I have set up an ELK stack on a server. I configured Logstash and the other things and sent syslog test messages to Logstash. Everything works fine.
Now I try to send syslog messages from a Cisco WLC and a Cisco switch to Logstash, and it seems that the message encoding is wrong.
In the Logstash logfile I see the following entry (I removed the message):
[2018-01-09T16:04:24,603][WARN ][logstash.codecs.plain ] Received an event that has a different character encoding than you configured. {:text=>"0\x82\u0002B\u0002\u0001\u0001\u000...[REMOVED BECAUSE OF SECURITY PURPOSES], :expected_charset=>"UTF-8"}
The input of my Logstash config file is the following:
input {
  udp {
    port => 514
    type => syslog
    codec => plain {
      charset => "ISO-8859-1"
    }
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
I have already tried experimenting with the codec in the input, but with no success. What am I doing wrong?
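Before changing the codec charset, it helps to check what the devices actually put into the UDP/514 datagrams. The following is an added example, not code from the question or the answer: it classifies a datagram's leading bytes as RFC 3164 syslog (starts with `<PRI>`), RFC 5424 syslog (starts with `<PRI>1 `), or a BER/ASN.1 SEQUENCE, which is what the prefix quoted in the warning above (`0\x82\x02B...`, where `0` is byte 0x30) decodes to. The sample datagrams are constructed; `listen_and_classify` assumes it may bind the port (514 needs privileges).

```python
import re
import socket

# Constructed samples. BINARY_SAMPLE reproduces the prefix quoted in the
# Logstash warning ("0\x82\u0002B\u0002\u0001\u0001"); the rest is padding.
BINARY_SAMPLE = b"0\x82\x02B\x02\x01\x01\x04" + b"\x00" * 8
RFC3164_SAMPLE = b"<189>Jan  9 16:04:24 wlc01 test message"
RFC5424_SAMPLE = b"<189>1 2018-01-09T16:04:24Z sw01 - - - - test message"

_PRI = re.compile(rb"^<(\d{1,3})>(1 )?")


def classify_datagram(data: bytes) -> dict:
    """Classify the leading bytes of a datagram received on the syslog port.

    Returns {'kind': 'rfc3164'|'rfc5424'|'ber'|'unknown', ...details}.
    """
    m = _PRI.match(data)
    if m:
        pri = int(m.group(1))
        if pri > 191:  # PRI is facility*8 + severity, max 23*8 + 7
            return {"kind": "unknown", "reason": "PRI out of range"}
        kind = "rfc5424" if m.group(2) else "rfc3164"
        return {"kind": kind, "facility": pri >> 3, "severity": pri & 7}
    # BER/ASN.1: tag 0x30 (SEQUENCE) followed by a length octet.
    if len(data) >= 2 and data[0] == 0x30:
        first = data[1]
        if first & 0x80:  # long form: low 7 bits = number of length octets
            n = first & 0x7F
            if n == 0 or len(data) < 2 + n:
                return {"kind": "unknown", "reason": "truncated BER length"}
            length = int.from_bytes(data[2:2 + n], "big")
        else:             # short form: the octet is the length itself
            length = first
        return {"kind": "ber", "sequence_length": length}
    return {"kind": "unknown", "reason": "no syslog PRI, not a BER SEQUENCE"}


def listen_and_classify(port=514, max_datagrams=5, timeout=10.0):
    """Bind UDP/port (privileged for 514) and classify the next datagrams."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        s.settimeout(timeout)
        while len(results) < max_datagrams:
            try:
                data, (src, _) = s.recvfrom(65535)
            except socket.timeout:
                break
            results.append((src, classify_datagram(data)))
    return results
```

Stop Logstash (or use another port) while running `listen_and_classify`, since only one process can bind the UDP port; a `ber` result means the sender is not emitting text syslog at all, so no codec charset will parse it.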
Logstash only supports RFC3164 syslog messages, and Cisco only supports RFC5424, so you need to find a way to convert RFC5424 to RFC3164.