Hi there,
Getting to know the Elastic stack here, and I noticed that normal TCP reliability is not enough for my use case, where the device will be powered off suddenly at arbitrary times. It looks like the rsyslog RELP protocol is the solution, and Logstash seems to have a plugin for that too.
But how is that supposed to be used? I first had a "normal" syslog input, like:
    input {
      syslog {
        type => syslog
        port => 9998
      }
    }
and then I could use a filter like this, for example:

    filter {
      if [program] == "temp_sensors" {
        grok {
          # grok pattern elided in the original post
        }
      }
    }
But now that I have installed the relp plugin and say

    input {
      relp {
        type => syslog
        id => relpinput1
        port => 9998
      }
    }
the filters do not match anything, and from the Elastic DB I can see that it has really parsed and found only the message field. It looks like the whole syslog metadata (program, priorities, facility etc.) is not there.
So the question is: how should I use the relp plugin so that logs are parsed like the syslog plugin does?
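The following pipeline is an added example written for this thread, not the poster's configuration and not code from the Logstash project. It assumes the device forwards in the classic `<PRI>timestamp host program[pid]: msg` shape that rsyslog produces by default, and it reproduces by hand what the syslog input does internally: the relp input only delivers the raw line in `message`, so PRI, timestamp, host and program have to be recovered with the stock grok `SYSLOGLINE` pattern and the `syslog_pri` filter. The field names `priority`, `program`, `logsource`, `pid`, `timestamp` and `timestamp8601` are the ones the built-in `SYSLOGLINE` pattern emits with ECS compatibility disabled; `_grokparsefailure_relp` and the `temp_sensors` tag are arbitrary names chosen here.

```logstash
input {
  relp {
    type => "syslog"
    id   => "relpinput1"
    port => 9998
  }
}

filter {
  if [type] == "syslog" {
    # Split "<PRI>timestamp host program[pid]: msg" the way the syslog input
    # does: the PRI number into "priority", the header via the stock SYSLOGLINE
    # pattern (timestamp, logsource, program, pid) and the remainder written
    # back into "message". ecs_compatibility is disabled so the legacy field
    # names above are used instead of ECS ones such as [process][name].
    grok {
      match => { "message" => "<%{POSINT:priority}>%{SYSLOGLINE}" }
      overwrite => [ "message" ]
      tag_on_failure => [ "_grokparsefailure_relp" ]
      ecs_compatibility => disabled
    }

    # Decode PRI into facility and severity numbers and labels. Note the field
    # names are the syslog_pri filter's (syslog_facility, syslog_severity_code,
    # ...), not the syslog input's (facility, severity_label, ...), so any
    # downstream filters keyed on the input's names need adjusting.
    syslog_pri {
      syslog_pri_field_name => "priority"
      ecs_compatibility => disabled
    }

    # rsyslog's default forwarding template emits an RFC 3339 timestamp, which
    # SYSLOGLINE stores in "timestamp8601"; a BSD-style "Mar  7 13:05:01" stamp
    # lands in "timestamp" instead. Handle both so @timestamp is the device's
    # time, not the time the buffered RELP batch finally arrived.
    if [timestamp8601] {
      date { match => [ "timestamp8601", "ISO8601" ] }
    } else if [timestamp] {
      date { match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] }
    }

    # The original program-based routing works again because SYSLOGLINE
    # populates [program]; the tag is just a placeholder for the real grok.
    if [program] == "temp_sensors" {
      mutate { add_tag => [ "temp_sensors" ] }
    }

    # Lines that did not parse keep their raw "message" and carry the failure
    # tag, so nothing is silently dropped and malformed input stays visible.
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f relp-syslog.conf` and point the device's rsyslog `omrelp` action at port 9998; events that fail the grok stay intact with the `_grokparsefailure_relp` tag, which is worth alerting on since a sudden change in line format is the usual cause. If the device talks across a network you do not fully control, the relp input's `ssl_enable` and related `ssl_*` settings are worth turning on as well, since RELP only adds delivery acknowledgement, not confidentiality or peer authentication.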