Syslog_severity field is always using the default notice rather than the actual severity

Good Morning,

I'm fairly new to ELK but have managed to build my self solution I can use for a syslog server and I'm happy with it with the exceptions of one thing at the moment. The severity of the syslog events seems to always be defaulting to the default of notice. Now I believe there is sometimes issues relating to the RFC and how different vendors format the messages so I'm not sure if this is what is causing it.

My setup consists of a Logstash Server, Elastic Cluster and a Kibana Server all hosted on separate boxes.

My logstash config from /etc/logstash/conf.d/syslog.conf :

input {
tcp {
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}
filter {
syslog_pri { }
}
output {
elasticsearch { hosts => ["10.x.x.x:9200"]
index => "loghive-hdc-%{+YYYY.MM.dd}" }
}

How the event looks when its being stored in the Elastic Cluster:

Screenshot 2019-12-19 at 11.44.221914×629 73.9 KB

Screenshot 2019-12-19 at 11.44.351081×579 54.1 KB

The correct severity is being sent by the device and the existing syslog server is storing that fine:

Screenshot 2019-12-19 at 11.46.461136×27 9.16 KB

If anybody can help me I'd be very grateful. Again I'm new to ELK so apologies in advance if I'm missing something obvious.

Mark

The syslog_pri filter parses the severity and priority from a field on the event. By default it looks for a field called syslog_pri, and if that is missing it uses user-level/notice (13).

You need to use dissect (or grok) to extract the PRI from [message] into [syslog_pri].

Ok thank you, I'll read into dissect and gork see how I get on.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.