I'm getting a parse failure on all logs from Cisco ironport appliances. I see a syslog PRI field of <38>. RFC 3164 tables seem to say 3 is daemons but 8 is invalid.
Another method described here https://gist.github.com/marvin/1017480/8fff5fcf7fefab7bfc94817e2241784c2c512c8b
says 38/8 = 4 remainder 6, so AUTH.INFO, which is what WireShark shows.
Is it possible that the syslog input plugin isn't groking PRI correctly?
input {
syslog {
port => 514
codec => plain {
charset => "ISO-8859-1"
}
}
}