Logstash grok filter custom date

Question

Im working on writing a logstash grok filter for syslog messages coming from my Synology box. An example message looks like this.

Jun  3 09:39:29 diskstation Connection user:\tUser [user] logged in from [192.168.1.121] via [DSM].

Im having a hard time filtering out the weirdly formatted timestamp. Could anyone give me a helping hand here? This is what I have so far.

if [type] == "syslog" and [message] =~ "diskstation" {
    grok {
      match => [ "message", "%{HOSTNAME:hostname} %{WORD:program} %{GREEDYDATA:syslog_message}" ]
    }
  }

As you can probably tell I havent dealt with the timestamp yet at all. Some help would be appreciated.

score 0 · Answer 1 · answered Jun 03 '15 at 08:11

0

The following config can help you to parse the log.

grok {
    match => [ "message", "%{SYSLOGTIMESTAMP:date} %{HOSTNAME:hostname} %{WORD:program} %{GREEDYDATA:syslog_message}" ]
}

You can try your log and pattern at here and refer all the provided pattern at here.

answered Jun 03 '15 at 08:11

Ban-Chuan Lim

7,840
4
35
52

Those links will surely be of tremendous help! Thank you! – ardevd Jun 03 '15 at 08:14

Logstash grok filter custom date

1 Answers1