logstash-plugins / logstash-input-syslog

Apache License 2.0

Haproxy syslog message facility bad parsing #13

Open jordansissel opened 9 years ago

jordansissel commented 9 years ago

(This issue was originally filed by @marianschmotzer at https://github.com/elastic/logstash/issues/2802)


Hi, after connecting haproxy to logstash with UDP syslog message shipping, all messages have facility 1, regardless of what I put into the haproxy configuration. Obviously the syslog plugin isn't parsing messages correctly, because the message after it leaves logstash looks like this: "<168>Mar 10 10:02:57 haproxy[2329]: backend 01-sc-backend has no server available!" Please notice the priority field is not being parsed; it is <168>, which is 168/8 = 21, and facility 21 equals the local5 facility level (as I have it set up in haproxy, please see below).
Logstash version: 1.4.2

Haproxy config (only relevant part):

    global
        group haproxy
        log syslog:1514 len 1024 local7
        log /var/lib/haproxy/dev/log local5
        log-tag haproxy
        maxconn 8000
        stats socket /var/lib/haproxy/stats
        tune.ssl.default-dh-param 2048
        user haproxy

    defaults
        log global
        option redispatch
        retries 3
        stats enable

Logstash config:

    input {
      syslog {
        port => '1514'
      }
    }
    output {
      if [facility] < 16 {
        elasticsearch_http {
          host => 'localhost'
          index => "syslog-%{+YYYY.MM.dd}"
          template_name => "logstash_denza"
          template => "/etc/logstash/logstash_template.json"
          manage_template => true
        }
      }
    }

marianschmotzer commented 9 years ago

Hi, I was looking at this a bit - maybe it is enough to alter the grok parsing pattern in the syslog module. What do you think?
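
An added example, not part of the thread and not the plugin's code: it decodes the PRI value of the haproxy line quoted in the issue and shows that a header pattern requiring a hostname misses that line, while one with an optional hostname matches it. `STRICT`, `TOLERANT`, `decode_pri` and `parse` are hypothetical names, the patterns are plain Ruby regexes rather than the plugin's grok patterns, and the second sample line is constructed.

```ruby
# Facility and severity names by numeric code (RFC 3164 numbering).
FACILITIES = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv ftp
                ntp audit alert clock local0 local1 local2 local3 local4 local5
                local6 local7].freeze
SEVERITIES = %w[emerg alert crit err warning notice info debug].freeze

# BSD-style timestamp, e.g. "Mar 10 10:02:57".
TS = /[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}/

# Hypothetical strict header: "<PRI>timestamp host program[pid]: message".
STRICT = /\A<(?<pri>\d{1,3})>(?<ts>#{TS}) (?<host>\S+) (?<prog>[^\s\[:]+)(?:\[(?<pid>\d+)\])?: (?<msg>.*)\z/m

# Hypothetical tolerant header: same layout, hostname optional.
TOLERANT = /\A<(?<pri>\d{1,3})>(?<ts>#{TS}) (?:(?<host>[^\s:\[]+) )?(?<prog>[^\s\[:]+)(?:\[(?<pid>\d+)\])?: (?<msg>.*)\z/m

# Line quoted in the issue (no hostname between timestamp and program).
HAPROXY_LINE = "<168>Mar 10 10:02:57 haproxy[2329]: backend 01-sc-backend has no server available!"
# Constructed line that does carry a hostname.
WITH_HOST_LINE = "<134>Mar 10 10:02:57 lb01 haproxy[2329]: ok"

# PRI = facility * 8 + severity; valid range is 0..191.
def decode_pri(pri)
  raise ArgumentError, "PRI out of range: #{pri}" unless (0..191).cover?(pri)
  facility, severity = pri.divmod(8)
  { facility: facility, facility_name: FACILITIES[facility],
    severity: severity, severity_name: SEVERITIES[severity] }
end

# Returns the decoded fields, or nil when the header does not match.
# A caller that substitutes a default priority on nil would hide the real PRI.
def parse(line, pattern)
  m = pattern.match(line)
  return nil unless m
  decode_pri(m[:pri].to_i).merge(host: m[:host], program: m[:prog],
                                 pid: m[:pid], message: m[:msg])
end

if __FILE__ == $0
  [HAPROXY_LINE, WITH_HOST_LINE].each do |line|
    puts "strict:   #{parse(line, STRICT).inspect}"
    puts "tolerant: #{parse(line, TOLERANT).inspect}"
  end
end
```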