The unusual syslog from cisco

We have some cisco devices , all of them have the same syslog configuration.

The normal format should like:
<187>11640: PH18L1_CS29SW01: Oct 19 09:11:45.797 GMT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
then i can using some pattern to grok that,

but now i can receive some unusual syslog
it just like as below:
<187>11640: PH18L1_CS29SW01: ]: Oct 19 09:11:45.797 GMT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down

I don't know why,because all the switches have the same configuration.And until now i can not find any valid pattern to grok the error syslog message, i had tried to use self-defined pattern, but still doesn't work.

What is your question ?

You can use (\]: )? to optionally match an extra square bracket and colon.

My question is how can i match the unexpected string " ]",and please notice that there is a space before ].Thanks
Actually i have tried to use "^\s{1}]$" to match the string , it does work when i using it individually .But the problem is that if i using the grok expression such as %{HOSTNAME}:%{UNP:hahha} （I defined " unp ^\s{1}]$" in my pattern）,it doesn't work !!!

Ah . I got it.

HOSTNAME does not parse _ .

If you look at the template,

HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)

it parses - but not underscore.

So , you may want to try a filter like below.

filter {
  grok {
    match => { "message" => "\A<%{INT}>%{INT}: (?<hostname>[a-zA-Z0-9_-]+):(\s\]:)? %{GREEDYDATA:greedy}\Z" }
  }
}

Parsed correctly for both cases.

{
          "path" => "/tmp/sample.file",
      "hostname" => "PH18L1_CS29SW01",
    "@timestamp" => 2017-10-19T06:42:59.845Z,
      "@version" => "1",
          "host" => "localhost.localdomain",
        "greedy" => "Oct 19 09:11:45.797 GMT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down",
       "message" => "<187>11640: PH18L1_CS29SW01: ]: Oct 19 09:11:45.797 GMT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down"
}

{
          "path" => "/tmp/sample.file",
      "hostname" => "PH18L1_CS29SW01",
    "@timestamp" => 2017-10-19T06:46:33.074Z,
      "@version" => "1",
          "host" => "localhost.localdomain",
        "greedy" => "Oct 19 09:11:45.797 GMT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down",
       "message" => "<187>11640: PH18L1_CS29SW01: Oct 19 09:11:45.797 GMT: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down"
}

Wow it does work,but i find something interesting , i tried to replace it by ”(^\s+]$)?“
It does work , but i can not find the string that i've defined , such as

filter {
grok {
patterns_dir => ["/usr/share/logstash/pattern"]
match => { "message" => "%{SYSLOGHOST:origin_hostname}:%{TEST1:anod}" }

then i put in "PH18L1-CS29SW01: ]",the output just like

PH18L1-CS29SW01: ]
{
"@version" => "1",
"host" => "logstash",
"@timestamp" => 2017-10-19T07:25:45.658Z,
"message" => "PH18L1-CS29SW01: ]",
"origin_hostname" => "PH18L1-CS29SW01",
"tags" => [
[0] "_geoip_lookup_failure"
]
}

But where is my anod ? hha

Wow it does work,but i find something interesting , i tried to replace it by ”(^\s+]$)?“
It does work , but i can not find the string that i've defined , such as

filter {
grok {
patterns_dir => ["/usr/share/logstash/pattern"]
match => { "message" => "%{SYSLOGHOST:origin_hostname}:%{TEST1:anod}" }

then i put in "PH18L1-CS29SW01: ]",the output just like

PH18L1-CS29SW01: ]
{
"@version" => "1",
"host" => "logstash",
"@timestamp" => 2017-10-19T07:25:45.658Z,
"message" => "PH18L1-CS29SW01: ]",
"origin_hostname" => "PH18L1-CS29SW01",
"tags" => [
[0] "_geoip_lookup_failure"
]
}

But where is my anod ? hha

Take off ^.

It means the beginning of the line .

5. Anchors

^ beginning of the line

Thank you so much , i am a totally newcomer in logstash,it's been a big help

Glad that it worked out!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.