logstash-plugins / logstash-patterns-core

Apache License 2.0

# NetScreen firewall logs NETSCREENSESSIONLOG - Now is RFC5424, so not parsing. #162

Open dneto82 opened 8 years ago

dneto82 commented 8 years ago

Hi Friends,

Trying to implement logstash to collect data from my netscreen devices (6.3.0r21), but I noticed the syslog format wasn't parsed correctly. After some grok search I noticed the log format is RFC5424.

Sample:

```
<189>SSG-SITE1175: NetScreen device_id=SSG-SITE1175 [Root]system-notification-00257(traffic): start_time="2016-07-06 05:34:27" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 src zone=Null dst zone=self action=Deny sent=0 rcvd=40 src=172.30.144.251 dst=224.0.0.18 session_id=0 reason=Traffic Denied
<133>SSG-SITE0006: NetScreen device_id=SSG-SITE0006 [Root]system-notification-00257(traffic): start_time="2016-07-06 05:34:28" duration=0 policy_id=89 service=dns proto=17 src zone=ZONE-A dst zone=Untrust action=Permit sent=0 rcvd=0 src=172.23.110.3 dst=192.31.1192.60 src_port=51435 dst_port=53 src-xlated ip=172.23.110.3 port=51435 dst-xlated ip=192.31.1192.60 port=53 session_id=7004 reason=Creation
```

My conf:

```
input {
  # the firewalls send syslog to this listener on both transports
  tcp {
    host => "10.114.243.55"
    port => 2514
    type => syslog
    tags => "traffic"
  }
  udp {
    host => "10.114.243.55"
    port => 2514
    type => syslog
    tags => "traffic"
  }
} # Input Block END

filter {
  if [type] == "syslog" {
    grok {
      match => ["message", "%{NETSCREENSESSIONLOG}"]
    }
  }
} # Filter Block END

output {
  if "traffic" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "firewall-traffic-%{+YYYY.MM}"
    }
  }
} # Output Block END
```

- Version: www-apps/kibana-bin-4.5.1::gentoo, app-admin/logstash-bin-2.3.3::gentoo, app-misc/elasticsearch-2.3.3::gentoo
- Operating System: Funtoo x64

I think this can be related to this [enhancement](https://github.com/logstash-plugins/logstash-input-syslog/issues/15). Now I'm trying to make a new grok pattern.

blacksd commented 7 years ago

Hi, are you sure that it's really RFC5424? If I got it right, the VERSION number (the one after the PRI) isn't optional, and the timestamp is missing/out of place.

It looks like a custom format.
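Added example, not part of the issue thread or of logstash-patterns-core: a small Python parser for the NetScreen lines posted above, plus the header check blacksd describes. It shows why a stock RFC 5424 parser cannot match these lines (no VERSION and no timestamp after the PRI) and how the key=value body can be split even though some keys contain spaces (`src zone`, `src-xlated ip`) and `port` appears twice. The named groups are the same shape a grok pattern would use; the multi-word key list and the constructed sample lines are assumptions taken from the two log lines in the issue, and the malformed `192.31.1192.60` address is kept exactly as the device sent it.

```python
import re

# Constructed sample input, copied from the shape of the two lines in the issue.
NETSCREEN_LINES = [
    '<189>SSG-SITE1175: NetScreen device_id=SSG-SITE1175 [Root]system-notification-00257(traffic): '
    'start_time="2016-07-06 05:34:27" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 '
    'src zone=Null dst zone=self action=Deny sent=0 rcvd=40 src=172.30.144.251 dst=224.0.0.18 '
    'session_id=0 reason=Traffic Denied',
    '<133>SSG-SITE0006: NetScreen device_id=SSG-SITE0006 [Root]system-notification-00257(traffic): '
    'start_time="2016-07-06 05:34:28" duration=0 policy_id=89 service=dns proto=17 src zone=ZONE-A '
    'dst zone=Untrust action=Permit sent=0 rcvd=0 src=172.23.110.3 dst=192.31.1192.60 src_port=51435 '
    'dst_port=53 src-xlated ip=172.23.110.3 port=51435 dst-xlated ip=192.31.1192.60 port=53 '
    'session_id=7004 reason=Creation',
]

# RFC 5424 starts "<PRI>VERSION TIMESTAMP HOSTNAME ..."; VERSION is mandatory.
# The NetScreen lines go straight from "<PRI>" to "HOSTNAME:", so this never matches them.
RFC5424_HEADER = re.compile(r'^<\d{1,3}>\d{1,2} \S+ \S+ ')

# NetScreen prefix up to the key=value body; each group would be a %{...:name} in grok.
NETSCREEN_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<host>[^:\s]+): NetScreen device_id=(?P<device_id>\S+) '
    r'\[(?P<vsys>[^\]]+)\](?P<category>\w+)-(?P<level>\w+)-(?P<msg_id>\d+)\((?P<msg_type>[^)]+)\): '
    r'(?P<body>.*)$'
)

# Keys that contain a space (assumed list, taken from the posted lines). They are tried
# before the generic key so "src zone=Null" is not read as value "zone=Null" for key "src".
MULTIWORD_KEYS = ('src zone', 'dst zone', 'src-xlated ip', 'dst-xlated ip')
KEY_RE = re.compile(
    r'(?:^|\s)(' + '|'.join(re.escape(k) for k in MULTIWORD_KEYS) + r'|[\w\-]+)='
)


def is_rfc5424(line):
    """True only if the line carries the mandatory RFC 5424 VERSION and a timestamp."""
    return RFC5424_HEADER.match(line) is not None


def decode_pri(pri):
    """Split the syslog PRI into (facility, severity)."""
    return pri >> 3, pri & 7


def parse_kv(body):
    """Split 'k=v k2=v2' where values may be quoted, contain spaces, or run to end of line."""
    fields = {}
    prev_key = None
    matches = list(KEY_RE.finditer(body))
    for i, m in enumerate(matches):
        key = m.group(1)
        # A value extends to the start of the next key (or end of line).
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        value = body[m.end():end].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        # "port" follows each *-xlated ip; tie it to that address so neither copy is lost.
        if key == 'port' and prev_key in ('src-xlated ip', 'dst-xlated ip'):
            key = prev_key.replace(' ip', ' port')
        fields[key] = value
        prev_key = key
    return fields


def parse_netscreen(line):
    """Return a dict of header and body fields, or None if the line is not a NetScreen record."""
    m = NETSCREEN_HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop('body')
    rec['pri'] = int(rec['pri'])
    rec['facility'], rec['severity'] = decode_pri(rec['pri'])
    rec.update(parse_kv(body))
    return rec


if __name__ == '__main__':
    for line in NETSCREEN_LINES:
        print('rfc5424:', is_rfc5424(line))
        print(parse_netscreen(line))
```

The PRI values decode to facility 23 / severity 5 and facility 16 / severity 5, which is all the syslog input can recover from these lines before the grok filter runs; everything else, including the timestamp, lives in the vendor-specific body.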