We are receiving syslogs from NetApp Controllers and looks like there's something non-standard with the logs. We are getting _grokparsefailures in the tags. We don't have any filters and other syslogs from Linux machines are fine. Is there something we could do to find out what is causing the failures?
(Server info blanked out)
NetApp Syslog Parse Error
-
CFT6Server
- Posts: 506
- Joined: Wed Apr 15, 2015 4:21 pm
NetApp Syslog Parse Error
You do not have the required permissions to view the files attached to this post.
Re: NetApp Syslog Parse Error
A good place to start is understanding the whole flow. I would like to request the following from you:
1. A few solid logs from the program - feel free to pull these logs out of the 'message' field since grok is failing to parse anyway.
2. The input type that you're using. I am under the assumption that you're using the 'syslog' input. You can find this information under 'Administration -> Global Configuration'.
My guess is that the logs coming from your NetApp Controllers are not in proper syslog format according to RFC 5424.
I recommend reading through the following document if you'd like a deeper understanding of things: http://kartar.net/2014/09/when-logstash ... -go-wrong/
1. A few solid logs from the program - feel free to pull these logs out of the 'message' field since grok is failing to parse anyway.
2. The input type that you're using. I am under the assumption that you're using the 'syslog' input. You can find this information under 'Administration -> Global Configuration'.
My guess is that the logs coming from your NetApp Controllers are not in proper syslog format according to RFC 5424.
I recommend reading through the following document if you'd like a deeper understanding of things: http://kartar.net/2014/09/when-logstash ... -go-wrong/