Syslog Parsing Issue

Posted: Fri May 25, 2018 10:13 am
by pmisur
Hello,

I'm having an issue with a specific syslog type being sent from an external application (Cylance Antivirus) to Log Server.

Any message sent results in a _grokparsefailure tag being added.
A sample message is:
<118>1 2018-05-25T15:01:26.0901161Z sysloghost CylancePROTECT - - - Test Connection Message.

I haven't set up any filters for this; I am just using a syslog input on a specific port with a specific type so I can identify this type more easily.

syslog {
    type => 'Cylance_syslog'
    port => 5555
}

Thanks,

Re: Syslog Parsing Issue

Posted: Fri May 25, 2018 11:21 am
by mcapra
That is not an RFC-3164 compliant message, in which the PRI value is immediately followed by the timestamp portion of the HEADER. The '1' following the PRI is the RFC-5424 VERSION. The syslog input plugin for Logstash (and consequently Nagios Log Server) only supports RFC-3164 if you want formatted events, even in the latest versions of the syslog input plugin.

So the Grok parse is failing because it is expecting RFC-3164 and receiving something else. It's purely cosmetic at this point, but if you want richer parsing of the messages you'll likely need to change the input rule to a standard UDP input like so:

udp {
    type => 'Cylance_syslog'
    port => 5555
}
And add a filter rule to handle the Cylance message format:

if [type] == 'Cylance_syslog' {
    # filter the messages into fields!
}
This github issue also has some discussion and potential solutions depending on how comfortable you are with Logstash filters:
https://github.com/logstash-plugins/log ... /issues/15
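
As an added example (not from mcapra's post or from Nagios Log Server itself) of what that filter rule could look like: it keeps the UDP input suggested above and uses the stock `SYSLOG5424LINE` grok pattern that ships with Logstash to split the sample message into fields, then decodes the PRI with the `syslog_pri` filter. The type name and port come from the thread; the failure tag name and the field handling are assumptions.

```logstash
# Input: plain UDP listener, as suggested above. The syslog input's built-in
# RFC-3164 grok is what produces the _grokparsefailure tag on RFC-5424 lines.
input {
  udp {
    type => 'Cylance_syslog'
    port => 5555
  }
}

filter {
  if [type] == 'Cylance_syslog' {
    # SYSLOG5424LINE is a stock pattern from logstash-patterns-core. On the
    # sample line it yields syslog5424_pri=118, syslog5424_ver=1,
    # syslog5424_ts=2018-05-25T15:01:26.0901161Z, syslog5424_host=sysloghost,
    # syslog5424_app=CylancePROTECT and syslog5424_msg="Test Connection Message."
    # (procid, msgid and structured data are the "-" nil values).
    grok {
      match => { "message" => "%{SYSLOG5424LINE}" }
      # assumed tag name, so failures on this type are distinguishable
      tag_on_failure => [ "_cylance_grokparsefailure" ]
    }

    # Decode PRI into facility/severity: 118 = 14*8 + 6, i.e. facility 14
    # (log alert) and severity 6 (informational).
    syslog_pri {
      syslog_pri_field_name => "syslog5424_pri"
    }

    # Use the sender's own timestamp as @timestamp instead of arrival time.
    date {
      match => [ "syslog5424_ts", "ISO8601" ]
    }
  }
}
```

Verify against the sample line first; an event that still carries the failure tag afterwards deviates from the RFC-5424 layout shown above and its raw `message` field should be inspected.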

Re: Syslog Parsing Issue

Posted: Fri May 25, 2018 12:54 pm
by scottwilkerson
@mcapra is correct; if the syslog message isn't compliant, you will need to set up tcp and udp inputs instead of the syslog input.