Syslog input configuration

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
denn12344
Posts: 1
Joined: Mon Jan 13, 2025 9:11 am

Syslog input configuration

Post by denn12344 »

Hey, I am new to Nagios LS and Logstash and got badly confused.
I use Allied Telesis switches that are sending syslogs to our new server.
This looks like this:


<date> <time> <facility>.<severity> <program[<pid>]>: <message>
-------------------------------------------------------------------------
2025 Jan 13 09:52:25 daemon.err alliedtelesys snmpd[2511]: snmp_build: unknown failure
2025 Jan 13 09:52:36 user.warning alliedtelesys: RECV: Unrecognised ethernet type
In Nagios LS I use this as input:


syslog {
    type => 'syslog'
    port => 514
}
Later, in the log at Nagios, the messages look like this. I am missing severity, for example; it is always showing 0. Also the field "message" is missing the part "<facility>.<severity>" after the timestamp. I think that makes it impossible to manipulate with grok in the filter section, right?


{
  "_index": "logstash-2025.01.13",
  "_type": "syslog",
  "_id": "AZRf_rzsflG_-1v0Jou-",
  "_score": null,
  "_source": {
    "message": "<12>2025 Jan 13 15:08:37 alliedtelesys LLDP[1155]: RECV: Unrecognised ethernet type\n",
    "@version": "1",
    "@timestamp": "2025-01-13T14:08:37.222Z",
    "type": "syslog",
    "host": "192.168.1.123",
    "tags": [
      "_grokparsefailure_sysloginput"
    ],
    "priority": 0,
    "severity": 0,
    "facility": 0,
    "facility_label": "kernel",
    "severity_label": "Emergency"
  },
  "highlight": {
    "host.raw": [
      "@start-highlight@192.168.1.123@end-highlight@"
    ],
    "host": [
      "@start-highlight@192.168.1.123@end-highlight@"
    ]
  },
  "sort": [
    1736777317222,
    1736777317222
  ]
}
Can you help me out with this?
I think this would be the right grok...


%{TIMESTAMP_ISO8601:timestamp} %{WORD:facility}\.%{WORD:severity} %{DATA:program}\[%{INT:pid}\]: %{GREEDYDATA:message}
jmichaelson
Posts: 282
Joined: Wed Aug 23, 2023 1:02 pm

Re: Syslog input configuration

Post by jmichaelson »

Assuming that the syslog format is correct, that seems like it should be working. But first, I'd like to look and make sure that the syslog entry is correct.

Install the ncat package for your distribution and as root issue the following command:


ncat -k -l -p 514
You'll have to stop logstash or at least disable the input on port 514 in Nagios Log Server while performing this test.

After you get a few lines of data you'll want to stop it and re-enable your input in Log Server or restart the logstash service depending on what you did there.

From there we can look to see if what you're grokking is correct for the logs coming from your devices.
Please let us know if you have any other questions or concerns.

-Jason
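To show what the ncat capture is checking for and what the grok then has to do, here is an added example in Python (not code from the thread, from Nagios Log Server or from Logstash): a UDP listener standing in for ncat (most network devices send syslog over UDP; ncat listens on TCP unless given -u), plus a decoder that does what a matching grok and syslog_pri filter pair would do. The datagrams are constructed from the lines quoted above, with the PRI values 27 (daemon.err, 3*8+3) and 12 (user.warning, 1*8+4) filled in from the facility.severity the switch prints locally and from the <12> visible in the Log Server event; the line with host mymachine is the sample message from RFC 3164, and the loopback port is for the demo only. The decoder accepts both the switch's year-first timestamp and plain RFC 3164, and on a header that does not match it falls back to priority 0 and a grok-failure tag, which is the shape of the event shown in the first post.

```python
"""Capture raw syslog datagrams and decode them the way a working Logstash
syslog input would: PRI -> facility/severity, then the header fields.
Added example for this thread, not code from Nagios Log Server or Logstash."""
import re
import socket
from datetime import datetime

# syslog(3) keyword names, the ones the switch's local log prints
# ("daemon.err", "user.warning"). Index = numeric code taken from the PRI.
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Wire format quoted in the thread. The four-digit year in front of the BSD
# timestamp is optional here; RFC 3164 has none, and a grok written for plain
# RFC 3164 stops matching at it. The program[pid] tag is optional too.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>(?:\d{4} )?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:]+)"
    r"(?: (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?)?"
    r": (?P<msg>.*?)\s*$")


def parse_syslog(raw: bytes, default_year: int = 1970) -> dict:
    """Decode one datagram. If the header does not match (or the PRI is out of
    range) return what Logstash emits then: raw text, priority 0, failure tag."""
    text = raw.decode("utf-8", errors="replace")
    m = HEADER.match(text)
    if not m or int(m["pri"]) > 191:          # 23 * 8 + 7 is the largest PRI
        return {"message": text, "priority": 0, "facility": 0, "severity": 0,
                "facility_label": FACILITIES[0], "severity_label": SEVERITIES[0],
                "tags": ["_grokparsefailure"]}
    pri = int(m["pri"])
    ts = m["ts"]
    if ts[:4].isdigit():                       # year-first variant from the switch
        stamp = datetime.strptime(ts, "%Y %b %d %H:%M:%S")
    else:                                      # RFC 3164 carries no year
        stamp = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=default_year)
    return {"timestamp": stamp.isoformat(), "host": m["host"],
            "program": m["program"], "pid": int(m["pid"]) if m["pid"] else None,
            "message": m["msg"], "priority": pri,
            "facility": pri >> 3, "severity": pri & 7,
            "facility_label": FACILITIES[pri >> 3],
            "severity_label": SEVERITIES[pri & 7], "tags": []}


def open_listener(host: str = "0.0.0.0", port: int = 514) -> socket.socket:
    """UDP listener, the equivalent of 'ncat -u -l -p 514'. Port 514 needs root
    and a stopped Logstash input; the demo below uses an ephemeral port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    return sock


def capture(sock: socket.socket, count: int, timeout: float = 5.0) -> list:
    """Receive up to `count` datagrams as (source_ip, raw_bytes) pairs."""
    sock.settimeout(timeout)
    got = []
    while len(got) < count:
        try:
            data, (ip, _port) = sock.recvfrom(65535)
        except socket.timeout:
            break
        got.append((ip, data))
    return got


def send_datagram(payload: bytes, host: str, port: int) -> None:
    """Stand-in for the switch: emit one syslog datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


# Constructed datagrams built from the lines quoted in the thread plus the
# RFC 3164 sample: <27> is daemon.err (3*8+3), <12> is user.warning (1*8+4).
SAMPLES = [
    b"<27>2025 Jan 13 09:52:25 alliedtelesys snmpd[2511]: snmp_build: unknown failure\n",
    b"<12>2025 Jan 13 09:52:36 alliedtelesys: RECV: Unrecognised ethernet type\n",
    b"<12>2025 Jan 13 15:08:37 alliedtelesys LLDP[1155]: RECV: Unrecognised ethernet type\n",
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
]


def demo() -> list:
    """Loopback round trip: listen, send the samples, capture and decode."""
    sock = open_listener("127.0.0.1", 0)
    port = sock.getsockname()[1]
    for s in SAMPLES:
        send_datagram(s, "127.0.0.1", port)
    events = [parse_syslog(raw) for _ip, raw in capture(sock, len(SAMPLES))]
    sock.close()
    return events


if __name__ == "__main__":
    for ev in demo():
        print(repr(ev["message"]), "->", f"{ev['facility_label']}.{ev['severity_label']}")
```

Run it as root with open_listener() on port 514 while the Log Server input is stopped to see the real datagrams. The facility and severity the first post reports as missing travel in the <PRI> prefix rather than as a separate "facility.severity" word, so a grok that consumes that prefix into a priority field and hands it to syslog_pri recovers them; what remains is making the timestamp pattern accept the leading year.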