
I have a logstash server sending events to an elasticsearch server that is displaying the results in Kibana. Everything is working pretty well, other than that Kibana is showing 2 names in the host field. I am using the following grok filter in logstash.

^(?:<%{POSINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:host} (?:%{PROG:program}(?:\[%{POSINT:pid}\])?: )?%{GREEDYDATA:message}

When I use the Grok debugger, everything is parsed out correctly. However when I view it in Kibana, it shows this:

"host": [
  "logstash1",
  "servername.domain.com"
],

Where logstash1 is the name of my logstash server that is doing the parsing and sending to elasticsearch. I'm not sure why it is showing both the logstash server and the actual source as the host. How can I remove the logstash1 from the host field? An example of the logs is:

Dec 18 00:00:08 servername.domain.com pam_rhosts_auth[24233]: allowed to user1@192.168.1.1 as user1
Eric

1 Answer


Check out the overwrite option: http://logstash.net/docs/1.3.1/filters/grok#overwrite

grok {
...
    overwrite => [ "host" ]
...
}
Manuel Sousa
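A complete filter block wiring the question's grok pattern to the overwrite option. This is an added example, not the answerer's or the Logstash project's own configuration; including "message" in the overwrite list is my assumption, since the pattern also captures into a field the input has already populated.

```logstash
filter {
  grok {
    # The pattern from the question: %{IPORHOST:host} captures the syslog
    # source into the "host" field.
    match => [ "message", "^(?:<%{POSINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:host} (?:%{PROG:program}(?:\[%{POSINT:pid}\])?: )?%{GREEDYDATA:message}" ]

    # The input already set "host" to the Logstash server's own name
    # (logstash1 in the question). Without overwrite, grok appends the parsed
    # value, so Kibana shows an array with both names. With overwrite, the
    # parsed syslog source (servername.domain.com) replaces it.
    # "message" is listed for the same reason (assumption): the raw line is
    # already in "message" and the pattern captures into it again.
    overwrite => [ "host", "message" ]
  }
}
```

For the sample line "Dec 18 00:00:08 servername.domain.com pam_rhosts_auth[24233]: allowed to user1@192.168.1.1 as user1", the resulting event carries host=servername.domain.com, program=pam_rhosts_auth, pid=24233 and message="allowed to user1@192.168.1.1 as user1" as single values rather than arrays.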