Why can't the logstash syslog_pri filter see the priority in syslog messages

syslog rsyslog logstash

I'm running LS 2.0.0, and I've noticed an issue where the syslog_pri filter doesn't detect the priority at the start of my syslogs. My filter config is as follows:

filter {
  if [type] == "relp" {
    syslog_pri { }
    grok {
      match => { "message" => "%{SYSLOG5424PRI}(?:%{POSINT} |-)+(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +%{GREEDYDATA:syslog5424_msg}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{syslog5424_host}" ]
      tag_on_failure => "gpf_relp"
    }
    date {
      match => [ "syslog5424_ts", "ISO8601" ]
    }
  }
}

This should be able to pull the PRI from the following logs, but it fails, and reverts to the default (13) priority for all messages:

{
  "_index": "logstash-2015.11.10",
  "_type": "relp",
  "_id": "AVDxXHq4lzuNTbjDHPbE",
  "_score": null,
  "_source": {
    "message": "<86>1 2015-11-10T12:26:20.429088+00:00 integration-gw3 sshd 2587 - -  pam_unix(sshd:session): session closed for user sftpuser\n",
    "@version": "1",
    "@timestamp": "2015-11-10T12:26:20.429Z",
    "type": "relp",
    "host": "10.10.11.23:39532",
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice",
    "syslog5424_pri": "86",
    "syslog5424_ts": "2015-11-10T12:26:20.429088+00:00",
    "syslog5424_host": "integration-gw3",
    "syslog5424_app": "sshd",
    "syslog5424_msg": "2587 - -  pam_unix(sshd:session): session closed for user sftpuser\n",
    "received_at": "2015-11-10T12:26:20.430Z",
    "received_from": "integration-gw3"
  },
  "fields": {
    "@timestamp": [
      1447158380429
    ]
  },
  "sort": [
    1447158380429
  ]
}

As you can see the PRI is set to 86, and my grok filter picks this up, but the syslog_pri doesn't change these values from default:

    "syslog_facility": "user-level",
    "syslog_severity": "notice",

Can anyone suggest what I am doing wrong?


In looking at the docs for the syslog_pri filter, it seems it's looking for the priority in a field called syslog_pri, as opposed to the raw message.

Given that you're running that filter before groking the line, it doesn't have anything in that field and as such is returning priority 13 (user.notice), as outlined in the docs above.

For it to work the way you want, you'll need to move the syslog_pri filter after the grok and change it to this:

syslog_pri { 
  syslog_pri_field_name => "syslog5424_pri"
}

Related

Server infected by recent cryptojacking malware but different (?) entry point
firwalld on VPS without nf_conntrack kernel module
Allowing FTP access to a local user without allowing SSH/command line access
Fisheye + Nginx Reverse Proxy
What permissions are needed to run a system() command within a php script that writes to a folder?
How to tell domain controllers to not enroll a "Kerberos Authentication" certificate?
HP DL585 G1 with VMware ESXi 5 - SATA solution, need more storage
Does DHCP protocol allow a server to offer multiple addresses to clients instead of just one? [closed]
Local user accounts have disappeared after installing Active Directory and running dcpromo
Can NFS be forced to refresh stale files/directories when not using noac on the mount?
Server's power supply always on even if it is turned off
Configuring Apache on CentOS