Moderator Edit: This thread has been split from another - https://support.nagios.com/forum/viewto ... 38&t=42206
In the future, please create a new thread and link to the old one instead of adding on.
Hi,
it seems that we have a similar problem.
We just started a trial installation with Nagios Log Server. We're an existing Nagios XI customer. I've got about 40 hosts reporting to Nagios Log Server, and a few (Cisco switches, bintec routers, ...) are showing something like <134> at the beginning of the message field. From my understanding, this is the severity and facility. Those entries have a 0 in the priority, severity and facility fields. It seems that a (hidden) syslog input filter was not able to identify this information.
Logs from ESXi host do work fine.
_______________________________________________________________________________
{
"_index": "logstash-2017.01.31",
"_type": "syslog-514",
"_id": "AVn0rLTsxIMbWB-yQ-LN",
"_score": null,
"_source": {
"message": "<134>IPSEC: Destroy Bundle 64203 (Peer 34 Traffic -10)\n",
"@version": "1",
"@timestamp": "2017-01-31T13:17:55.872Z",
"type": "syslog-514",
"host": "10.192.1.50",
"tags": [
"_grokparsefailure_sysloginput"
],
"priority": 0,
"severity": 0,
"facility": 0,
"facility_label": "kernel",
"severity_label": "Emergency"
},
"sort": [
1485868675872,
1485868675872
]
}
_______________________________________________________________________________
Nagios Log Server 1.4.4
Elasticsearch 1.6.0
Logstash 1.5.1
Kibana 3.1.1-nagios3
_______________________________________________________________________________
Inputs are modified
syslog {
type => 'syslog-514'
port => 514
}
________________________________________________________________________________
Thanx in advance
regards
Enno Recker
Incorrect severity & facility
Re: Incorrect severity & facility
The issue here is your input, as the syslog input automatically applies a grok filter.

syslog {
type => 'syslog-514'
port => 514
}

You'll want to change it to -

# The type value contains a hyphen, so it has to be quoted in the Logstash config.
tcp {
port => 514
type => "syslog-514"
}
udp {
port => 514
type => "syslog-514"
}

Then, create a filter for syslog-514 -

# The conditional has to match the type set by the inputs above ("syslog-514", not "syslog").
if [type] == "syslog-514" {
grok {
# Capture the program name into its own field rather than into "type", which the conditional depends on.
match => { "message" => "<%{POSINT:pri}>%{GREEDYDATA:program}: %{GREEDYDATA:message}" }
# grok adds to an existing field instead of replacing it, so tell it to overwrite "message".
overwrite => [ "message" ]
}
}

You may need to modify the above slightly as it's pretty general, but it'll allow you to begin parsing the information into fields. This page is pretty helpful for writing out your filters - https://grokdebug.herokuapp.com/
Former Nagios Employee
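The two posts above show what the <134> prefix means and why the stock syslog input gives up on it: the PRI is facility * 8 + severity, and a message that carries a PRI but no RFC 3164 timestamp/hostname header fails the input's built-in grok, so the event keeps priority 0 and is labelled kernel/Emergency. That matters for anything that alerts on severity_label: every informational router message looks like an emergency, and if someone filters those out, real emergencies go with them. The following Python is an added example for this thread, not Nagios Log Server or Logstash code. It decodes the PRI and parses both the full-header and the header-less form; the strict mode is my model of the behaviour visible in the posted JSON (the tag and the zeroed fields), not a copy of the input's hidden grok pattern. The ESXi-style line and the line without a PRI are constructed sample input; the IPSEC line is the one from the post.

```python
"""Decode syslog <PRI> prefixes and parse lines with or without the RFC 3164 header.

Added example for this thread; not Nagios Log Server or Logstash code. Sample lines
at the bottom are constructed, except the IPSEC line, which comes from the post.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Labels follow RFC 3164 Table 1 (facility) and Table 2 (severity), shortened.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd",
    "line printer", "network news", "UUCP", "clock", "security/authorization",
    "FTP", "NTP", "log audit", "log alert", "clock",
] + [f"local{n}" for n in range(8)]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error", "Warning",
                   "Notice", "Informational", "Debug"]

PARSE_FAILURE_TAG = "_grokparsefailure_sysloginput"  # tag seen on the event in the thread

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss hostname program[pid]: message"
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ 1-3]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<message>.*)$", re.S)
# Header-less form sent by the switches/routers in the thread: "program: message"
BARE_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<message>.*)$", re.S)


@dataclass
class SyslogEvent:
    message: str
    priority: int = 0
    facility: int = 0
    severity: int = 0
    program: Optional[str] = None
    host: Optional[str] = None
    timestamp: Optional[str] = None
    tags: List[str] = field(default_factory=list)

    @property
    def facility_label(self) -> str:
        return FACILITY_LABELS[self.facility]

    @property
    def severity_label(self) -> str:
        return SEVERITY_LABELS[self.severity]


def decode_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1); the valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)  # (facility, severity)


def parse_syslog(raw: str, require_header: bool = False) -> SyslogEvent:
    """Parse one syslog datagram.

    require_header=True models the strict behaviour seen in the thread: a line with a
    PRI but no RFC 3164 header is tagged as a parse failure and keeps priority 0, which
    labels it kernel/Emergency. require_header=False accepts the header-less form and
    still decodes the PRI correctly.
    """
    text = raw.rstrip("\r\n")
    ev = SyslogEvent(message=text)
    m = PRI_RE.match(text)
    if not m:
        ev.tags.append(PARSE_FAILURE_TAG)  # no PRI at all: nothing to decode
        return ev
    try:
        ev.facility, ev.severity = decode_pri(int(m.group(1)))
    except ValueError:
        ev.tags.append(PARSE_FAILURE_TAG)  # e.g. <999>: syntactically a PRI, but invalid
        return ev
    ev.priority = int(m.group(1))
    body = text[m.end():]
    h = HEADER_RE.match(body)
    if h:
        ev.timestamp, ev.host, ev.program = h["timestamp"], h["host"], h["program"]
        ev.message = h["message"]
        return ev
    if require_header:
        # Strict mode: PRI present but no header, so the whole line stays in "message"
        # and priority/facility/severity fall back to 0, as in the posted event.
        ev.priority = ev.facility = ev.severity = 0
        ev.tags.append(PARSE_FAILURE_TAG)
        return ev
    b = BARE_RE.match(body)
    if b:
        ev.program, ev.message = b["program"], b["message"]
    else:
        ev.message = body
    return ev


# Constructed sample input; only the first line is taken from the post.
SAMPLE_LINES = [
    "<134>IPSEC: Destroy Bundle 64203 (Peer 34 Traffic -10)\n",
    "<13>Jan 31 14:17:55 esxi01 Hostd[1234]: [info] Event 42 : User root logged in\n",
    "IPSEC: line without any PRI\n",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for strict in (True, False):
            ev = parse_syslog(line, require_header=strict)
            print(f"strict={strict!s:5} pri={ev.priority:3} {ev.facility_label}/{ev.severity_label}"
                  f" program={ev.program} tags={ev.tags} message={ev.message!r}")
```

Running it shows the IPSEC line decoding to local0/Informational in lenient mode and to kernel/Emergency with the failure tag in strict mode, which is exactly the difference between the poster's zeroed event and the fields the grok filter in the answer would produce. In Logstash the same decode of a captured `pri` field is done by the syslog_pri filter (`syslog_pri { syslog_pri_field_name => "pri" }`), which pairs naturally with the grok above; whichever route is used, it is worth treating events still carrying `_grokparsefailure_sysloginput` as "unknown severity" rather than letting them sit at Emergency.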
Re: Incorrect severity & facility
Thanks, that points me in the right direction.
regards
Re: Incorrect severity & facility
Awesome - I'll leave this open should you have further questions. One other link I forgot to mention is the logstash grok patterns page, which helps to explain what POSINT / GREEDYDATA represent - https://github.com/elastic/logstash/blo ... k-patterns
Former Nagios Employee
Re: Incorrect severity & facility
Just checking in since we have not heard from you in a while. Did @rkennedy's post clear things up?
Former Nagios employee