Answer the question
In order to leave comments, you need to log in
M
M
Maxim2018-10-21 23:18:38
Maxim, 2018-10-21 23:18:38
I don't understand what's wrong, logstash doesn't work with grok?
assembled a simple filter
filter {
if [type] == "rsyslog"{
grok {
add_tag => "TEST"
}
}
}Logstash in debug mode produces the following
[2018-10-21T23:12:58,284][DEBUG][logstash.pipeline ] output received {"event"=>{"tags"=>["<b>_grokparsefailure</b>"], "facility"=>"user", "sysloghost"=>"gateway", "type"=>"rsyslog", "procid"=>"-", "severity"=>"notice", "@timestamp"=>2018-10-21T20:12:58.178Z, "programname"=>"dns,packet", "host"=>"127.0.0.1", "message"=>" question: ftp.local:A:IN", "@version"=>"1"}}correctly I understand that with the tag "_grokparsefailure" grok does not process?
PS: the logs themselves go to the cluster.
{
"_index": "logstash-2018.10.21",
"_type": "doc",
"_id": "TOtFmGYBF3439qZqD331",
"_version": 1,
"_score": null,
"_source": {
"tags": [
"_grokparsefailure"
],
"facility": "daemon",
"sysloghost": "shtirliz",
"type": "rsyslog",
"procid": "-",
"severity": "notice",
"@timestamp": "2018-10-21T20:15:54.565Z",
"programname": "systemd",
"host": "127.0.0.1",
"message": "Unit auditbeat.service entered failed state.",
"@version": "1"
},
"fields": {
"@timestamp": [
"2018-10-21T20:15:54.565Z"
]
},
"highlight": {
"tags": [
"_grokparsefailure"
]
},
"sort": [
1540152954565
]
}
Similar questions
L
T
K
S
K
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question