Severity_label not available with tcp input


(Willemdh) #1

Hello,

I'm having an issue with an Infoblox filter I'm working on. As I can't use the default syslog filter, I have to use tcp input. This is working fine except for one part and that is the severity_label not being available. I suppose I have to use this plugin: https://www.elastic.co/guide/en/logstash/current/plugins-filters-syslog_pri.html#plugins-filters-syslog_pri
But I don't really get it to work.
An example message that should have an informational severity_label =>
<134>Jul 15 08:53:58 10.23.17.250 dhcpd[10639]: DHCPACK to 10.23.136.206 (f8:b1:56:de:be:4d) via eth2
And another that should have an error severity_label =>
<131>Jul 15 08:53:58 10.15.17.251 dhcpd[31808]: Unable to add forward map from PRGEN11420.gep.gt.be to 10.15.129.164: REFUSED
So I need to somehow retrieve the severity_label from <131> or <134>. I'm using this filter to start with:

if [type] == "syslog-infoblox" {
  grok {
    break_on_match => false
    match => [ "message", "\A%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP} %{HOSTNAME} %{SYSLOGPROG}: %{GREEDYDATA:info}" ]
    add_tag => "grokked_syslog_infoblox"
  }
  syslog_pri {
    # option values use the "=>" assignment and a quoted string
    syslog_pri_field_name => "syslog5424_pri"
  }
}

for this input:

tcp {
  type => "syslog-infoblox"
  port => 5525
}

Any hint how to use this syslog_pri plugin, so I get a field severity_label that contains the syslog severity label?

Thanks and grtz

Willem


(Magnus Bäck) #2

Is the syslog5424_pri field extracted correctly? If you add a stdout { codec => rubydebug } output, what do you get?


(Mi C Ro Pho Bic) #3

Hi willemdh,

I tried to reply to your question in the Nagios forum, but I can't post a reply there (I created a forum account yesterday, but still cannot post anything). So I'm posting it here; it is the right place anyway.
I'm not sure if you can convert the numbers from syslog RFC 5424 to severity labels using the syslog_pri(_field_name). Yesterday I was trying to do exactly the same thing as you, unsuccessfully, so I read in the manual of this filter plugin: "Filter plugin for logstash to parse the PRI field from the front of a Syslog (RFC3164) message"

And the severity numbers in RFC3164 are different from the numbers in RFC5424, so maybe this is why it doesn't work.
So I have achieved the desired severity labels by using translate plugin:

In the logstash directory, install this filter:

bin/plugin install logstash-filter-translate

then I have created a dictionary file (because it is way too big for inline in the config):

/etc/logstash/dictionary.yaml

the contents of this file you can get from here:
http://pastebin.com/raw.php?i=RDj5E7NR
(basically it is a mapping RFC5424 value: label)

then in the logstash config insert this:

translate {
  dictionary_path => [ "/etc/logstash/dictionary.yaml" ]
  field => "syslog5424_pri"
  destination => "syslog5424_sev"
}

This way you can keep your severity number in the "syslog5424_pri" field, but you will have a new field called 'syslog5424_sev' which will contain the desired 'notice', 'warning', ... severity labels.

I'm happy with the results now, but I really think this should be possible with some Logstash integrated filter in future versions.
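
Added example (not code from either poster or from the Logstash project): the two messages in this thread carry PRI values 134 and 131, and the syslog PRI is the same computation in RFC 3164 and RFC 5424, facility * 8 + severity, so 134 = local0 (16) + informational (6) and 131 = local0 (16) + error (3). The script below pulls the PRI off the front of a line the way the syslog_pri filter does, and also generates the full PRI-to-severity dictionary (all 192 values, keys quoted as strings) that the translate filter in the post above needs, so the mapping does not have to be typed by hand. Assumptions: the label wording follows RFC 5424 section 6.2.1 rather than the plugin's exact strings, the output field names are modelled on the syslog_pri filter's, and the two log lines are the ones quoted in the question.

```python
import re

# Label names per RFC 5424 section 6.2.1 (assumed wording; the Logstash
# plugin's own label strings may differ in capitalisation).
SEVERITY_LABELS = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]

# PRI must be at the very start of the line: "<" + 1..3 digits + ">".
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Sample lines taken from the question above.
MSG_INFO = ("<134>Jul 15 08:53:58 10.23.17.250 dhcpd[10639]: "
            "DHCPACK to 10.23.136.206 (f8:b1:56:de:be:4d) via eth2")
MSG_ERROR = ("<131>Jul 15 08:53:58 10.15.17.251 dhcpd[31808]: Unable to add "
             "forward map from PRGEN11420.gep.gt.be to 10.15.129.164: REFUSED")


def split_pri(pri):
    """Return (facility_code, severity_code) for a numeric PRI value."""
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI {pri} outside the valid range 0..191")
    return divmod(pri, 8)


def parse_syslog_pri(message):
    """Parse the <PRI> prefix of one syslog line.

    Returns None when the line has no PRI prefix (a plain TCP line that was
    not produced by a syslog sender), otherwise a dict whose keys mirror the
    fields the syslog_pri filter adds (assumed names).
    """
    m = PRI_RE.match(message)
    if m is None:
        return None
    facility, severity = split_pri(int(m.group(1)))
    return {
        "syslog5424_pri": m.group(1),          # grok keeps this as a string
        "syslog_facility_code": facility,
        "syslog_severity_code": severity,
        "syslog_facility": FACILITY_LABELS[facility],
        "syslog_severity": SEVERITY_LABELS[severity],
        "message": message[m.end():],
    }


def build_translate_dictionary():
    """YAML text mapping every PRI value to its severity label.

    Keys are quoted so the translate filter matches the string value that
    grok stored in syslog5424_pri, e.g.  "134": "informational".
    """
    lines = []
    for pri in range(192):
        _, severity = split_pri(pri)
        lines.append(f'"{pri}": "{SEVERITY_LABELS[severity]}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line in (MSG_INFO, MSG_ERROR):
        fields = parse_syslog_pri(line)
        print(fields["syslog5424_pri"], fields["syslog_facility"],
              fields["syslog_severity"])
    # Write the dictionary for the translate filter's dictionary_path.
    with open("dictionary.yaml", "w") as fh:
        fh.write(build_translate_dictionary())
```

Running it prints "134 local0 informational" and "131 local0 error" and writes a dictionary.yaml that can be dropped in for the translate filter; a line that does not begin with <PRI> yields None rather than a wrong severity, which is worth checking for on a raw TCP input where non-syslog senders can connect.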


(Willemdh) #4

Hey,

Thanks for taking the time to pass this info to me. I'm on holiday at the moment, but I'll definitely look into your solution from the moment I'm back at work.

Grtz.

Willem


(Willemdh) #5

Hello again MiCRoPhoBIC,

I just tried your solution and it is working fine for me. The syslog5424_pri field is getting translated very nicely. Thank you very much for sharing your solution!

Grtz

Willem
http://outsideit.net


(system) #6