
_grokparsefailure_sysloginput tag

Posted: Thu Aug 16, 2018 1:21 pm
by mgarrity10
Hello,

I am trying to feed in a Linux server from our DMZ to our local Nagios Log Server, and after setting everything up with the curl command I only get 1 log that shows up with the following message: "\xFF\xF4\xFF\xFD\u0006^]\r\n" in NLS. It has a _grokparsefailure_sysloginput tag attached to it, and I'm not sure if I need to do anything extra so that logs come into NLS normally.

Re: _grokparsefailure_sysloginput tag

Posted: Thu Aug 16, 2018 1:37 pm
by scottwilkerson
By default, the syslog input only supports RFC3164 syslog messages.

If your sending server isn't sending a compliant message, you will get a _grokparsefailure_sysloginput.

For this, you may want to create a new tcp or udp input on a different port in the configuration and send your logs to that port.


tcp {
    type => 'alt_syslog'
    port => 2099
}

udp {
    type => 'alt_syslog'
    port => 2099
}
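As an added illustration (this is not code from the thread or from Nagios Log Server / Logstash itself), the Python below approximates what the stock syslog input does: it matches each incoming line against an RFC 3164-shaped pattern, splits the PRI value into facility and severity, and attaches the _grokparsefailure_sysloginput tag to anything that does not fit. The regular expression is an assumption that approximates the grok syslog pattern, and the sample inputs are constructed: one compliant RFC 3164 line, one RFC 5424 line (which the default input does not accept), and a byte string modelled on the message reported in the first post (with "^]" taken as caret notation for 0x1D).

```python
import re

# Approximation of the RFC 3164 shape a stock syslog grok pattern expects:
#   <PRI>Mmm dd hh:mm:ss HOST MESSAGE      (the <PRI> part may be absent)
# This regex is an assumption for illustration, not Logstash's own pattern.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^ ]+) "
    r"(?P<message>.+)$",
    re.DOTALL,
)

FAILURE_TAG = "_grokparsefailure_sysloginput"

# Constructed samples (not captured from a real server).
SAMPLE_OK = b"<34>Aug 16 13:21:05 dmzhost sshd[1234]: Accepted publickey for admin\n"
SAMPLE_RFC5424 = b"<34>1 2018-08-16T13:21:05Z dmzhost sshd - - - Accepted publickey for admin\n"
# Modelled on the bytes quoted in the first post; the trailing 0x1D is an assumption for "^]".
SAMPLE_GARBLED = b"\xff\xf4\xff\xfd\x06\x1d\r\n"


def classify(raw: bytes) -> dict:
    """Parse one raw line the way a syslog input would, or tag it as a parse failure.

    Returns a dict of extracted fields on success; on failure the dict carries the
    undecodable/unparsed text under "message" and the failure tag under "tags".
    """
    # Non-UTF-8 bytes are kept (as U+FFFD) rather than raising, so the event
    # still reaches the index and can be spotted by its tag.
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = RFC3164_RE.match(text)
    if m is None:
        return {"message": text, "tags": [FAILURE_TAG]}

    fields = m.groupdict()
    if fields["pri"] is not None:
        # RFC 3164: PRI = facility * 8 + severity
        fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    fields["tags"] = []
    return fields


def failure_count(lines) -> int:
    """How many of the given raw lines would be tagged as parse failures."""
    return sum(1 for line in lines if FAILURE_TAG in classify(line)["tags"])


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_RFC5424, SAMPLE_GARBLED):
        print(sample, "->", classify(sample))
    print("failures:", failure_count([SAMPLE_OK, SAMPLE_RFC5424, SAMPLE_GARBLED]))
```

Running it shows the compliant line broken into facility, severity, timestamp, host and message, while both the RFC 5424 line and the garbled bytes come back with only the failure tag. That is the same outcome the thread describes: the default input is not at fault, the sender simply is not producing the format it expects, which is why a separate tcp/udp input on another port (as in the configuration above) is the usual way to accept such traffic and parse it with a filter of your own.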

Re: _grokparsefailure_sysloginput tag

Posted: Fri Aug 17, 2018 10:53 am
by mgarrity10
Thanks for the quick response. I am actually using a DMZ relay Nagios Log Server to send all logs from DMZ clients to our local level Nagios Log Server. Could this setup be messing up the syslog format?

Re: _grokparsefailure_sysloginput tag

Posted: Fri Aug 17, 2018 12:02 pm
by scottwilkerson
mgarrity10 wrote: Thanks for the quick response. I am actually using a DMZ relay Nagios Log Server to send all logs from DMZ clients to our local level Nagios Log Server. Could this setup be messing up the syslog format?
Could be, could you elaborate on this setup and configuration on both servers?