Hi,
While analysing the logs in Nagios Log Server I have found many logs which have not been parsed correctly by Logstash, which is causing further delays in our investigation. We have added ESXi hosts, Solaris servers and AIX servers and are receiving so many _grokparsefailure logs.
For example :
"2017-05-12T00:23:13.700Z","1","0","kernel","","10.56.44.23","","<166>Section for VMware ESX usplvb024u12s01.astrazeneca.net hostd-probe: id=71632724 version=5.5.0 build=3116895 option=Release\n","","0","","0","Emergency","_grokparsefailure_sysloginput","","","esxi"
Please help us in fixing this issue.
grokparsefailure_sysloginput
Re: grokparsefailure_sysloginput
A grokparsefailure means that the line of output did not match a given grok pattern. Without knowing what your patterns are, it's impossible to diagnose. Go to Administration -> Global Configuration and post a screenshot from that. More requests for information will be based on the output from that screen.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
Re: grokparsefailure_sysloginput
Hi,
Please find the screenshot of the global configuration.
Re: grokparsefailure_sysloginput
Can you close the Apache filter and list the remainder of your filters? Is there a filter specifically for your esxi input source? If not, then there is no grokking occurring at all, and that will be the source of your grokparsefailure.
Re: grokparsefailure_sysloginput
Yes, we do have a filter for the ESXi host:

    syslog {
        type => 'ESXi'
        port => 1514
    }

Please find the attachment. Do you want us to remove the ESXi host filter?
Re: grokparsefailure_sysloginput
No, that is an input. The filters are on the next column over to the right.
scottwilkerson (DevOps Engineer, Nagios Enterprises):
Re: grokparsefailure_sysloginput
The syslog input only supports RFC3164 syslog with some small modifications. The date format is allowed to be RFC3164 style or ISO8601. Otherwise the rest of RFC3164 must be obeyed. If you do not use RFC3164, do not use this input.
I would suggest creating a different input and using the tcp input for your ESXi logs, then you can add a grok filter to break them apart.
You can find an example on the bottom half of this page, using the Grok Debugger:
https://support.nagios.com/kb/article/n ... rview.html
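Editor's note, an added illustration that is not part of the thread and not Nagios or Logstash code: the Python below emulates, in plain regular expressions, what the advice above describes. The first function mimics the syslog input's RFC3164 grok (PRI, then an RFC3164 or ISO8601 timestamp, then host and program) and tags anything else with _grokparsefailure_sysloginput, which is exactly what happens to the "Section for VMware ESX ..." line from the first post. The second function is the suggested replacement pipeline: take the raw line as a tcp input would, try the RFC3164 pattern, then a custom pattern for the ESXi "Section" header line, and split the key=value payload the way a kv filter would. The Solaris and ESXi 5.5 sample lines other than the one quoted in the thread are constructed for this example, and the pattern names (RFC3164, ESXI_SECTION) are this example's own, not grok's. One thing worth noticing: PRI 166 decodes to facility local4, severity Informational, so the "Emergency" on the failed record is a side effect of the failed parse rather than the message's own severity.

```python
import re

# RFC 3164 section 4.1.1: PRI = facility * 8 + severity.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
_BASE = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
         "news", "uucp", "cron", "authpriv", "ftp"]
FACILITIES = {i: n for i, n in enumerate(_BASE)}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

PRI = r"^<(?P<pri>\d{1,3})>"
SYSLOG_TS = (r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
             r" +\d{1,2} \d{2}:\d{2}:\d{2}")
ISO_TS = (r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?"
          r"(?:Z|[+-]\d{2}:?\d{2})?")

# Approximation of the syslog input's grok: <PRI>TIMESTAMP HOST [PROG[PID]:] MSG
RFC3164 = re.compile(
    PRI
    + "(?P<timestamp>" + SYSLOG_TS + "|" + ISO_TS + ") "
    + r"(?P<logsource>[\w.-]+)"
    + r"(?: (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:)?"
    + r" ?(?P<message>.*)$"
)

# Custom pattern (this example's own) for the ESXi header line seen in the thread.
ESXI_SECTION = re.compile(
    PRI + r"Section for VMware ESX (?P<logsource>[\w.-]+) "
    + r"(?P<program>[^\s:]+): (?P<message>.*)$"
)

# What a kv filter would do with "id=1 version=5.5.0 ...".
KV = re.compile(r"(\w+)=(\S+)")


def decode_pri(pri: int) -> tuple:
    """Return (facility_label, severity_label) for a syslog PRI value."""
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8]


def syslog_input(line: str) -> dict:
    """Emulate the syslog input: RFC3164 grok or tag the event as a parse failure."""
    line = line.rstrip("\n")
    m = RFC3164.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure_sysloginput"]}
    event = m.groupdict()
    event["facility_label"], event["severity_label"] = decode_pri(int(event["pri"]))
    event["tags"] = []
    return event


def esxi_filter(line: str) -> dict:
    """Emulate tcp input + grok (RFC3164, then the ESXi header pattern) + kv."""
    line = line.rstrip("\n")
    for pattern in (RFC3164, ESXI_SECTION):
        m = pattern.match(line)
        if m:
            event = {k: v for k, v in m.groupdict().items() if v is not None}
            event["facility_label"], event["severity_label"] = decode_pri(int(event["pri"]))
            event["kv"] = dict(KV.findall(event.get("message", "")))
            event["tags"] = []
            return event
    return {"message": line, "tags": ["_grokparsefailure"]}


# The line quoted in the first post (newline restored from the CSV's "\n").
ESXI_LINE = ("<166>Section for VMware ESX usplvb024u12s01.astrazeneca.net "
             "hostd-probe: id=71632724 version=5.5.0 build=3116895 option=Release\n")
# Constructed samples: a Solaris RFC3164 line and an ESXi 5.5 hostd line with ISO8601 time.
RFC_LINE = ("<38>May 12 00:23:13 solaris01 sshd[4242]: Accepted publickey for root "
            "from 10.56.44.23 port 51234 ssh2")
ISO_LINE = ("<166>2017-05-12T00:23:13.700Z esx01 Hostd: [5E0FCB70 info "
            "'Vimsvc.ha-eventmgr'] Event 12345 : User root@10.0.0.1 logged in")

if __name__ == "__main__":
    for sample in (ESXI_LINE, RFC_LINE, ISO_LINE):
        print("syslog input :", syslog_input(sample))
        print("tcp+grok+kv  :", esxi_filter(sample))
```

Running it shows the ESXi header line tagged _grokparsefailure_sysloginput by the first function while the second breaks it into logsource, program and four key/value pairs, and the RFC3164 and ISO8601 lines parse cleanly in both. When building the real grok pattern in the Grok Debugger, anchor it with ^ and $ as above so a near-miss does not silently match a shorter prefix.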