Syslog Filter Plugin

I am building a logging pipeline and there is a syslog collector that is depositing raw syslog messages into a Kafka topic. I would usually accept syslog off the wire by using the Logstash syslog input plugin which handles the parsing of the syslog header very nicely. But in this instance, my input is now a Kafka topic, and therefore I am finding it difficult to process the events as syslog messages as the syslog input plugin only accepts events from a network port. Is there such a thing as a syslog filter plugin, or codec?

Example raw syslog message as stored in Kafka.

<14>Nov  3 16:42:05 1,2020/11/03 16:42:04,013222003452,TRAFFIC,end,2304,2020/11/03 16:42:04,,,,,GlobalProtect-Internet-Access,prod\tomar,,quic,vsys2,Prod-GlobalProtect,Prod-L3-inet,tunnel.9998,ethernet1/8.666,SIEM-Syslog,2020/11/03 16:42:04,2593114,1,65111,443,31573,443,0x400050,udp,allow,2863,1467,1396,3,2020/11/03 16:40:02,0,any,0,6854539165046534753,0x0,,United States,0,2,1,aged-out,171,0,0,0,Production,CX-PaloHE01,from-policy,,,0,,0,,N/A,0,0,0,0,bfc04636-c4f2-43ef-a25d-9f93fe9a04b3,0

A syslog input applies a grok pattern


You can then use a syslog_pri filter to parse the priority field.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.