logstash failing to parse syslog input

logstash

I've configured logstash (v1.5.0), with a simple syslog input, as follows:

input {
  syslog {
    type => syslog
    port => 5514
  }
}

filter {
  kv {}
}

output {
  elasticsearch {
    cluster => "logs"
    host => "0.0.0.0"
    protocol => "transport"
  }
}

However it seems to be failing on some of the cron logs. The following line fails to parse with a _grokparsefailure_sysloginput:

<77>Jul 22 22:01:01 ip-172-31-2-48 run-parts(/etc/cron.hourly)[2599 finished 0yum-hourly.cron

The final JSON output is:

{
  "_index": "logstash-2015.07.22",
  "_type": "syslog",
  "_id": "AU63yLrC118PBgBqQxRA",
  "_score": null,
  "_source": {
    "message": "<77>Jul 22 22:01:01 ip-172-31-2-48 run-parts(/etc/cron.hourly)[2599 finished 0yum-hourly.cron\n",
    "@version": "1",
    "@timestamp": "2015-07-22T22:01:01.569Z",
    "type": "syslog",
    "host": "172.31.2.48",
    "tags": [
      "_grokparsefailure_sysloginput"
    ],
    "priority": 0,
    "severity": 0,
    "facility": 0,
    "facility_label": "kernel",
    "severity_label": "Emergency"
  },
  "fields": {
    "@timestamp": [
      1437602461569
    ]
  },
  "sort": [
    1437602461569
  ]
}

Any pointers?


The syslog input use grok internally, your message is probably not following the syslog standard 100%.

The solution in this link worked for me: http://kartar.net/2014/09/when-logstash-and-syslog-go-wrong/

The key info from the link is:

Replace the existing syslog block in the Logstash configuration with:

input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}

Next, replace the parsing element of our syslog input plugin using a grok filter plugin.

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
}

You can edit the filter matching ("grok") syntax now, to match your desired format. It's also possible to support multiple different syntaxes with creative use of if, else if, and else.


Coming here after 4 years, now the logstash syslog input supports setting the grok pattern to use, as detailed in the documentation.

In order to keep the syslog input functionalities, one can as such insert the nonstandard pattern to parse in the grok_pattern setting, e.g.:

input {
  syslog {
    port => 514
    type => "syslog"
    grok_pattern => "(?:<%{POSINT:priority}>%{SYSLOGLINE}|YOUR NONSTANDARD PATTERN HERE)"
   }
}

or likewise amend the default <%{POSINT:priority}>%{SYSLOGLINE} pattern to make it match also the nonstandard input lines.

Related

How to disable update notification in gcloud command?
Can't use ctrl+c to kill process in VM
How Does DNSWL work? How can I gain better trust? [closed]
Cloudflare integration with Azure websites
Postfix: disable "sender non-delivery notification" from MAILER-DAEMON
Postfix connected to Load Balancer, how to turn down connect/disconnect messages in mail.log
How to get color output from SSH command
Debian 8 resolv.conf overwritten by IPv6 autoconfiguration/DHCP when DHCP disabled
What's the top normal S.M.A.R.T. temperature for HGST Helium Ultrastar 8TB 7200 RPM SAS 12Gb/s enterprise drives?
How can I combine two commands to tally data from compressed and uncompressed log files?
How to delete stuck mail in active/incoming queue - postfix
Can't send email to myself via gmail and postfix forwarding