
NetApp Syslog Parse Error

Posted: Tue Jun 30, 2015 12:14 pm
by CFT6Server
We are receiving syslogs from NetApp Controllers and it looks like there's something non-standard with the logs. We are getting _grokparsefailures in the tags. We don't have any filters, and other syslogs from Linux machines are fine. Is there something we could do to find out what is causing the failures?

(Server info blanked out)
grok.JPG

Re: NetApp Syslog Parse Error

Posted: Tue Jun 30, 2015 12:58 pm
by jolson
A good place to start is understanding the whole flow. I would like to request the following from you:

1. A few solid logs from the program - feel free to pull these logs out of the 'message' field since grok is failing to parse anyway.

2. The input type that you're using. I am under the assumption that you're using the 'syslog' input. You can find this information under 'Administration -> Global Configuration'.

My guess is that the logs coming from your NetApp Controllers are not in proper syslog format according to RFC 5424.

I recommend reading through the following document if you'd like a deeper understanding of things: http://kartar.net/2014/09/when-logstash ... -go-wrong/
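
One way to check the raw lines requested above against the syslog header formats, as an added example that is not part of either post: the regexes approximate the RFC 3164 and RFC 5424 header grammar and are not the grok patterns Logstash itself uses. The sample lines and host names are constructed for illustration and are not real NetApp output.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) "
    r"(?P<ts>-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: ...
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
)

# Constructed sample lines (hypothetical hosts, not captured from a device).
SAMPLES = [
    "<13>Jun 30 12:14:01 web01 sshd[1234]: Accepted publickey for admin",
    "<165>1 2015-06-30T12:14:01.003Z filer01 app 4711 ID47 - started",
    "<13>filer01: Tue Jun 30 12:14:01 PDT [raid.scan:info]: scan complete",
    "Jun 30 12:14:01 filer01 kernel: line sent without a priority",
]

def classify(line):
    """Return (format, detail) for one raw syslog line."""
    for name, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            if int(m.group("pri")) > 191:  # PRI = facility*8 + severity, max 23*8+7
                return ("invalid", "PRI above 191")
            return (name, "ok")
    # Neither header matched: report the first element that deviates.
    m = re.match(r"^<\d{1,3}>", line)
    if not m:
        return ("invalid", "missing <PRI> prefix")
    rest = line[m.end():]
    if re.match(r"[1-9]\d? ", rest):
        return ("invalid", "RFC 5424 version present but header fields malformed")
    if not re.match(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ", rest):
        return ("invalid", "no timestamp after <PRI>")
    return ("invalid", "hostname/tag section malformed")

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "|", s)
```

Running the failing 'message' values through `classify` shows which header element the sender gets wrong, which is the detail needed to write a matching grok pattern or to change the input type.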