Standard syslog input does not use the timestamp

Posted: Mon Oct 14, 2024 12:31 pm
by saber
Hi,

When we use the non-SSL (5044), timestamp does not seem to be considered.

If we use the SSL/TLS, it works fine:
if [type] == 'syslog_tls' {
  grok {
    match => { "message" => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
    overwrite => [ 'message' ]
  }
  syslog_pri { }
  mutate {
    replace => [ 'type', 'syslog' ]
  }
}

Is there a way to ensure the standard syslog (5044) gets the good timestamp?

NLS is on UTC time (latest version + Ubuntu 24.04 LTS).

Some servers have EDT/GMT, etc.

Thanks!

Re: Standard syslog input does not use the timestamp

Posted: Mon Oct 14, 2024 2:54 pm
by jsimon
Hi @saber,

If that filter works for you for TLS, but you'd prefer not to use that for every connection, can you try updating that Logstash filter so that it doesn't include the line that checks for 'syslog_tls'? If you do this, make sure to remove the final closing } character as well. Please let us know how this goes, or if it doesn't fully address your needs for this.

Re: Standard syslog input does not use the timestamp

Posted: Tue Oct 15, 2024 12:50 pm
by jmichaelson
I'm curious what you mean by the timestamp not getting considered. Is it that the timestamp isn't being correctly parsed from the log entry?

You may want to add a single filter for when type is syslog. e.g.,

if [type] == 'syslog' {
  grok {
    match => { "message" => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
    overwrite => [ 'message' ]
  }
  syslog_pri { }
}
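Both filters in this thread extract the syslog time into a field called `timestamp`, but neither of them, as posted, copies it into `@timestamp` (in Logstash that is the job of the `date` filter, whose `timezone` option names the sender's zone). The example below is an added illustration, not code from the thread, from Nagios Log Server or from Logstash: it reimplements the posted grok pattern and the `syslog_pri` facility/severity split in Python and then does the step the thread is missing, turning the zone-less, year-less RFC 3164 timestamp into a UTC event time. The sample lines, the per-host zones and the reference clock are constructed for the demo; a real deployment would take the sender's zone from an IANA name via `zoneinfo.ZoneInfo` so that DST is handled.

```python
"""Parse BSD-style syslog lines as the thread's grok pattern does, then
normalise the zone-less timestamp to UTC.  Added example; not code from
the thread, Nagios Log Server or Logstash.  Sample lines are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Stand-in for the grok pattern posted in the thread.  DATA is lazy (.*?)
# in grok; here the program name is restricted to "no space, '[' or ':'"
# which accepts the same well-formed lines and is easier to reason about.
SYSLOG_RE = re.compile(
    r"^<(?P<priority>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "   # SYSLOGTIMESTAMP
    r"(?P<hostname>\S+) "                                          # SYSLOGHOST
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "               # DATA / POSINT
    r"(?P<message>.*)$"                                            # GREEDYDATA
)

# Constructed sender zones.  Fixed offsets keep the demo self-contained;
# in production use zoneinfo.ZoneInfo("America/New_York") etc. so that the
# EDT/EST switch is applied automatically.
UTC = timezone.utc
EDT = timezone(timedelta(hours=-4), "EDT")

# Constructed "now" values: the collector's clock when the line arrives.
REF = datetime(2024, 10, 14, 18, 0, 0, tzinfo=UTC)      # mid-October 2024
REF_JAN = datetime(2025, 1, 2, 0, 0, 0, tzinfo=UTC)     # just after New Year

# Constructed sample lines, as a Logstash syslog input would see them.
SAMPLE_LINES = [
    "<34>Oct 14 12:31:05 web01 sshd[1234]: Accepted publickey for deploy "
    "from 10.0.0.5 port 51234 ssh2",
    "<13>Oct  4 09:05:00 db01 cron: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Dec 31 23:59:59 ntp01 chronyd[77]: System clock wrong by -2.1 seconds",
]


def parse_syslog(line, sender_tz, reference=None):
    """Return the fields the grok + syslog_pri filters would produce, plus
    an '@timestamp' in UTC derived from the line (not from receipt time).

    sender_tz  - tzinfo the originating host writes its timestamps in.
    reference  - aware datetime used to infer the missing year; defaults
                 to the current UTC time.
    Returns None when the line does not match the pattern.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    if reference is None:
        reference = datetime.now(UTC)

    # RFC 3164 timestamps carry no year: assume the reference year, unless
    # that lands the event in the future, which happens when a December
    # line is read in January.  strptime treats a space in the format as
    # any run of whitespace, so "Oct  4" (padded day) parses as well.
    year = reference.year
    local = datetime.strptime(
        f"{year} {f['timestamp']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=sender_tz)
    if local > reference + timedelta(days=1):
        local = local.replace(year=year - 1)

    # syslog_pri equivalent: PRI = facility * 8 + severity.
    pri = int(f["priority"])
    return {
        "@timestamp": local.astimezone(UTC).isoformat(),
        "hostname": f["hostname"],
        "program": f["program"],
        "pid": int(f["pid"]) if f["pid"] else None,
        "syslog_facility_code": pri >> 3,
        "syslog_severity_code": pri & 7,
        "message": f["message"],
    }


if __name__ == "__main__":
    # Same line, two assumed sender zones: the event time differs by 4 h,
    # which is exactly the skew an incident timeline gets when the zone
    # of a host "on EDT" is ignored by a collector running on UTC.
    for tz in (UTC, EDT):
        print(tz, parse_syslog(SAMPLE_LINES[0], tz, REF)["@timestamp"])
    print(parse_syslog(SAMPLE_LINES[2], UTC, REF_JAN)["@timestamp"])
```

The second and third sample lines exercise the two edge cases the pattern has to survive: a padded single-digit day with no pid, and a year rollover between the sender writing the line and the collector reading it.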