Syslog_severity field is always using the default notice rather than the actual severity

Good Morning,

I'm fairly new to ELK but have managed to build myself a solution I can use for a syslog server, and I'm happy with it with the exception of one thing at the moment. The severity of the syslog events seems to always be defaulting to notice. Now I believe there are sometimes issues relating to the RFC and how different vendors format the messages, so I'm not sure if this is what is causing it.

My setup consists of a Logstash Server, Elastic Cluster and a Kibana Server all hosted on separate boxes.

My logstash config from /etc/logstash/conf.d/syslog.conf :

input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}
filter {
  # syslog_pri reads the PRI value from the [syslog_pri] field; nothing above populates it
  syslog_pri { }
}
output {
  elasticsearch {
    hosts => ["10.x.x.x:9200"]
    index => "loghive-hdc-%{+YYYY.MM.dd}"
  }
}

How the event looks when it's being stored in the Elastic Cluster:

The correct severity is being sent by the device and the existing syslog server is storing that fine:

If anybody can help me I'd be very grateful. Again I'm new to ELK so apologies in advance if I'm missing something obvious.

Mark

The syslog_pri filter parses the severity and priority from a field on the event. By default it looks for a field called syslog_pri, and if that is missing it uses user-level/notice (13).

You need to use dissect (or grok) to extract the PRI from [message] into [syslog_pri].
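To make the defaulting behaviour concrete, here is an added example (not from the thread or from Logstash itself) that does in Python what the grok-then-syslog_pri chain does: pull the `<PRI>` header off the raw line, split it into facility and severity, and fall back to 13 (user-level/notice) when no header is found. The sample lines are constructed; the facility and severity name tables are the RFC 5424 ones.

```python
import re

# Facility and severity names per RFC 5424 (the same labels syslog_pri emits)
FACILITIES = ["kernel", "user-level", "mail", "daemon", "security/authorization",
              "syslogd", "line printer", "network news", "uucp", "clock",
              "security/authorization", "ftp", "ntp", "log audit", "log alert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]

# Python equivalent of the grok you would put before syslog_pri, e.g.
#   grok { match => { "message" => "<%{POSINT:syslog_pri}>%{GREEDYDATA:syslog_message}" } }
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

DEFAULT_PRI = 13  # user-level (1) * 8 + notice (5): what syslog_pri assumes if the field is absent


def extract_pri(message):
    """Return (pri, remainder) for a raw syslog line, or (None, message) if no <PRI> header."""
    m = PRI_RE.match(message)
    if not m:
        return None, message
    pri = int(m.group(1))
    if pri > 191:  # largest valid PRI is local7 (23) * 8 + debug (7)
        return None, message
    return pri, m.group(2)


def decode_pri(pri):
    """Split a PRI into facility/severity codes and names, as syslog_pri does."""
    if pri is None:
        pri = DEFAULT_PRI  # this fallback is why every event showed up as 'notice'
    facility_code, severity_code = divmod(pri, 8)
    return {
        "syslog_facility_code": facility_code,
        "syslog_facility": FACILITIES[facility_code],
        "syslog_severity_code": severity_code,
        "syslog_severity": SEVERITIES[severity_code],
    }


def enrich(message):
    """Full pipeline for one line: extract the PRI, decode it, keep the rest as the message."""
    pri, rest = extract_pri(message)
    fields = {"message": rest}
    fields.update(decode_pri(pri))
    return fields


if __name__ == "__main__":
    # Constructed sample lines: one with a PRI header, one without
    for line in ["<134>Oct 11 22:14:15 fw1 kernel: accepted", "Oct 11 22:14:15 fw1 no PRI header"]:
        print(enrich(line))
```

Running it shows the first line decoding to local0/informational while the second, lacking a header, silently becomes user-level/notice, which is exactly the symptom in the original post.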

Ok thank you, I'll read into dissect and grok and see how I get on.
