elastic / logstash

Logstash - transport and process your logs, events, or other data
https://www.elastic.co/products/logstash

_grokparsefailure on syslog input #1497

Closed ghost closed 9 years ago

ghost commented 10 years ago

Not sure if this is a bug with Logstash or a problem on my end, but I have a logstash instance running receiving input from syslog and on about 90% of my outputs I get a "_grokparsefailure". I've tried running it with Grok and even removing my grok filters and I still get a parse failure. The few syslog messages that come through without a failure tag I've also noticed have three more fields than the ones that do fail: "logsource", "timestamp" (not @timestamp), and "program". My assumption is that whatever default parsing Logstash does to syslog inputs is trying to grab fields in the syslog messages that aren't there. Has anyone else encountered this issue? Looking to confirm whether this is a bug, a fault with Logstash, or a fault with my syslog.

suyograo commented 10 years ago

Can you provide a sample log line and also your logstash config?

jordansissel commented 10 years ago

Sorry for the confusion!

The syslog input uses grok internally to parse messages. So if you are receiving invalid syslog on that input, your message will be tagged _grokparsefailure.

I have a patch out that will change the tag applied to invalid syslog, so it should be less confusing in the future.

-Jordan

On Thursday, July 3, 2014, Darth-Cthulhu notifications@github.com wrote:

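The behaviour Jordan describes can be reproduced outside Logstash. The following Ruby script is an added example, not code from this issue or from the Logstash project: it re-implements, in a simplified form, the grok match the syslog input applies internally (RFC3164 framing, `<PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE`), using the same field names the reporter saw on the lines that did parse (`timestamp`, `logsource`, `program`). The sample lines and the helper names (`parse_syslog`, `parse_report`) are constructed for the demonstration; the real SYSLOGLINE pattern also accepts ISO8601 timestamps and a facility prefix, which this cut-down regex does not.

```ruby
# Added example, not Logstash's own code: a minimal stand-in for the grok
# match the Logstash syslog input runs on every received line. Lines that
# do not carry the RFC3164 framing get no logsource/timestamp/program
# fields and are tagged _grokparsefailure, exactly as reported above.

SYSLOG_TIMESTAMP = /(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{2}:\d{2}:\d{2}/

# Named captures mirror the grok SYSLOGLINE field names (simplified pattern).
SYSLOG_LINE = /\A<(?<priority>\d+)>(?<timestamp>#{SYSLOG_TIMESTAMP})\s+(?<logsource>\S+)\s+(?<program>[^\[:\s]+)(?:\[(?<pid>\d+)\])?:\s*(?<message>.*)\z/

FAILURE_TAG = "_grokparsefailure"

# Parse one raw line into an event hash. On a miss the event keeps only the
# raw message and gains the failure tag; on a hit it gains the syslog fields.
def parse_syslog(line)
  event = { "message" => line, "tags" => [] }
  m = SYSLOG_LINE.match(line)
  if m.nil?
    event["tags"] << FAILURE_TAG
    return event
  end
  m.names.each { |name| event[name] = m[name] unless m[name].nil? }
  # PRI = facility * 8 + severity (RFC3164 section 4.1.1)
  pri = m["priority"].to_i
  event["facility"] = pri / 8
  event["severity"] = pri % 8
  event
end

# Count how many lines parsed and how many were tagged, per tag.
def parse_report(lines)
  report = Hash.new(0)
  lines.each do |line|
    event = parse_syslog(line)
    if event["tags"].empty?
      report["parsed"] += 1
    else
      event["tags"].each { |t| report[t] += 1 }
    end
  end
  report
end

# Constructed sample input: one well-formed RFC3164 line, one line missing the
# <PRI> header (common with misconfigured relays), one RFC5424 line, one
# plain string with no syslog framing at all.
SAMPLE_LINES = [
  "<34>Oct 11 22:14:15 fw01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
  "Oct 11 22:14:15 fw01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
  "<165>1 2014-07-03T12:00:00Z app01 myapp 42 - - structured message",
  "just some text an application wrote to the socket",
].freeze

if __FILE__ == $0
  SAMPLE_LINES.each do |line|
    event = parse_syslog(line)
    status = event["tags"].empty? ? "parsed" : event["tags"].join(",")
    fields = event.reject { |k, _| %w[message tags].include?(k) }
    puts "#{status.ljust(18)} #{fields.inspect}"
  end
  puts parse_report(SAMPLE_LINES).inspect
end
```

Only the first sample line yields `logsource`, `timestamp` and `program`; the other three are tagged, which is the 90% failure rate the reporter saw if most senders are not emitting the RFC3164 header. The practical check is therefore to capture a few raw lines from the wire (for example with a `tcp`/`udp` input and no filters) and compare them against this framing before blaming the grok filters further down the pipeline.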

tudit commented 9 years ago

How to get rid of the tag?

suyograo commented 9 years ago

Fixed via #1593
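For the question of getting rid of the tag, the usual answer at the pipeline level is to stop relying on the syslog input's built-in parse and do the grok yourself, where you control both the pattern and the tag name. The pipeline below is an added example, not configuration from this issue or from the Logstash project; it assumes syslog arrives over UDP port 5514 in RFC3164 form, uses the stock `SYSLOGLINE` grok pattern, and uses a placeholder Elasticsearch host. The `hosts` option and the hash form of `match` are the syntax of current Logstash releases, not of the 1.4-era version discussed above.

```logstash
# Added example pipeline (not from the issue or the Logstash project).
# Assumptions: RFC3164 syslog on UDP 5514; ES_HOST_PLACEHOLDER is a placeholder.
input {
  udp {
    port => 5514
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # Same shape the syslog input expects: <PRI> followed by SYSLOGLINE,
      # but now the pattern is yours to adjust to what your senders emit.
      match => { "message" => "<%{POSINT:priority}>%{SYSLOGLINE}" }
      overwrite => [ "message" ]
      # Choose an explicit tag instead of the generic _grokparsefailure so
      # failures from this stage are distinguishable from later grok filters.
      tag_on_failure => [ "_syslog_parse_failure" ]
    }
    if "_syslog_parse_failure" not in [tags] {
      date {
        match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
    }
  }
}

output {
  if "_syslog_parse_failure" in [tags] {
    # Keep unparsed lines in their own index rather than dropping them:
    # a line that fails the regex is still evidence and still needs review.
    elasticsearch {
      hosts => [ "ES_HOST_PLACEHOLDER:9200" ]
      index => "syslog-unparsed-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => [ "ES_HOST_PLACEHOLDER:9200" ]
      index => "syslog-%{+YYYY.MM.dd}"
    }
  }
}
```

Two design points: the tag is made specific (`tag_on_failure`) so that a dashboard counting parse failures per stage can tell this one apart from the grok filters applied afterwards, and failed lines are routed to a separate index instead of being filtered out, since silently discarding the lines that do not match a regex is how an unexpected log format turns into a monitoring gap.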