syslog - Logstash input Filebeat
First of all, I apologize for my English.
I'm an intern in a company, putting in place an ELK solution with Filebeat to send the logs.
The problem: once the logs are recovered, syslog_pri displays notice, with severity_code 5.
Here is the configuration:
Logstash input:
    input {
      beats {
        port => 5044
        type => "logs"
        #ssl => true
        #ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        #ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
      }
    }
My filter:
    filter {
      if [type] == "syslog" {
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => [ "received_at", "%{@timestamp}" ]
          add_field => [ "received_from", "%{host}" ]
        }
        syslog_pri {
          syslog_pri_field_name => "syslog_pri"
        }
        geoip {
          source => "ip"
        }
        date {
          match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
    }
And the logs I receive:
    {
      "_index": "logstash-2016.01.27",
      "_type": "log",
      "_id": "avkdkbeio9fumglwsx1l",
      "_score": null,
      "_source": {
        "message": "2016-01-27T15:52:20.979+0100 warn [heartbeatservice running] collector.heartbeat.heartbeatservice - unable send heartbeat graylog server: connectexception: connection refused",
        "@version": "1",
        "@timestamp": "2016-01-27T14:52:21.896Z",
        "beat": {
          "hostname": "labsrvitt003",
          "name": "labsrvitt003"
        },
        "count": 1,
        "fields": null,
        "input_type": "log",
        "offset": 28494893,
        "source": "/var/log/graylog-collector/collector.log",
        "type": "log",
        "host": "labsrvitt003",
        "tags": [ "gpf_relp" ],
        "syslog_severity_code": 5,
        "syslog_facility_code": 1,
        "syslog_facility": "user-level",
        "syslog_severity": "notice"
      },
      "fields": {
        "@timestamp": [ 1453906341896 ]
      },
      "sort": [ 1453906341896 ]
    }
I'm posting because I am short of ideas; I have toured the documentation and found nothing.
In this link:
https://serverfault.com/questions/735230/why-cant-the-logstash-syslog-pri-filter-see-the-priority-in-syslog-messages
a person had the same problem and succeeded.
So if you have an idea, please share it.
Thanks
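An added illustration (not part of the original post) of how the syslog_pri filter arrives at exactly these values: RFC 3164 defines PRI = facility * 8 + severity, and the Logstash plugin falls back to priority 13 (facility 1 "user-level", severity 5 "notice") when the field it is told to read is absent from the event. The sample lines below are constructed; the application-log line mimics the message shown above, which carries no `<PRI>` header at all.

```python
import re

# Facility and severity labels as used by the Logstash syslog_pri filter
# (RFC 3164 numbering: facility 0..23, severity 0..7).
FACILITIES = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# What the Logstash syslog_pri filter assumes when the PRI field is missing:
# 13 = 1 * 8 + 5 = user-level.notice.
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split an RFC 3164 PRI value into the four fields Logstash emits."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "syslog_facility_code": facility,
        "syslog_facility": FACILITIES[facility],
        "syslog_severity_code": severity,
        "syslog_severity": SEVERITIES[severity],
    }


def extract_pri(line):
    """Return the integer PRI from a leading '<N>' header, or None if absent."""
    m = PRI_RE.match(line)
    return int(m.group(1)) if m else None


def enrich(line):
    """Mimic syslog_pri: decode the header if present, otherwise fall back to 13."""
    pri = extract_pri(line)
    fields = decode_pri(DEFAULT_PRI if pri is None else pri)
    fields["pri_present"] = pri is not None   # tells you whether 13 was a fallback
    return fields


# Constructed samples: a real syslog line with a PRI header, and an application
# log line in the same shape as the collector.log message above (no header).
SYSLOG_LINE = "<34>Jan 27 15:52:20 labsrvitt003 sshd[1234]: constructed sample event"
APP_LINE = "2016-01-27T15:52:20.979+0100 WARN [HeartbeatService] constructed sample event"
```

Running `enrich(APP_LINE)` reproduces the user-level/notice/5 seen in the question with `pri_present` False, which is the signature of the filter never having found a `syslog_pri` field to read.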