Syslog_facility always set to kernel

For some reason, facility always shows kernel (0), but in this test it should show syslog (5).

"hits" : [ {
  "_index" : "filebeat-2016.12.14",
  "_type" : "fbsyslog",
  "_id" : "AVj6wwB4Si_4urkNEHOu",
  "_score" : 14.27702,
  "_source" : {
    "message" : "<5.2> Dec 14 01:37:02 elkclient bob  testmsg36",
    "@version" : "1",
    "@timestamp" : "2016-12-14T00:37:09.022Z",
    "beat" : {
      "hostname" : "elkclient.foo.com",
      "name" : "elkclient.foo.com"
    },
    "count" : 1,
    "fields" : null,
    "input_type" : "log",
    "offset" : 18242,
    "source" : "/var/log/messages",
    "type" : "fbsyslog",
    "host" : "elkclient.foo.com",
    "tags" : [ "beats_input_codec_plain_applied" ],
    "facility" : "5",
    "syslog_pri" : "2",
    "syslog_timestamp" : "Dec 14 01:37:02",
    "syslog_hostname" : "elkclient",
    "syslog_program" : "bob",
    "syslog_message" : " testmsg36",
    "syslog_severity_code" : 2,
    >>>>>>>>>> "syslog_facility_code" : 0,
    >>>>>>>>>>"syslog_facility" : "kernel",
    "syslog_severity" : "critical"
  }
} ]

Server: logstash-2.3.2
Client: filebeat-1.2.1 and rsyslog-5.8.10

Server

/etc/logstash/conf.d/02-beats-input.conf

input {
    beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    }
}

filter {
    if [type] == "fbsyslog" {
        grok {
          match => { "message" => "<%{NONNEGINT:facility}.%{NONNEGINT:syslog_pri}> %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{GREEDYDATA:syslog_message}" }
        }
        syslog_pri { }
    }
}

Client

/etc/filebeat/filebeat.yml

filebeat:
    prospectors:
        -
            paths:
                - /var/log/messages
            document_type: fbsyslog
            input_type: log

    registry_file: /var/lib/filebeat/registry

output:
    logstash:
        hosts: ["elk.foo.com:5044"]
        bulk_max_size: 1024

        tls:
            certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

shipper:

logging:
    files:
        rotateeverybytes: 10485760 # = 10MB

/etc/rsyslog.conf

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$template mytemplate,"<%syslogfacility%.%syslogseverity%> %timegenerated% %hostname% %programname% %msg%\n"
*.info;mail.none;authpriv.none;cron.none                /var/log/messages;mytemplate
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
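Added example, in Python, that is not from this thread and not Logstash's own code: it applies the RFC 3164 rule the syslog_pri filter implements, PRI = facility * 8 + severity, to the line shown in _source.message above. The grok pattern in the filter stores the second number of the prefix (the severity, 2) in the field named syslog_pri, and 2 decoded as a whole PRI is facility 0 (kernel) and severity 2 (critical), which are exactly the values in the hit; rebuilding the PRI from both numbers gives facility 5. The label tables and the regular expression below are assumptions standing in for the filter's own tables and the grok pattern, and the sample lines are constructed from the message in the hit.

```python
import re

# Facility and severity label tables from RFC 3164 section 4.1.1 (assumed to
# match the labels the Logstash syslog_pri filter attaches by default).
FACILITIES = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITIES = [
    "emergency", "alert", "critical", "error", "warning", "notice",
    "informational", "debug",
]

# Assumed stand-in for the grok pattern. Accepts both PRI spellings: the
# thread's "<facility.severity>" template and the RFC 3164 "<PRI>" number.
LINE_RE = re.compile(
    r"^<(?:(?P<facility>\d+)\.(?P<severity>\d+)|(?P<pri>\d+))> "
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>\S+) (?P<message>.*)$"
)


def decode_pri(pri):
    """RFC 3164: PRI = facility * 8 + severity, so facility = PRI // 8 and
    severity = PRI % 8. This is the arithmetic the syslog_pri filter applies
    to whatever value sits in the syslog_pri field."""
    facility_code, severity_code = divmod(int(pri), 8)
    return {
        "syslog_facility_code": facility_code,
        "syslog_severity_code": severity_code,
        # Facility codes above 23 have no RFC name; report None instead of crashing.
        "syslog_facility": FACILITIES[facility_code] if facility_code < len(FACILITIES) else None,
        "syslog_severity": SEVERITIES[severity_code],
    }


def parse_line(line):
    """Split one log line into the fields the grok pattern would produce."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected syslog layout")
    return m.groupdict()


def decode_as_thread_does(line):
    """Reproduce the pipeline in the thread: the second number of the prefix
    lands in syslog_pri, and syslog_pri decodes that digit as the whole PRI."""
    f = parse_line(line)
    pri_field = f["severity"] if f["pri"] is None else f["pri"]
    return decode_pri(pri_field)


def decode_correctly(line):
    """Rebuild the real PRI from both numbers (or take the numeric PRI as is)
    before decoding, so facility and severity both come out right."""
    f = parse_line(line)
    if f["pri"] is None:
        pri = int(f["facility"]) * 8 + int(f["severity"])
    else:
        pri = int(f["pri"])
    return decode_pri(pri)


# Constructed samples: the _source.message from the hit above, and the same
# event written with a plain RFC 3164 PRI (5 * 8 + 2 = 42).
SAMPLE_DOTTED = "<5.2> Dec 14 01:37:02 elkclient bob  testmsg36"
SAMPLE_NUMERIC = "<42> Dec 14 01:37:02 elkclient bob  testmsg36"

if __name__ == "__main__":
    print(decode_as_thread_does(SAMPLE_DOTTED))  # facility 0 "kernel", severity 2 "critical"
    print(decode_correctly(SAMPLE_DOTTED))       # facility 5 "syslogd", severity 2 "critical"
    print(decode_correctly(SAMPLE_NUMERIC))      # same result as the dotted form
```

The first call reproduces the JSON in the hit (facility code 0, severity code 2); the second shows what the same line yields once the whole PRI is reconstructed. The numeric form is included because RFC 3164 transports the PRI as that single number, which is the value the syslog_pri filter expects to find in its input field.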

Thanks, Nick. I'll give it a try.

But now that I think about it, the first 8 bits of a syslog packet contain the PRI information (facility, severity).
I know that in my case I'm using Filebeat on the client side and input { beats {} } on the server side.

Is it possible to somehow extract these and populate syslog_facility and syslog_severity properly?

It would be great to avoid having to change my default logging template in rsyslog as I would like to leave it as is.

Before I changed rsyslog:

Dec 12 18:00:43 foo puppet-agent[22985]: Finished catalog run in 10.45 seconds

After I had to change rsyslog to have PRI information in the message itself:

<0.6> Dec 12 18:00:43 foo puppet-agent[22985]: Finished catalog run in 10.45 seconds

Ignore my answer above please, it's wrong.

This should be the solution:
Rename the "facility" field to "syslog_facility", otherwise it can't be populated by syslog_pri correctly.

Best is to just change this part of your match <%{NONNEGINT:facility}.%{NONNEGINT:syslog_pri}>
to this: <%{NONNEGINT:syslog_facility}.%{NONNEGINT:syslog_pri}>
or, even easier, to this: %{SYSLOGFACILITY}.

Thanks, Nick.

I get both facility and severity this way. However, as I mentioned in my previous reply, I will have to modify rsyslog.conf on all clients and make sure /var/log/messages (for example) starts with <facility.severity>.

Have I understood it correctly that if I want to avoid doing that, I should instead use pure syslog and not Filebeat? This way the first 8 bits should be sent to Logstash's syslog input.
