUser: <hostname>$\tWorkgroup Desc: BeyondTrust\tWorkgroup ID: BeyondTrust Workgroup\tWorkgroup Location: Default Location\r\n","@timestamp":"2021-01-13T16:09:29.932Z","host":"<ipaddress>"}

Thank you

Badger · January 13, 2021, 8:53pm

I suggest you use a dissect filter to take off the <40>2021-01-13T11:09:29Z <ipaddress> and then a kv filter to parse the rest.

S3l3ct3d · January 13, 2021, 9:07pm

Thanks Badger

system · February 10, 2021, 9:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.