Rsyslogd - Filebeat - Logstash => bad severity/priority

Elastic Stack Logstash
1

Hello,

I think that this question has been already asked a lot but i didn't find any answer ...

Severity of all my syslog logs is notice and priority of all my syslog logs is user-level.

I tried to change the rsyslog template with:

$template CustomTemplate,"%TIMESTAMP% <%syslogfacility-text%:%syslogfacility%> <%syslogseverity-text%:%syslogseverity%> %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf% (%pri-text%)\n"
$ActionFileDefaultTemplate CustomTemplate

And to change the grok part in logstash but it does not work ...

if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} <%{WORD:syslog_facility}:%{POSINT:syslog_facility_code}> <%{WORD:syslog_severity}:%{POSINT:syslog_severity_code}> %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}

2

I found the solution myself so I share with everybody.

Template to use with rsyslog:

$template CustomTemplate,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate CustomTemplate

Logstash config:

grok {
match => { "message" => "<%{DATA:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}