Syslog Severity and Priority not being parsed by syslog plugin

avamore · 2016-01-25 18:44:29 UTC

Hi all
I've upgrade to Kibana 4.3, which required Elastic 2.3 which required logstash 2.1

After I upgrade to 2.1, the syslog input is no loner parsing out priority, severity and facility properly. I receive the error:
_grokparsefailure_sysloginput,

This was working fine before I upgraded logstash.. After trying to update all plugins, at which point I ran into this bug.

So now I'm just wondering if anyone has run into this issue as well and what steps they took to resolve it.

magnusbaeck · 2016-01-25 21:13:51 UTC

Can you give an example of a raw and unparsed syslog message?

avamore · 2016-01-25 21:29:17 UTC

I added the raw field based on this article and got the following result:

<134> Jan 25 16:21:25 JCAFARELLI-AIO BPEL: checkoutAPI: InsertMerchantInGateway: Creating Contact In Gateway

I've resorted to destroying all of my templates because of said bug report

I've also deleted all of my indexes due to the breaking 2.0 change after I was unable to update the mappings.

I am now using the following filter to parse the messages:
grok {
match => { "message" => "<%{POSINT:syslog_pri}> %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
}
}

While I am now getting basic syslog message working, I am still working on deriving the severity syslog priority.

magnusbaeck · 2016-01-26 07:00:28 UTC

While I am now getting basic syslog message working, I am still working on deriving the severity syslog priority.

Use the syslog_pri filter.

avamore · 2016-01-26 13:49:57 UTC

Yep! that is what I did! It looks better now. A lot of work for an upgrade. But the format feature is nice.

If anyone one runs into this issue like I did, I used the following config:

input {
tcp {
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "<%{POSINT:syslog_pri}> (%{SYSLOGTIMESTAMP:syslog_timestamp}) %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
}
translate {
dictionary_path => [ "/etc/logstash/dictionary.yaml" ]
field => "syslog_pri"
destination => "Severity"
}
}
}

output {
elasticsearch {
hosts => localhost
template_overwrite => true
}
stdout { codec => rubydebug }
}

system · 2017-07-06 05:14:18 UTC