Hello,
I think this question has already been asked a lot, but I didn't find any answer...
The severity of all my syslog logs is notice and the priority of all my syslog logs is user-level.
I tried to change the rsyslog template with:
# Custom line format: timestamp <facility:code> <severity:code> host tag message (facility.severity)
$template CustomTemplate,"%TIMESTAMP% <%syslogfacility-text%:%syslogfacility%> <%syslogseverity-text%:%syslogseverity%> %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf% (%pri-text%)\n"
# Use it for every file action that has no explicit template
$ActionFileDefaultTemplate CustomTemplate
And I tried to change the grok part in Logstash, but it does not work...
if [type] == "syslog" {
  grok {
    # Parse the custom rsyslog line: timestamp <facility:code> <severity:code> host program[pid]: message
    # The pid brackets must be escaped, otherwise "[...]" is read as a regex character class.
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} <%{WORD:syslog_facility}:%{POSINT:syslog_facility_code}> <%{WORD:syslog_severity}:%{POSINT:syslog_severity_code}> %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]
  }
  # syslog_pri decodes the syslog_pri field (13 = user-level.notice when the field is missing)
  # into syslog_facility / syslog_severity, replacing whatever grok extracted above.
  syslog_pri { }
  date {
    # rsyslog pads single-digit days with a space ("Jun  5"), hence the double-space pattern
    match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}
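To see what the filter chain above actually does to an event, here is an added example (not code from the question or from Logstash itself) that replays it in Python: a regex equivalent to the grok pattern, followed by a function that behaves like the syslog_pri filter. The sample log lines are constructed for the example; the first is what the CustomTemplate in the question produces, the second is the same line with rsyslog's numeric `<%PRI%>` prepended. The facility and severity label lists are modelled on the default labels of the syslog_pri filter.

```python
import re

# Label lists modelled on the defaults of Logstash's syslog_pri filter (assumption:
# copied from memory of the plugin defaults, not read from the page).
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITY_LABELS = [
    "emergency", "alert", "critical", "error", "warning", "notice",
    "informational", "debug",
]

# Python equivalent of the grok pattern from the question (pid brackets escaped),
# plus an optional leading "<PRI>" block that a template starting with <%PRI%> would emit.
LINE_RE = re.compile(
    r"^(?:<(?P<syslog_pri>\d{1,3})>)?"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"<(?P<syslog_facility>\w+):(?P<syslog_facility_code>\d+)> "
    r"<(?P<syslog_severity>\w+):(?P<syslog_severity_code>\d+)> "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)


def grok(line):
    """Stand-in for the grok filter: named captures become event fields."""
    m = LINE_RE.match(line)
    if not m:
        return {"tags": ["_grokparsefailure"]}
    return {k: v for k, v in m.groupdict().items() if v is not None}


def syslog_pri(event, default_pri=13):
    """Stand-in for the syslog_pri filter: decode the syslog_pri field (13 if absent)
    and overwrite the facility/severity fields, whatever grok put there."""
    pri = int(event.get("syslog_pri", default_pri))
    facility, severity = divmod(pri, 8)  # RFC 5424: PRI = facility * 8 + severity
    event["syslog_facility_code"] = facility
    event["syslog_severity_code"] = severity
    event["syslog_facility"] = (
        FACILITY_LABELS[facility] if facility < len(FACILITY_LABELS) else "unknown"
    )
    event["syslog_severity"] = SEVERITY_LABELS[severity]
    return event


def process(line):
    """The filter chain from the question: grok, then syslog_pri."""
    return syslog_pri(grok(line))


# Constructed sample lines (not taken from the question).
# LINE_WITHOUT_PRI is what CustomTemplate writes for a daemon.info message;
# LINE_WITH_PRI is the same line with rsyslog's numeric <%PRI%> (3*8+6 = 30) in front.
LINE_WITHOUT_PRI = (
    "Jun  5 10:42:01 <daemon:3> <info:6> web01 sshd[1234]: "
    "Accepted publickey for alice from 10.0.0.7 (daemon.info)"
)
LINE_WITH_PRI = "<30>" + LINE_WITHOUT_PRI

if __name__ == "__main__":
    for line in (LINE_WITHOUT_PRI, LINE_WITH_PRI):
        ev = process(line)
        print(ev["syslog_facility"], ev["syslog_severity"], ev["syslog_program"], ev.get("syslog_pid"))
```

Running it shows the symptom from the question: the first line is grokked as daemon/info, but because no `syslog_pri` field exists, the syslog_pri step falls back to 13 and rewrites the event to user-level/notice. The second line keeps daemon/informational because the numeric PRI is present. So either drop `syslog_pri { }` and trust the fields grok already extracted, or put `<%PRI%>` at the front of the rsyslog template and start the grok pattern with `<%{POSINT:syslog_pri}>` so the filter has a real value to decode.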