We have an ELK stack running on v5.6.8 for syslog analytics from network devices. We use the syslog_pri filter (given below, Section 1) alongside the grok to determine the severity levels of the syslogs. I use the syslog_severity field provided by syslog_pri to create a field, syslog_sev_level, which I overwrite based on our organisation's requirements (given below, Section 2). But now I see the severity levels are not working as expected. Is it right to use syslog_severity, or must I use severity_level, to derive my severity level field syslog_sev_level? Please advise. The JSON output of the grokked message is provided in Section 3.
Section 1
filter {
if [type] == "syslog"
{
# syslog_pri derives syslog_facility / syslog_severity (and the matching *_code fields seen in
# Section 3) from the PRI value it reads from its configured field (plugin option
# syslog_pri_field_name, default field "syslog_pri").
# NOTE(review): the Section 3 message starts with <187>, i.e. facility 23 (local7) and
# severity 3 (187 = 23*8 + 3), which agrees with the separately extracted severity_level "3".
# The output instead shows user-level (1) / notice (5), which is PRI 13 — consistent with the
# plugin falling back to its default priority because its input field was absent. Presumably the
# grok that extracts the PRI does not populate that field, or runs after this filter; confirm
# that before changing the Section 2 comparisons.
syslog_pri {}
##omitted rest of grok
Section 2
# Map the severity label that syslog_pri wrote into [syslog_severity] to a numeric level.
# The branches are mutually exclusive, so at most one add_field runs per event; when the label
# matches none of them (or the field is absent) syslog_sev_level is not set at all.
# add_field stores the value as a string ("5" in the Section 3 sample), not as an integer.
# NOTE(review): in the sample, "notice" -> "5" is exactly this mapping, so the disagreement with
# severity_level "3" originates in the [syslog_severity] input, not in this chain.
if [syslog_severity] == "emergency" { mutate { add_field => { "syslog_sev_level" => 0 } } }
else if [syslog_severity] == "alert" { mutate { add_field => { "syslog_sev_level" => 1 } } }
else if [syslog_severity] == "critical" { mutate { add_field => { "syslog_sev_level" => 2 } } }
else if [syslog_severity] == "error" { mutate { add_field => { "syslog_sev_level" => 3 } } }
else if [syslog_severity] == "warning" { mutate { add_field => { "syslog_sev_level" => 4 } } }
else if [syslog_severity] == "notice" { mutate { add_field => { "syslog_sev_level" => 5 } } }
else if [syslog_severity] == "informational" { mutate { add_field => { "syslog_sev_level" => 6 } } }
else if [syslog_severity] == "debug" { mutate { add_field => { "syslog_sev_level" => 7 } } }
Section 3
{
"_index": "log-2018.07.26",
"_type": "syslog",
"_id": "AWTWcRuhV2CegLK-LbhZ",
"_version": 1,
"_score": null,
"_source": {
"syslog_sev_level": "5",
"log_sequence": "187",
"syslog_severity_code": 5,
"syslog_facility": "user-level",
"syslog_facility_code": 1,
"message": "<187>187: Jul 26 19:54:53.220: %C4K_REDUNDANCY-3-COMMUNICATION: Communication with the peer Supervisor has been established",
"type": "syslog",
"severity_level": "3",
"syslog_severity": "notice",
"tags": [
"cisco"
],
"host_group": "BUILDING",
"hostname": "lgsdtccss02",
"@timestamp": "2018-07-26T11:54:54.227Z",
"log_date": "Jul 26 19:54:53.220",
"host": "12.1.1.1",
"log_message": "Communication with the peer Supervisor has been established",
"Access_switch": "Yes",
"facility": "C4K_REDUNDANCY",
"facility_mnemonic": "COMMUNICATION",
"Critical_device": "No"
},
"fields": {
"@timestamp": [
1532606094227
]
},
"highlight": {
"host": [
"@kibana-highlighted-field@10.95.255.11@/kibana-highlighted-field@"
]
},
"sort": [
1532606094227
]
}