Syslog Severity and Priority not being parsed by syslog plugin

avamore · January 25, 2016, 6:44pm

Hi all
I've upgrade to Kibana 4.3, which required Elastic 2.3 which required logstash 2.1

After I upgrade to 2.1, the syslog input is no loner parsing out priority, severity and facility properly. I receive the error:
_grokparsefailure_sysloginput,

This was working fine before I upgraded logstash.. After trying to update all plugins, at which point I ran into this bug.

So now I'm just wondering if anyone has run into this issue as well and what steps they took to resolve it.

magnusbaeck · January 25, 2016, 9:13pm

Can you give an example of a raw and unparsed syslog message?

avamore · January 25, 2016, 9:29pm

I added the raw field based on this article and got the following result:

<134> Jan 25 16:21:25 JCAFARELLI-AIO BPEL: checkoutAPI: InsertMerchantInGateway: Creating Contact In Gateway

I've resorted to destroying all of my templates because of said bug report

I've also deleted all of my indexes due to the breaking 2.0 change after I was unable to update the mappings.

I am now using the following filter to parse the messages:
grok {
match => { "message" => "<%{POSINT:syslog_pri}> %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
}
}

While I am now getting basic syslog message working, I am still working on deriving the severity syslog priority.

magnusbaeck · January 26, 2016, 7:00am

While I am now getting basic syslog message working, I am still working on deriving the severity syslog priority.

Use the syslog_pri filter.

avamore · January 26, 2016, 1:49pm

Yep! that is what I did! It looks better now. A lot of work for an upgrade. But the format feature is nice.

If anyone one runs into this issue like I did, I used the following config:

input {
tcp {
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "<%{POSINT:syslog_pri}> (%{SYSLOGTIMESTAMP:syslog_timestamp}) %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
}
translate {
dictionary_path => [ "/etc/logstash/dictionary.yaml" ]
field => "syslog_pri"
destination => "Severity"
}
}
}

output {
elasticsearch {
hosts => localhost
template_overwrite => true
}
stdout { codec => rubydebug }
}

system · July 6, 2017, 5:14am