Syslog Input - Grok Error

Hello!

I have this input:

<189>date=2019-11-06 time=09:18:24 devname="FW" devid="FG200D4Q645" logid="0000000011" type="traffic" subtype="forward" level="notice" vd="josep" eventtime=1573045874 srcip=192.168.1.1 srcport=22222 srcintf="vlan11" srcintfrole="undefined" dstip=4.221.55.87 dstport=443 dstintf="vlan55" dstintfrole="undefined" poluuid="8az53d526-5480-5je6-d2f3-1c0d252b8ccde" sessionid=1457621354 proto=2 action="accept" policyid=11 policytype="policy" service="HTTPS" dstcountry="Country" srccountry="Reserved" trandisp="snat" transip=155.84.27.111 transport=22222 appid=41245 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" applist="AppControl_General" appact="detected" duration=1120 sentbyte=4449 rcvdbyte=12391 sentpkt=223 rcvdpkt=222 sentdelta=222 rcvddelta=222

I set the following input:

syslog {
  port => 5444
  type => 'firewall'
}

The data is coming to Logstash, but it does not recognize the fields. I understand that if it is a syslog input, it should do the grok automatically? Also I have a tag that says this:

tags: _grokparsefailure_sysloginput

Any idea what might be happening? Thanks for your time!

Your syslog might be UDP or TCP - use tcpdump to confirm, and change the input accordingly.

Also use kvdata instead since your message is already in a key value pair format.

https://www.elastic.co/guide/en/logstash/current/plugins-filters-kv.html

Basic example:

input { 
  udp {
    port => 5444
  }
}

filter {
  kv {
      source => "message"
  }
}

output {
  stdout {
    codec => "rubydebug"
  }
}

Test that and see if it works. It's a very basic example just to put you on the right path.


Thanks for your answer, I finally have:

input {
  udp {
    port => 5444
    type => "firewall"
  }
}

filter {
  if [type] == "firewall" {
    kv {
      source => "message"
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "firewall-%{+yyyy.ww}"
  }
}
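To show what the `kv` approach in the answer above actually recovers from a Fortigate line like the one in the question, here is an added Python example (not from the thread or from Logstash itself) that strips the syslog `<PRI>` header and tokenizes the `key=value` pairs the way the `kv` filter does with default settings. The syslog input's built-in grok expects an RFC 3164 timestamp and host right after `<PRI>`, which this line does not have, hence the `_grokparsefailure_sysloginput` tag; the `<189>` header itself decodes to facility 23 (local7) and severity 5 (notice), matching the `level="notice"` field. The sample line and the `INT_FIELDS` cast list are constructed for this example.

```python
import re

# Constructed sample: a shortened copy of the Fortigate line in the question.
SAMPLE = ('<189>date=2019-11-06 time=09:18:24 devname="FW" type="traffic" '
          'subtype="forward" level="notice" srcip=192.168.1.1 srcport=22222 '
          'dstip=4.221.55.87 dstport=443 action="accept" policyid=11 '
          'app="HTTPS.BROWSER" appcat="Web.Client" sentbyte=4449 rcvdbyte=12391')

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Fields worth casting to integers so that range queries work in Elasticsearch
# (kv emits every value as a string). Chosen for this example only.
INT_FIELDS = {"srcport", "dstport", "policyid", "sentbyte", "rcvdbyte"}

def split_pri(line):
    """Strip the RFC 3164 <PRI> header; facility = PRI // 8, severity = PRI % 8."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, SEVERITIES[pri % 8], line[m.end():]

def parse_kv(text):
    """Tokenize key=value pairs much like Logstash's kv filter with default settings."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(text)}

def parse_event(line):
    """Return the fields of one line plus syslog facility/severity, numeric fields typed."""
    facility, severity, body = split_pri(line)
    fields = parse_kv(body)
    for name in INT_FIELDS:
        if name in fields:
            fields[name] = int(fields[name])
    fields["syslog_facility"] = facility
    fields["syslog_severity"] = severity
    return fields

if __name__ == "__main__":
    for key, value in parse_event(SAMPLE).items():
        print(f"{key}: {value}")
```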
