Nagios Support Forum

Hi ,
While analysing the log in Nagios Log I have found many logs which have not been parsed correctly by log stash which is causing further delays in our investigation. We have added ESXI host ,Solaris server and Aix servers and receiving so many _grokparsefailure logs.

For example :
"2017-05-12T00:23:13.700Z","1","0","kernel","","10.56.44.23","","<166>Section for VMware ESX usplvb024u12s01.astrazeneca.net hostd-probe: id=71632724 version=5.5.0 build=3116895 option=Release\n","","0","","0","Emergency","_grokparsefailure_sysloginput","","","esxi"



Please help us in fixing the issue.

grokparse failure means that the line of output did not specifically match a given grok pattern. Without knowing what your patterns are, it's impossible to diagnose. Go to Administration -> Global Configuration and post a screenshot from that. More requests for information will be based on the output from that screen.

Thanks for the assist, @eloyd!

Hi ,

Please find the screen shot of global configuration

Can you close the Apache filter and list the remainder of your filters? Is there a filter specifically for your esxi input source? If not, then there is no grokking occurring at all, and that will be the source of your grokparsefailure.

Thanks for the assist, @eloyd!

Yes we do have a filter for ESXI host .

syslog {
type => 'ESXi'
port => 1514
}


Please find the attachment . Do you want us to remove the ESXI host filter ?

No, that is an input. The filters are on the next column over to the right.

The syslog input only supports RFC3164 syslog with some small modifications. The date format is allowed to be RFC3164 style or ISO8601. Otherwise the rest of RFC3164 must be obeyed. If you do not use RFC3164, do not use this input.

I would suggest creating a different input and use the tcp input for your ESXi logs, then you can add a GROK filter to break them apart.

You can find example on the bottom 1/2 of this page using the Grok Debugger
https://support.nagios.com/kb/article/n ... rview.html