Syslog Parsing Issue

pmisur
Posts: 2
Joined: Fri May 25, 2018 9:32 am

Syslog Parsing Issue

Post by pmisur »

Hello,

I'm having an issue with a specific syslog type being sent from an external application (Cylance Antivirus) to Log Server.

Any message sent results in a _grokparsefailure tag being added.
A sample message is:
<118>1 2018-05-25T15:01:26.0901161Z sysloghost CylancePROTECT - - - Test Connection Message.

I haven't set up any filters for this; I am just using a syslog input on a specific port with a specific type so I can identify this type more easily.

syslog {
    type => 'Cylance_syslog'
    port => 5555
}

Thanks,
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Syslog Parsing Issue

Post by mcapra »

That is not an RFC-3164-compliant message, in which the PRI value is immediately followed by the timestamp portion of the HEADER. The '1' following the PRI is the RFC-5424 VERSION. The syslog input plugin for Logstash (and consequently Nagios Log Server) only supports RFC-3164 if you want formatted events, even for the latest versions of the syslog input plugin.

So the Grok parse is failing because it is expecting RFC-3164 and receiving something else. It's purely cosmetic at this point, but if you want richer parsing of the messages you'll likely need to change the input rule to a standard UDP input like so:

udp {
    type => 'Cylance_syslog'
    port => 5555
}
And add a filter rule to handle the Cylance message format:

if [type] == 'Cylance_syslog' {
    # filter the messages into fields!
}
This github issue also has some discussion and potential solutions depending on how comfortable you are with Logstash filters:
https://github.com/logstash-plugins/log ... /issues/15
Last edited by mcapra on Fri May 25, 2018 1:26 pm, edited 1 time in total.
Former Nagios employee
https://www.mcapra.com/
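To make the mismatch concrete, here is an added example (not code from the thread or from Nagios/Logstash) that parses the quoted Cylance line with an RFC 5424 header regex, parses a constructed RFC 3164 line with the header shape the stock syslog input expects, and splits the PRI value into facility and severity. It is a stand-alone Python script; a Logstash filter rule would express the same RFC 5424 header with a grok pattern instead.

```python
import re

# Constructed samples: the Cylance line quoted in the thread (RFC 5424), and an
# RFC 3164 line of the shape the syslog input's grok pattern expects.
SAMPLE_5424 = "<118>1 2018-05-25T15:01:26.0901161Z sysloghost CylancePROTECT - - - Test Connection Message."
SAMPLE_3164 = "<34>May 25 15:01:26 sysloghost sshd[1234]: Test Connection Message."

# RFC 3164: <PRI> is immediately followed by a "Mmm dd hh:mm:ss" timestamp.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# RFC 5424: <PRI> is followed by VERSION, then ISO 8601 timestamp, HOSTNAME,
# APP-NAME, PROCID, MSGID, STRUCTURED-DATA ("-" when absent) and the free-form MSG.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<message>.*))?$"
)


def parse_pri(pri):
    """Split the <PRI> value into (facility, severity): PRI = facility * 8 + severity."""
    pri = int(pri)
    return pri // 8, pri % 8


def parse_syslog(line):
    """Return (format_name, fields) for a syslog line, or (None, {}) if neither header matches.

    A line that matches neither is exactly the case that earns _grokparsefailure
    when only the RFC 3164 pattern is applied.
    """
    for name, rx in (("rfc3164", RFC3164_RE), ("rfc5424", RFC5424_RE)):
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            fields["facility"], fields["severity"] = parse_pri(fields["pri"])
            return name, fields
    return None, {}


if __name__ == "__main__":
    for line in (SAMPLE_5424, SAMPLE_3164):
        print(parse_syslog(line))
```

Running it shows the Cylance line only matching the RFC 5424 header (version 1, app CylancePROTECT, facility 14, severity 6), which is why the RFC 3164 grok in the syslog input cannot format it.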
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Syslog Parsing Issue

Post by scottwilkerson »

@mcapra is correct: if the syslog message isn't compliant, you will need to set up TCP and UDP inputs instead of the syslog input.
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com