elasticsearch, logstash-grok, logstash-configuration

Is there a way to append year part to the syslogs in logstash


I am new to the ELK stack. I am currently working on syslogs which are of the form:

Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...

The grok pattern I am using is as below:

    filter {
        grok {
            match => {
                "message" => [
                   "%{SYSLOGTIMESTAMP:syslog_date}\s+%{DATA:node}\s+%{DATA:component_name}\[%{NUMBER:pid}\]\:\s+%{GREEDYDATA:log_message}"
                ]
            }
        }
    }

I need to parse these logs into Kibana in the format below, with syslog_date having the current year appended to it.

Current Format:

{
  "log_message" => "Starting system activity accounting tool...",
  "@timestamp" => August 28th 2019, 23:49:53.014,
  "node"        => "localhost",
  "@version"   => "1",
  "host"       => "localhost.localdomain",
  "pid"        => "1",
  "message"    => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
  "type"       => "stdin",
  "component_name"  => "systemd",
  "SYSLOGTIMESTAMP:syslog_date"  => "Apr 26 12:20:02"
}

Required format :

{
  "log_message" => "Starting system activity accounting tool...",
  "@timestamp" => August 28th 2019, 23:49:53.014,
  "node"        => "localhost",
  "@version"   => "1",
  "host"       => "localhost.localdomain",
  "pid"        => "1",
  "message"    => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
  "type"       => "stdin",
  "component_name"  => "systemd",
  "SYSLOGTIMESTAMP:syslog_date"  => "Apr 26 2019 12:20:02"
}

Can anyone help with it, or suggest any other way to fulfill this scenario?


Solution

  • You can add the "current" year according to the @timestamp field in Logstash using

    mutate { add_field => { "dateWithYear" => "%{[syslog_date]} %{+YYYY}" } }
    

    However, there are going to be times (just after midnight on December 31st) when that is the wrong year. The date filter has some handling for this, and there has been discussion about changing that.
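The rollover problem the answer points at is what makes a plain `%{+YYYY}` append risky for forensic timelines: a line stamped "Dec 31 23:59:58" that is received a few seconds after midnight gets next year's date and moves a year into the future. The following is an added example, not code from the question, the answer or the Logstash project. It implements one year-inference rule as a plain Ruby function, the language of Logstash's `ruby` filter, so it can be run stand-alone on the timestamps shown above; the rule (try the current year, fall back to the previous year when the result lands more than a day ahead of the reference time), the `future_slack` parameter and the function names are my own choices, not the date filter's exact logic. The sample timestamps at the bottom are constructed from the values in the question.

```ruby
# Month abbreviations of the BSD syslog timestamp (RFC 3164 "Mmm dd hh:mm:ss").
SYSLOG_MONTHS = %w[Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec].freeze

# Matches "Apr 26 12:20:02" and the space-padded single-digit day form "Jan  5 03:04:05".
SYSLOG_DATE_RE = /\A(?<mon>[A-Z][a-z]{2})\s+(?<day>\d{1,2})\s+(?<hh>\d{2}):(?<mm>\d{2}):(?<ss>\d{2})\z/

# Attach a year to a year-less syslog timestamp such as "Apr 26 12:20:02".
#
# `now` is the reference time. In Logstash that should be the event's @timestamp
# (when the event was received), not the wall clock, so that a log file replayed
# weeks later is still placed in the right year.
# Rule (my assumption, not the date filter's exact logic): try the current year
# first; if that lands more than `future_slack` seconds ahead of `now`, the line
# must have been written in the previous year (the December 31 / January 1 case).
# Returns a UTC Time; raises ArgumentError for unparsable or impossible dates.
def syslog_time_with_year(syslog_date, now, future_slack: 24 * 3600)
  m = SYSLOG_DATE_RE.match(syslog_date)
  raise ArgumentError, "not a syslog timestamp: #{syslog_date.inspect}" unless m
  month = SYSLOG_MONTHS.index(m[:mon])
  raise ArgumentError, "unknown month: #{m[:mon]}" unless month
  month += 1

  # Candidate for one year, or nil if the day does not exist in that year
  # (Ruby rolls "Apr 31" into May instead of failing, so compare the month back).
  build = lambda do |year|
    t = Time.utc(year, month, m[:day].to_i, m[:hh].to_i, m[:mm].to_i, m[:ss].to_i)
    t.month == month ? t : nil
  end

  candidates = [now.year, now.year - 1].map { |y| build.call(y) }.compact
  t = candidates.find { |c| c - now <= future_slack }
  raise ArgumentError, "cannot place #{syslog_date.inspect} relative to #{now.getutc}" unless t
  t
end

# The same value rendered in the "Apr 26 2019 12:20:02" shape asked for in the question.
def syslog_date_with_year(syslog_date, now)
  syslog_time_with_year(syslog_date, now).strftime('%b %-d %Y %H:%M:%S')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the syslog_date from the question next to the @timestamp shown with it.
  puts syslog_date_with_year('Apr 26 12:20:02', Time.utc(2019, 8, 28, 23, 49, 53))
  # Constructed rollover sample: stamped just before midnight, received just after New Year.
  puts syslog_date_with_year('Dec 31 23:59:58', Time.utc(2020, 1, 1, 0, 0, 5))
  # Constructed clock-skew sample: a few seconds "in the future" stays in the current year.
  puts syslog_date_with_year('Jan 1 00:00:10', Time.utc(2020, 1, 1, 0, 0, 5))
end
```

Inside a pipeline this logic would live in a `ruby { code => "..." }` filter that reads `event.get('syslog_date')` and `event.get('@timestamp').time` and writes the result back with `event.set`. If the goal is only a correct `@timestamp` rather than a rewritten `syslog_date` string, the more conventional route is a `date` filter with the patterns `"MMM  d HH:mm:ss"` and `"MMM dd HH:mm:ss"`, which is where the year handling the answer mentions lives. Either way, the sender's own timestamp and the receive-time `@timestamp` are two different facts; keep both on the event rather than overwriting one with the other.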