Understanding Logstash Parsing Configurations and Options

# Every Logstash pipeline has three stages; each stage is a block of plugins.
input {
    # input config options (file, beats, syslog, ...)
}
filter {
    # parsing options (grok, date, mutate, ...)
}
output {
    # output options (elasticsearch, stdout, ...)
}

A grok filter that splits a standard syslog line into named fields:

filter {
    grok {
        # SYSLOGTIMESTAMP matches "May 18 11:24:30"; TIMESTAMP_ISO8601 would not
        # match this format and would leave the event tagged _grokparsefailure.
        match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
}

Analysis of the config:

syslog event: May 18 11:24:30 User-PC /usr/lib/gdm3/gdm-x-session[8693]: Successfully activated service 'org.gnome.Terminal'

syslog_timestamp ===> May 18 11:24:30
syslog_hostname ===> User-PC
syslog_program ===> /usr/lib/gdm3/gdm-x-session
syslog_pid ===> 8693
syslog_message ===> Successfully activated service 'org.gnome.Terminal'
The same parse using the bundled SYSLOGBASE pattern (timestamp, host, program and pid in one), keeping only the message text in the message field:

filter {
    grok {
        # GREEDYDATA, not DATA: a trailing DATA is lazy and captures an empty string.
        match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:message}" }
        # Without overwrite, grok would add the captured text as a second value
        # of "message" instead of replacing the original line.
        overwrite => [ "message" ]
    }
}
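To see what the two filters above actually capture, here is an added Python example (not from the original article) that expands a trimmed-down set of the core grok patterns into a regex and runs both filters' match patterns over a constructed copy of the sample event, including why a trailing %{DATA} captures nothing. The PATTERNS table is a simplified subset written for this example, not the real Logstash pattern library.

```python
import re

# Trimmed-down versions of the Logstash core grok patterns this page uses
# (constructed for this example, not the full logstash-patterns-core library).
PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::(?:[0-5]?[0-9]|60))?",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\b",
    "SYSLOGHOST": r"%{HOSTNAME}",
    "POSINT": r"\b[1-9][0-9]*\b",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",  # printable ASCII except '[' and ']'
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
    "SYSLOGBASE": r"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{SYSLOGPROG}:",
    "DATA": r".*?",       # lazy: at the end of a pattern it matches nothing
    "GREEDYDATA": r".*",  # greedy: takes the rest of the line
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(pattern):
    """Expand %{NAME} / %{NAME:field} references recursively into a Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = _REF.sub(expand, PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_REF.sub(expand, pattern))

def grok(pattern, line):
    """Return the named fields as a dict, or None when the line does not match."""
    m = compile_grok(pattern).search(line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

# Constructed sample line with the same shape as the event discussed on the page.
LINE = ("May 18 11:24:30 User-PC /usr/lib/gdm3/gdm-x-session[8693]: "
        "Successfully activated service 'org.gnome.Terminal'")
PAGE_PATTERN = (r"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} "
                r"%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}")

def parse_syslog(line=LINE):
    return grok(PAGE_PATTERN, line)

def trailing_data_pitfall(line=LINE):
    """Trailing %{DATA} captures '' (lazy); trailing %{GREEDYDATA} captures the message."""
    lazy = grok("%{SYSLOGBASE} %{DATA:message}", line)["message"]
    greedy = grok("%{SYSLOGBASE} %{GREEDYDATA:message}", line)["message"]
    return lazy, greedy

if __name__ == "__main__":
    for field, value in parse_syslog().items():
        print(f"{field} ===> {value}")
    print("trailing DATA vs GREEDYDATA:", trailing_data_pitfall())
```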

The article was originally published at MicroPyramid blog
