Incorrect severity & facility
Posted: Tue Jan 31, 2017 8:23 am
Moderator Edit: This thread has been split from another - https://support.nagios.com/forum/viewto ... 38&t=42206
In the future, please create a new thread and link to the old one instead of adding on.
Hi,
It seems that we have a similar problem.
We just started a trial installation with Nagios Log Server. We're an existing Nagios XI customer. I've got about 40 hosts reporting to Nagios Log Server, and a few (Cisco switches, bintec routers, ...) are showing something like <134> at the beginning of the message field. From my understanding, this is the severity and facility. Those entries have a 0 in the priority, severity and facility fields. It seems that a (hidden) syslog input filter was not able to identify this information.
Logs from ESXi hosts do work fine.
_______________________________________________________________________________
{
  "_index": "logstash-2017.01.31",
  "_type": "syslog-514",
  "_id": "AVn0rLTsxIMbWB-yQ-LN",
  "_score": null,
  "_source": {
    "message": "<134>IPSEC: Destroy Bundle 64203 (Peer 34 Traffic -10)\n",
    "@version": "1",
    "@timestamp": "2017-01-31T13:17:55.872Z",
    "type": "syslog-514",
    "host": "10.192.1.50",
    "tags": [
      "_grokparsefailure_sysloginput"
    ],
    "priority": 0,
    "severity": 0,
    "facility": 0,
    "facility_label": "kernel",
    "severity_label": "Emergency"
  },
  "sort": [
    1485868675872,
    1485868675872
  ]
}
_______________________________________________________________________________
Nagios Log Server 1.4.4
Elasticsearch 1.6.0
Logstash 1.5.1
Kibana 3.1.1-nagios3
_______________________________________________________________________________
Inputs are modified:
syslog {
  type => 'syslog-514'
  port => 514
}
________________________________________________________________________________
Thanks in advance
regards
Enno Recker
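As an added illustration (my own code, not from the original post and not Logstash's or Nagios Log Server's implementation), here is a small Python parser for the syslog PRI field: <134> decodes as facility 16 (local0) and severity 6 (Informational), so the 0/kernel/Emergency values in the event above are defaults, not what the device sent. The strict pattern mirrors the RFC 3164 shape (<PRI>TIMESTAMP HOST MESSAGE) that the syslog input's grok expects; lines like the Cisco/bintec ones, which go straight from the PRI into free text, miss it, and the fallback decodes the PRI anyway while still tagging the event. The label tables and regexes are assumptions of this example.

```python
import re

# Standard syslog severity (0-7) and facility (0-23) names, RFC 3164 numbering.
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]
FACILITY_LABELS = ["kernel", "user-level", "mail", "daemon", "security/authorization",
                   "syslogd", "line printer", "network news", "UUCP", "clock",
                   "security/authorization", "FTP", "NTP", "log audit", "log alert",
                   "clock"] + ["local%d" % n for n in range(8)]

# Strict RFC 3164 shape the syslog input expects: <PRI>TIMESTAMP HOST MSG (assumed pattern).
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)
# Lenient fallback: PRI followed directly by free text, as in the Cisco/bintec lines above.
PRI_ONLY = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into facility and severity (RFC 3164: PRI = facility * 8 + severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {"priority": pri, "facility": facility, "severity": severity,
            "facility_label": FACILITY_LABELS[facility],
            "severity_label": SEVERITY_LABELS[severity]}


def parse_syslog(line):
    """Return the fields a pipeline would produce for one raw syslog line.

    A strict RFC 3164 match gives a clean event. When only the PRI can be recovered,
    the event still carries the _grokparsefailure_sysloginput tag (so the failure stays
    visible), but facility/severity are decoded from the PRI instead of defaulting to 0.
    """
    event = {"message": line, "tags": []}
    m = RFC3164.match(line)
    if m:
        event.update(timestamp=m.group("ts"), logsource=m.group("host"),
                     message=m.group("msg"))
    else:
        event["tags"].append("_grokparsefailure_sysloginput")
        m = PRI_ONLY.match(line)
        if m is None:                   # no PRI at all: fall back to 0 like the event quoted above
            event.update(decode_pri(0))
            return event
        event["message"] = m.group("msg").rstrip("\n")
    event.update(decode_pri(int(m.group("pri"))))
    return event
```

Running it over the message field from the event above yields facility local0 / severity Informational together with the grok-failure tag, which is the information the device actually encoded.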