[SOLVED] Get the real date

Elastic Stack Logstash
1

Hello,

I have a logstash running well, but I don't understand how to get the real date instead of the timestamp.
I have read this doc Date filter plugin | Logstash Reference [8.11] | Elastic

The is my config file :

 input{
    file{
            path => "/home/logs/firewall/*.log"
            type => "linux-syslog"
            #start_position => "beginning"
    }
}

filter {
    grok {
            match => {
            "message" => '%{SYSLOGTIMESTAMP} %{IPV4:iphost} %{GREEDYDATA:fgtlogmsg}'
            #"message" => '%{SYSLOG5424PRI} %{IPV4:iphost} %{GREEDYDATA:fgtlogmsg}'
            }
    }

    kv {
            source => "fgtlogmsg"
    }

    mutate {
            remove_field => [ "message" , "fgtlogmsg", "vd", "host", "logid", "path", "devid", "devname", "_id", "craction"]
    }
}

output {
    elasticsearch {
            codec => "json"
            hosts => ["127.0.0.1:9200"]
            index => "heimdall-%{+YYYY.MM.dd}"
            user => "elastic"
            password => "password"
    }
#       stdout { codec => rubydebug }
}

And I need to read old syslog file just for one time. How can I do that?

Thanks in advance.

2

You need to parse the timestamp part of the syslog message into a field of its own. Then feed that field to the date filter. The syslog example in the documentation should be helpful: https://www.elastic.co/guide/en/logstash/current/config-examples.html#_processing_syslog_messages

3

Hello,

Thanks for your reply.
Now I have the real syslog date.

filter {
grok {
match => {
"message" => '%{SYSLOGTIMESTAMP:timestamp} %{IPV4:iphost} date=%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} time=%{TIME:time} %{GREEDYDATA:fgtlogmsg}'
}
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.