Hi,
When we use the non-SSL (5044), timestamp does not seem to be considered.
If we use the SSL/TLS, it works fine:
if [type] == 'syslog_tls' {
  grok {
    match => { "message" => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
    overwrite => [ 'message' ]
  }
  syslog_pri { }
  mutate {
    replace => [ 'type', 'syslog' ]
  }
}
Is there a way to ensure the standard syslog (5044) gets the good timestamp?
NLS is on UTC time (latest version + ubuntu 24.04 LTS).
Some servers are on EDT/GMT, etc.
Thanks!
Standard syslog input does not use the timestamp
Re: Standard syslog input does not use the timestamp
Hi @saber,
If that filter works for you for TLS, but you'd prefer not to use that for every connection, can you try updating that Logstash filter so that it doesn't include the line that checks for 'syslog_tls'? If you do this, make sure to remove the final closing } character as well. Please let us know how this goes, or if it doesn't fully address your needs for this.
- jmichaelson
- Posts: 375
- Joined: Wed Aug 23, 2023 1:02 pm
Re: Standard syslog input does not use the timestamp
I'm curious what you mean by the timestamp not getting considered. Is it that the timestamp isn't being correctly parsed from the log entry?
You may want to add a single filter for when type is syslog. e.g.,
if [type] == 'syslog' {
  grok {
    match => { "message" => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
    overwrite => [ 'message' ]
  }
  syslog_pri { }
}
Please let us know if you have any other questions or concerns.
-Jason
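As an added example (not from this thread or from Nagios Log Server), here is a Python re-implementation of what the grok and syslog_pri filters above extract from one line, plus the step the thread is really missing: reading the zone-less BSD timestamp in the sender's timezone and normalising it to UTC for @timestamp, which is what a Logstash date filter with its timezone option does. The log lines and the sender offsets are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Python equivalent of the grok pattern quoted in the thread:
#   <%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname}
#   %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}
SYSLOG_RE = re.compile(
    r"^<(?P<priority>\d+)>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

def parse_syslog(line, year, sender_tz=timezone.utc):
    """Return the fields the grok/syslog_pri/date filters would produce, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # syslog_pri {}: PRI = facility * 8 + severity
    pri = int(event["priority"])
    event["facility"] = pri // 8
    event["severity"] = pri % 8
    # The BSD timestamp carries neither a year nor a zone, so it has to be read
    # in the sender's zone (the date filter's timezone option) and then
    # converted to UTC, which is what @timestamp holds in Logstash.
    naive = datetime.strptime(f"{year} {event['timestamp']}", "%Y %b %d %H:%M:%S")
    event["@timestamp"] = naive.replace(tzinfo=sender_tz).astimezone(timezone.utc).isoformat()
    return event

# Constructed sample lines (not real log data); EDT is a fixed UTC-4 stand-in.
EDT = timezone(timedelta(hours=-4))
SAMPLES = [
    ("<34>Oct 11 22:14:15 web01 sshd[2345]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2", EDT),
    ("<13>Aug  5 09:03:07 db02 CRON: (root) CMD (run-parts /etc/cron.hourly)", timezone.utc),
]

if __name__ == "__main__":
    for line, tz in SAMPLES:
        print(parse_syslog(line, 2024, tz))
```

Without the timezone step, an EDT sender's 22:14 event would be stored as 22:14 UTC, four hours late, which is exactly the kind of skew that shows up as the timestamp "not being considered".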