Syslog data, not getting the "fields" I want

Getting Syslog data to my ELK stack. But the info I am interested in is in the Message field and not Analyzed, it seems?!

The syslog looks like this:

{
  "_index": "logstash-2017.03.06",
  "_type": "logs",
  "_id": "AVqjpUxCy56bZX8RhFRK",
  "_score": null,
  "_source": {
    "severity": 4,
    "@timestamp": "2017-03-06T20:43:25.000Z",
    "@version": "1",
    "host": "192.168.200.1",
    "program": "kernel",
    "message": "[129739.183712] [WAN-TO-VLAN200-1-A] IN=eth1.200 OUT=eth0 MAC=00:15:5d:0a:8d:4f:00:15:5d:0a:8d:55:08:00 SRC=192.168.200.129 DST=23.102.152.32 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=22434 PROTO=UDP SPT=49873 DPT=3544 LEN=69 ",
    "priority": 4,
    "logsource": "VyOS",
    "facility": 0,
    "severity_label": "Warning",
    "timestamp": "Mar  6 12:43:25",
    "facility_label": "kernel"
  },
  "fields": {
    "@timestamp": [
      1488833005000
    ]
  },
  "sort": [
    1488833005000
  ]
}

It's the fields in "message" I need:
"message": "[129739.183712] [WAN-TO-VLAN200-1-A] IN=eth1.200 OUT=eth0 MAC=00:15:5d:0a:8d:4f:00:15:5d:0a:8d:55:08:00 SRC=192.168.200.129 DST=23.102.152.32 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=22434 PROTO=UDP SPT=49873 DPT=3544 LEN=69 ",

I guess a filter is needed. I am very new to this. Can someone please help me out or point me to the right direction?

Use a grok filter to match (and possibly extract) "[129739.183712] [WAN-TO-VLAN200-1-A]" from the front of the string and store the key=value pairs in a separate field. Then use the kv filter to parse the key=value pairs.
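A worked Logstash pipeline snippet following that advice, added here as an example (it is not part of the answer above and not VyOS or Elastic project code). The field names `kernel_uptime`, `fw_rule`, `fw_kv` and the `fw` target object are assumptions chosen for this example; the match pattern is written against the sample message in the question:

```conf
filter {
  # Only the kernel/netfilter lines carry the key=value block; other syslog
  # events pass through untouched.
  if [program] == "kernel" and [message] =~ /^\[[0-9.]+\] \[/ {
    grok {
      # "[129739.183712] [WAN-TO-VLAN200-1-A] IN=eth1.200 OUT=eth0 ..."
      #   -> kernel_uptime = 129739.183712   (assumed field name)
      #   -> fw_rule       = WAN-TO-VLAN200-1-A (assumed field name)
      #   -> fw_kv         = the remaining key=value text
      match => {
        "message" => "^\[%{NUMBER:kernel_uptime:float}\] \[%{DATA:fw_rule}\] %{GREEDYDATA:fw_kv}$"
      }
      tag_on_failure => ["_grokparsefailure_vyos_fw"]
    }

    if "_grokparsefailure_vyos_fw" not in [tags] {
      kv {
        source      => "fw_kv"
        target      => "fw"        # results land under fw.IN, fw.SRC, fw.DPT, ...
        field_split => " "
        value_split => "="
        remove_field => ["fw_kv"]  # the raw text is no longer needed once parsed
      }
      # LEN appears twice in the sample (IP total length, then UDP length);
      # kv keeps both values in an array, so it is left as a string here.
      mutate {
        convert => {
          "[fw][SPT]" => "integer"
          "[fw][DPT]" => "integer"
          "[fw][TTL]" => "integer"
          "[fw][ID]"  => "integer"
        }
      }
    }
  }
}
```

With this in place the sample event gains `fw.SRC`, `fw.DST`, `fw.PROTO`, `fw.DPT` and the rest as separate fields, so they can be filtered and aggregated in Kibana (e.g. top destination ports per rule, or all hits for one `fw_rule`). Two things to check after deploying it: refresh the index pattern's field list in Kibana so the new fields appear, and watch for events tagged `_grokparsefailure_vyos_fw`, which flags lines whose prefix does not match the expected `[uptime] [rule]` layout.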
