Hello,
I'm having an issue with a specific syslog type being sent from an external application (Cylance Antivirus) to Log Server.
Any message sent results in a _grokparsefailure tag being added.
A sample message is:
<118>1 2018-05-25T15:01:26.0901161Z sysloghost CylancePROTECT - - - Test Connection Message.
I haven't set up any filters for this; I am just using a syslog input on a specific port with a specific type so I can identify this type more easily.
syslog {
    type => 'Cylance_syslog'
    port => 5555
}
Thanks,
Syslog Parsing Issue
Re: Syslog Parsing Issue
That is not an RFC-3164 compliant message, in which the PRI value is immediately followed by the timestamp portion of the HEADER. The '1' following the PRI is the RFC-5424 VERSION. The syslog input plugin for Logstash (and consequently Nagios Log Server) only supports RFC-3164 if you want formatted events; this is true even for the latest versions of the syslog input plugin.
So the Grok parse is failing because it is expecting RFC-3164 and receiving something else. It's purely cosmetic at this point, but if you want richer parsing of the messages you'll likely need to change the input rule to a standard UDP input like so:
udp {
    type => 'Cylance_syslog'
    port => 5555
}
And add a filter rule to handle the Cylance message format:
if [type] == 'Cylance_syslog' {
    # filter the messages into fields!
}
This GitHub issue also has some discussion and potential solutions depending on how comfortable you are with Logstash filters:
https://github.com/logstash-plugins/log ... /issues/15
Last edited by mcapra on Fri May 25, 2018 1:26 pm, edited 1 time in total.
Former Nagios employee
https://www.mcapra.com/
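To make the point in the reply above concrete, here is an added example (not code from the thread, from Logstash, or from Nagios Log Server) that runs the Cylance line against a BSD-syslog (RFC 3164) header pattern and against an RFC 5424 header pattern. The RFC 3164 regex is my own approximation of what a BSD-syslog grok expects, not the plugin's actual grok definition; the sample inputs are the line quoted in the question plus the example message from RFC 3164 itself. A `None` result plays the role of the `_grokparsefailure` tag.

```python
"""Why an RFC 3164 pattern rejects the Cylance line, and what an RFC 5424 parse of it yields.

Added example; the patterns here approximate grok behaviour and are not Logstash's own.
"""
import re
from datetime import datetime

# Constructed test inputs: the line from the question, and the RFC 3164 section 5.4 example.
CYLANCE_LINE = "<118>1 2018-05-25T15:01:26.0901161Z sysloghost CylancePROTECT - - - Test Connection Message."
BSD_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

# Approximation of a BSD-syslog header: PRI, then "MMM dd HH:MM:SS", then host, then program[pid]: msg.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<program>[^:\[]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<message>.*)$"
)

# RFC 5424 header: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG].
# SD is either "-" (nil) or one or more bracketed elements.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2})\s"
    r"(?P<timestamp>-|\S+)\s"
    r"(?P<host>\S+)\s"
    r"(?P<app>\S+)\s"
    r"(?P<procid>\S+)\s"
    r"(?P<msgid>\S+)\s"
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"
    r"(?:\s(?P<message>.*))?$"
)


def parse_rfc3164(line):
    """Return header fields for a BSD-syslog line, or None (the grok failure case)."""
    m = RFC3164.match(line)
    return m.groupdict() if m else None


def parse_rfc5424(line):
    """Return header fields for an RFC 5424 line, or None if the header does not match."""
    m = RFC5424.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    # PRI encodes facility * 8 + severity; 118 -> facility 14 (log alert), severity 6 (informational).
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    # "-" is the RFC 5424 NILVALUE; normalise it so downstream code does not see a literal dash.
    for key in ("timestamp", "procid", "msgid", "sd"):
        if fields[key] == "-":
            fields[key] = None
    return fields


def parse_timestamp(ts):
    """Parse an RFC 5424 TIMESTAMP. Cylance sends 7 fractional digits; trim to microseconds."""
    m = re.match(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$", ts)
    if not m:
        return None
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")
    tz = "+00:00" if tz == "Z" else tz
    return datetime.strptime(f"{base}.{frac}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")


if __name__ == "__main__":
    for line in (CYLANCE_LINE, BSD_LINE):
        print(line)
        print("  RFC 3164:", parse_rfc3164(line))
        print("  RFC 5424:", parse_rfc5424(line))
```

Running it shows the Cylance line failing the RFC 3164 pattern (the VERSION digit sits where the month name is expected) while the RFC 5424 pattern yields host, app-name and message fields; the BSD line does the opposite. In Logstash itself the equivalent of the second pattern is the `%{SYSLOG5424LINE}` pattern shipped with grok, which is what a filter rule behind the UDP input would use.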
Re: Syslog Parsing Issue
@mcapra is correct: if the syslog message isn't compliant, you will need to set up TCP and UDP inputs instead of the syslog input.