What type of syslog format is this and how should I parse it?

I have logstash configured like so:

input {
  beats {
    port => "9998"
    type => syslog
  }
  tcp {
    port => "9999"
    type => syslog
  }
  udp {
    port => "9999"
    type => syslog
  }
....
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
...

So for my beats traffic it parses fine, but for my router, which I pointed at it for syslog, I get grok parse errors and I see stuff like this in the messages:
<28>1 2017-07-18T04:21:30.008-04:00 myrouter inetd 1362 - - /usr/sbin/sshd[22023]: exited, status 255

All the lines are prefaced with some number in angle brackets. Before I try to manually finagle around this, is this a specific syslog format? If I know it's a format and what that format is, then maybe I can Google around and figure out how to change it to the right format on the router (Junos SRX).

Also, it seems "2017-07-18T04:21:30.008-04:00" is not a valid SYSLOGTIMESTAMP format either.
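The line quoted above is in RFC 5424 syslog format: `<28>` is the PRI field (facility * 8 + severity, here facility 3 = daemon and severity 4 = warning), the `1` after it is the protocol version, and the timestamp is ISO 8601 with a UTC offset, which the BSD-style SYSLOGTIMESTAMP grok pattern in the config above will never match. The parser below is an added example written for this thread, not code from the original post or from Logstash; it goes beyond the question by classifying a line as either RFC 5424 or BSD/RFC 3164 and decoding the PRI in both cases. The sample lines are constructed (the router line is the one from the question; the structured-data line is adapted from RFC 5424's own examples), and the structured-data handling is a simplification that assumes no escaped `]` inside an SD element.

```python
"""Classify and parse syslog lines: RFC 5424 versus BSD/RFC 3164.

Added example for the thread above; not code from the original post.
"""
import re
from datetime import datetime

# Facility names indexed by PRI // 8 and severity names by PRI % 8 (RFC 5424 section 6.2.1).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)

# BSD / RFC 3164 line: optional <PRI>, then "MMM  d HH:mm:ss HOST PROGRAM[PID]: MSG".
# The timestamp group here is the shape Logstash's SYSLOGTIMESTAMP grok pattern expects.
RFC3164 = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<message>.*)$",
    re.DOTALL,
)

# Simplification (assumption): one SD-ELEMENT per bracket pair, no escaped ']' inside it.
SD_ELEMENT = re.compile(r"\[[^\]]*\]")

# Constructed inputs: the router line from the question, an RFC 5424 line with
# structured data (adapted from RFC 5424 section 6.5, BOM removed), and a BSD-style line.
ROUTER_LINE = "<28>1 2017-07-18T04:21:30.008-04:00 myrouter inetd 1362 - - /usr/sbin/sshd[22023]: exited, status 255"
SD_LINE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
           '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
           'An application event log entry...')
BSD_LINE = "<13>Jul 18 04:21:30 myhost sshd[22023]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2"


def decode_pri(pri):
    """Split a PRI value (0..191) into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_rfc5424_timestamp(ts):
    """ISO 8601 with an offset or 'Z'; the NILVALUE '-' means no timestamp. Returns an aware datetime."""
    if ts == "-":
        return None
    if ts.endswith("Z"):  # datetime.fromisoformat() accepts a trailing 'Z' only from Python 3.11
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def split_structured_data(rest):
    """Return (list of SD elements or None, MSG) from the text after the RFC 5424 header."""
    if rest == "-":
        return None, ""
    if rest.startswith("- "):
        return None, rest[2:]
    elements, pos = [], 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT.match(rest, pos)
        if not m:
            break
        elements.append(m.group(0))
        pos = m.end()
    msg = rest[pos:]
    return elements, msg[1:] if msg.startswith(" ") else msg


def _nil(value):
    """RFC 5424 uses '-' as the NILVALUE for an absent header field."""
    return None if value == "-" else value


def parse_syslog(line):
    """Parse one syslog line into a dict; raises ValueError if neither format matches."""
    m = RFC5424.match(line)
    if m:
        pri = int(m.group("pri"))
        facility, severity = decode_pri(pri)
        sd, msg = split_structured_data(m.group("rest"))
        return {
            "format": "rfc5424", "pri": pri, "facility": facility, "severity": severity,
            "version": int(m.group("version")),
            "timestamp": parse_rfc5424_timestamp(m.group("timestamp")),
            "hostname": _nil(m.group("hostname")), "appname": _nil(m.group("appname")),
            "procid": _nil(m.group("procid")), "msgid": _nil(m.group("msgid")),
            "structured_data": sd, "message": msg,
        }
    m = RFC3164.match(line)
    if m:
        pri = int(m.group("pri")) if m.group("pri") is not None else None
        facility, severity = decode_pri(pri) if pri is not None else (None, None)
        return {
            "format": "rfc3164", "pri": pri, "facility": facility, "severity": severity,
            # Kept raw: the BSD timestamp carries neither year nor zone, so the
            # receiver (e.g. Logstash's date filter) has to supply both.
            "timestamp": m.group("timestamp"),
            "hostname": m.group("hostname"), "program": m.group("program"),
            "pid": m.group("pid"), "message": m.group("message"),
        }
    raise ValueError("unrecognised syslog line: %r" % line)


if __name__ == "__main__":
    for sample in (ROUTER_LINE, SD_LINE, BSD_LINE):
        print(parse_syslog(sample))
```

On the Logstash side the same distinction applies: the bundled grok patterns include `SYSLOG5424LINE` (built from `SYSLOG5424PRI` and `SYSLOG5424SD`) for the router's format, and the date filter then needs an ISO 8601 pattern rather than `MMM  d HH:mm:ss`. Keeping the PRI is worth doing for detection: severity and facility are set by the sender, so a filter on them is a cheap first triage cut, but they should not be trusted as proof of anything the message body does not also show.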

syslog is just the 'type' attribute value you are using for logstash configurations

You can use that as a conditional attribute. Please check whether you have all the plugins in this.

Since you don't have the SYSLOGTIMESTAMP pattern, this error has occurred.

I do have the plugin it just doesn't seem to be a valid syslog timestamp?

but manually doing this works: yyyy-MM-dd'T'HH:mm:ss,SSSZZZZ

You can define custom patterns and use them in your conf. You can add a reference to the custom patterns directory as well.
