What type of syslog format is this and how should I parse it?

Elastic Stack Logstash
1

I have logstash configured like so:

input {
  beats {
    port => "9998"
    type => syslog
  }
  tcp {
    port => "9999"
    type => syslog
  }
  udp {
    port => "9999"
    type => syslog
  }
....
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
...

So for my beats traffic it parses it fine, but for my router which I pointed to it for syslog I get grok parse errors and I see stuff like this in the messages:
<28>1 2017-07-18T04:21:30.008-04:00 myrouter inetd 1362 - - /usr/sbin/sshd[22023]: exited, status 255

All the lines are prefaced with some number in angle brackets. Before I try to manually finagle around this, is this like a specific syslog format? If I know its a format and what that format is then maybe I can google around and figure out how to change it to the right format on the router (junos srx).

Also it seems "2017-07-18T04:21:30.008-04:00" is not a valid SYSLOGTIMESTAMP format either

2

syslog is just the 'type' attribute value you are using for logstash configurations

You can use that as a conditional attribute. Please check whether you have all the plugins in this.

Since you dont have the SYSLOGTIMESTAMP pattern, this error has occured.

3

I do have the plugin it just doesn't seem to be a valid syslog timestamp?

but manually doing this works: yyyy-MM-dd'T'HH:mm:ss,SSSZZZZ

4

You can define the custom patterns and use it in your conf. You can add the reference to the custom patterns directory as well