Syslog severity and facility not set when upgrading version

Hi,
I did the migration from version 6.8 to 8.9, and I have a Logstash pipeline that uses syslog to feed my Elasticsearch.

This is the configuration I have on 6.8:

input {
  syslog {
    type => "syslog"
    port => 515
    grok_pattern => "<%{POSINT:priority}>%{POSINT:faciliy} %{TIMESTAMP_ISO8601:syslog_timestamp} %{DATA:hostname} %{DATA:source} %{NUMBER:pid:int} %{DATA:service} %{GREEDYDATA:message}"
  }
}

output {
  elasticsearch {
    hosts => ["https://<machinename>:9200"]
    user => <myuser>
    password => <mypwd>
    ssl => true
    cacert => <mycert>
    index => "lasernetlogs-%{+YYYY.MM.dd}"
  }
}

and as output in Elasticsearch I get a proper message.

In the new configuration I adjusted my pipeline with a new grok pattern and also added the "syslog_pri" filter, but when I send a message I do not get the proper severity and facility code.

New pipeline:

input {
  tcp {
    port => 514
  }
  udp {
    port => 514
  }
}

filter {
    grok {
       match => {"message" => "<%{POSINT:priority}>%{POSINT:faciliy} %{TIMESTAMP_ISO8601:syslog_timestamp} %{GREEDYDATA:datamessage}"}
    }
    syslog_pri {
    }
}

output {
  stdout {
    codec => "rubydebug"
  }
}

i.e. when I run a test from PowerShell by launching:

Send-SyslogMessage -Server localhost -Port 514 -Message "This is a logstash testmessage" -Severity 3 -Facility 22

I get the following:

{
                 "log" => {
        "syslog" => {
            "severity" => {
                "code" => 5,
                "name" => "notice"
            },
            "facility" => {
                "code" => 1,
                "name" => "user-level"
            }
        }
    },
             "faciliy" => "1",
            "@version" => "1",
                "host" => {
        "ip" => "127.0.0.1"
    },
          "@timestamp" => 2023-10-25T05:42:11.360859500Z,
               "event" => {
        "original" => "<179>1 2023-10-25T07:42:11.265868+02:00 <machinename> PowerShell 642008 - - This is a logstash testmessage"
    },
            "priority" => "179",
    "syslog_timestamp" => "2023-10-25T07:42:11.265868+02:00",
             "message" => "<179>1 2023-10-25T07:42:11.265868+02:00 <machinename> PowerShell 642008 - - This is a logstash testmessage",
         "datamessage" => "<machinename> PowerShell 642008 - - This is a logstash testmessage"
}

What is missing in my configuration?

I saw in other topics that maybe I have to use the dictionary, but it's not really clear to me how.

syslog_pri does not parse the [priority] field. It looks for either [syslog_pri] or [log][syslog][priority] depending on your ECS compatibility level.

So do you mean that I just see some kind of default value for them? So how should I read them in a proper way?

Edit your grok to change the name of the [priority] field.
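As an added example (not Logstash's own code, and not from either reply), this Python mirrors what the syslog_pri filter does in ECS mode, as the two replies above describe: it reads [log][syslog][priority] and falls back to PRI 13 when that field is absent, which is exactly what happens when grok captures into a plain [priority] field. The label tables reproduce the plugin's default facility_labels and severity_labels; the two events are constructed from the output shown in the question.

```python
# Added example, not Logstash's own code: mirrors how syslog_pri derives
# facility/severity from the PRI value (PRI = facility * 8 + severity, RFC 5424).
# Label tables follow the plugin's default facility_labels / severity_labels.
SEVERITY_LABELS = ["emergency", "alert", "critical", "error",
                   "warning", "notice", "informational", "debug"]
FACILITY_LABELS = ["kernel", "user-level", "mail", "daemon",
                   "security/authorization", "syslogd", "line printer",
                   "network news", "uucp", "clock", "security/authorization",
                   "ftp", "ntp", "log audit", "log alert", "clock"] + \
                  [f"local{i}" for i in range(8)]
DEFAULT_PRIORITY = 13  # what syslog_pri assumes when its priority field is absent


def decode_pri(pri):
    """Split a numeric PRI into (facility_code, severity_code)."""
    pri = int(pri)
    if not 0 <= pri <= 191:          # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7         # same as divmod(pri, 8)


def apply_syslog_pri(event):
    """ECS-mode lookup: only [log][syslog][priority] is consulted. A top-level
    [priority] field (as produced by the original grok) is ignored, so the
    default PRI 13 (user-level / notice) is what ends up in the event."""
    pri = event.get("log", {}).get("syslog", {}).get("priority", DEFAULT_PRIORITY)
    facility, severity = decode_pri(pri)
    return {
        "facility": {"code": facility, "name": FACILITY_LABELS[facility]},
        "severity": {"code": severity, "name": SEVERITY_LABELS[severity]},
    }


# Constructed events: the poster's grok result vs. the corrected field name.
BROKEN_EVENT = {"priority": "179", "message": "<179>1 ... testmessage"}
FIXED_EVENT = {"log": {"syslog": {"priority": "179"}},
               "message": "<179>1 ... testmessage"}

if __name__ == "__main__":
    print(apply_syslog_pri(BROKEN_EVENT))  # facility 1 user-level, severity 5 notice
    print(apply_syslog_pri(FIXED_EVENT))   # facility 22 local6, severity 3 error
```

The equivalent grok change is to capture into the nested field, e.g. `<%{POSINT:[log][syslog][priority]}>`, so that syslog_pri finds the value the sender actually set (here 179 = facility 22 local6, severity 3 error).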
