Reputation: 17
Hi, I have a syslog made up of two events:
Jul 6 13:24:27 NODE1 zeus.eventd[14176]: pools/POOL nodes/IP:3000 nodefail Node NODE2 has failed - A monitor has detected a failure
Jul 6 13:24:34 NODE1 zeus.eventd[14176]: pools/POOL nodes/IP:3000 nodeworking Node NODE2 is working again
I would like to pull NODE2 from the syslog and add it as a field in the index along with nodefail/nodeworking.
Currently my input/grok is:
syslog {
    grok_pattern => "%{SYSLOGLINE}"
}
with no filter; however, all of the info I need is populated in a "message" field, so I am unable to use it in Elastic.
I know the position of what I want in the syslog line; I just need to pull it out and add it as a field.
Is anyone able to show me the input/filter config I need in order to achieve this?
Thanks,
TheCube
Edit: The message fields look like this:
zeus.eventd 14176 - - SERIOUS pools/POOL nodes/IP:3000 nodefail Node NODENAME has failed - A monitor has detected a failure
zeus.eventd 14176 - - INFO pools/POOL nodes/IP:3000 nodeworking Node NODENAME is working again
Upvotes: 0
Views: 3946
Reputation: 4100
You can use the dissect filter plugin on the message field created while parsing with %{SYSLOGLINE}:
dissect {
    mapping => {
        "message" => "%{} %{} %{status} %{} %{node_name} %{}"
    }
}
Or a second grok filter, applied on the message field created while parsing with %{SYSLOGLINE}, with this pattern:
^pools/POOL nodes/IP:\d+ %{WORD:status} Node %{WORD:node_name}
In both cases, with the logs given in your question, you get these results:
"status":"nodefail"
"node_name":"NODE2"
"status":"nodeworking"
"node_name":"OFSVDBM101"
Upvotes: 2
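As an added example (not code from the question or the answer), here is a small Python check that applies the answer's grok pattern and dissect mapping to both message forms shown in the question: the body after %{SYSLOGLINE} and the prefixed form from the edit. It assumes a simplified space-delimited dissect, expands grok's %{WORD} to \b\w+\b, and shows that both positional dissect and the ^-anchored grok depend on the message starting at "pools/", so the prefixed form needs the pattern adjusted.

```python
import re

# Constructed sample inputs taken from the question: message bodies as
# %{SYSLOGLINE} leaves them, and the prefixed form shown in the edit.
PLAIN_MESSAGES = [
    "pools/POOL nodes/IP:3000 nodefail Node NODE2 has failed - A monitor has detected a failure",
    "pools/POOL nodes/IP:3000 nodeworking Node NODE2 is working again",
]
PREFIXED_MESSAGES = [
    "zeus.eventd 14176 - - SERIOUS pools/POOL nodes/IP:3000 nodefail Node NODENAME has failed - A monitor has detected a failure",
    "zeus.eventd 14176 - - INFO pools/POOL nodes/IP:3000 nodeworking Node NODENAME is working again",
]

# The answer's grok pattern as a plain regex: %{WORD} expands to \b\w+\b.
GROK_ANCHORED = re.compile(
    r"^pools/POOL nodes/IP:\d+ (?P<status>\b\w+\b) Node (?P<node_name>\b\w+\b)")
# Same pattern without the ^ anchor, so the "program pid - - LEVEL " prefix is tolerated.
GROK_UNANCHORED = re.compile(
    r"pools/POOL nodes/IP:\d+ (?P<status>\b\w+\b) Node (?P<node_name>\b\w+\b)")


def grok_extract(message, pattern=GROK_ANCHORED):
    """Return {'status': ..., 'node_name': ...}, or None when the pattern does not match
    (Logstash would add the _grokparsefailure tag in that case)."""
    m = pattern.search(message)
    return m.groupdict() if m else None


def dissect_extract(message, mapping="%{} %{} %{status} %{} %{node_name} %{}"):
    """Simplified dissect (assumption: every delimiter is a single space).
    %{} skips a token and the last field swallows the rest of the line, as dissect does."""
    fields = re.findall(r"%\{(\w*)\}", mapping)
    tokens = message.split(" ", len(fields) - 1)
    if len(tokens) < len(fields):
        return None  # too few tokens: dissect would tag _dissectfailure
    return {name: tok for name, tok in zip(fields, tokens) if name}


if __name__ == "__main__":
    for msg in PLAIN_MESSAGES + PREFIXED_MESSAGES:
        print("dissect:", dissect_extract(msg))
        print("grok ^ :", grok_extract(msg))
        print("grok   :", grok_extract(msg, GROK_UNANCHORED))
```

On the prefixed messages the positional dissect mapping returns status "-" and node_name "SERIOUS"/"INFO", which is the kind of silent mis-parse worth asserting against in a pipeline test before shipping the filter.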