
I'm looking through some syslog log files in my ELK stack and noticed that all the syslog_severity fields are 'notice', when I can verify in the log files that they are not 'notice'. Seems like Logstash is defaulting syslog_severity to notice. Whenever I go to Kibana to search, no matter what I put in the Logstash filter configuration file, Kibana always returns notice for the severity. I have this in my Logstash filter configuration:

```
filter {
  if [type] == "syslog" {
    grok {
      # SYSLOG5424LINE captures the PRI digits into the field syslog5424_pri
      match => { "message" => "%{SYSLOG5424LINE}" }
      # one hash instead of two add_field entries, so neither overrides the other
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    syslog_pri {
      # read the PRI from the field grok produced rather than the default syslog_pri
      syslog_pri_field_name => "syslog5424_pri"
    }
    date {
      match => [ "syslog5424_ts", "ISO8601" ]
    }
  }
}
```

I've looked at the solution mentioned here but don't think that applies in my case, if you look at my filter config file. I've tried the solution mentioned here and restarted my logstash service with

```
sudo service logstash restart
```

I've also tried restarting the rest of the services in my ELK stack, still getting notice for all of my syslog_severity fields. Any idea what needs to be changed in the filter?

My log messages are of this format:

```
<134>1 2015-01-01T11:12:23.180242-02:00 message
```

I've tested this grok with my messages in the grok debugger and it parses my messages just fine.

Celi Manu
  • Is there a reason you opened another question with essentially the same issues as your previous one? You could have just edited that one to include your changes. – GregL Feb 08 '17 at 02:44
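As an added example (not code from the question or from Logstash itself), the script below reproduces what the grok capture and the syslog_pri filter do with a PRI value: PRI = facility * 8 + severity, so `<134>` decodes to facility 16 (local0) and severity 6 (informational). It also models the documented fallback of the syslog_pri filter, which uses PRI 13 (user.notice) when the field named in `syslog_pri_field_name` is absent; the `grok_pri` function is a deliberately minimal stand-in for grok that only extracts the PRI, and the second sample line (no PRI) is constructed to show the fallback.

```python
import re

# RFC 5424 severity and facility names, indexed by numeric code.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]

# Stand-in for the SYSLOG5424PRI part of the grok pattern: the digits inside the
# leading angle brackets of "<134>1 2015-01-01T11:12:23.180242-02:00 message".
PRI_RE = re.compile(r"^<(\d{1,3})>")

# PRI the syslog_pri filter falls back to when its input field is missing:
# 13 = facility 1 (user) * 8 + severity 5 (notice). Hence "notice" on every event
# is the signature of a PRI field that was never populated.
DEFAULT_PRI = 13


def grok_pri(line, field_name="syslog5424_pri"):
    """Return an event dict carrying the PRI capture, or a parse-failure tag."""
    event = {"message": line}
    m = PRI_RE.match(line)
    if m:
        event[field_name] = m.group(1)   # grok stores the capture as a string
    else:
        event["tags"] = ["_grokparsefailure"]
    return event


def syslog_pri(event, syslog_pri_field_name="syslog5424_pri"):
    """Decode PRI into facility/severity fields the way the syslog_pri filter does."""
    raw = event.get(syslog_pri_field_name)
    try:
        pri = int(raw)
    except (TypeError, ValueError):    # field missing or not numeric
        pri = DEFAULT_PRI
    if not 0 <= pri <= 191:            # 24 facilities * 8 severities - 1
        pri = DEFAULT_PRI
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    event["syslog_facility_code"] = facility
    event["syslog_severity_code"] = severity
    event["syslog_facility"] = FACILITIES[facility]
    event["syslog_severity"] = SEVERITIES[severity]
    return event


def process(line, grok_field="syslog5424_pri", pri_field="syslog5424_pri"):
    """Run the two-stage pipeline; mismatched field names reproduce the 'notice' symptom."""
    return syslog_pri(grok_pri(line, grok_field), pri_field)


if __name__ == "__main__":
    # Constructed samples: the question's own message, then one without a PRI.
    samples = ["<134>1 2015-01-01T11:12:23.180242-02:00 message",
               "1 2015-01-01T11:12:23.180242-02:00 message"]
    for line in samples:
        ev = process(line)
        print(ev.get("tags", []), ev["syslog_facility"], ev["syslog_severity"])
    # Field-name mismatch between grok and syslog_pri: decodes as user.notice too.
    ev = process(samples[0], grok_field="syslog5424_pri", pri_field="syslog_pri")
    print("mismatch:", ev["syslog_facility"], ev["syslog_severity"])
```

The useful check when debugging a pipeline like the one in the question is to look at the raw event for `_grokparsefailure` in `tags` and for the presence of the exact field name passed to `syslog_pri_field_name`; if either is off, every event decodes to user.notice regardless of the PRI in the log line.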

0 Answers