Tags: logstash, elastic-stack, logstash-grok, logstash-configuration, elk

How to parse syslog message using logstash


Hi, I have a syslog made up of two events:

Jul  6 13:24:27 NODE1 zeus.eventd[14176]: pools/POOL nodes/IP:3000 nodefail Node NODE2 has failed - A monitor has detected a failure

Jul  6 13:24:34 NODE1 zeus.eventd[14176]: pools/POOL nodes/IP:3000 nodeworking Node NODE2 is working again

I would like to pull NODE2 from the syslog and add it as a field in the index, along with nodefail/nodeworking.

Currently my input/grok is:

    syslog {
      grok_pattern => "%{SYSLOGLINE}"
    }

with no filter; however, all of the info I need is populated in a "message" field, so I am unable to use it in Elastic.

I know the position of what I want in the syslog line; I just need to pull it out and add it as a field.

Is anyone able to show me the input/filter config I need in order to achieve this?

Thanks,

TheCube

Edit: The message fields look like this:

zeus.eventd 14176 - - SERIOUS   pools/POOL  nodes/IP:3000   nodefail    Node NODENAME has failed - A monitor has detected a failure
zeus.eventd 14176 - - INFO  pools/POOL  nodes/IP:3000   nodeworking Node NODENAME is working again

Solution

  • You can use the dissect filter plugin on the message field created while parsing with %{SYSLOGLINE}:

    dissect {
      mapping => {
        "message" => "%{} %{} %{status} %{} %{node_name} %{}"
      }
    }
    

    Or a second grok filter, applied on the message field created while parsing with %{SYSLOGLINE}, with this pattern:

    ^pools/POOL nodes/IP:\d+ %{WORD:status} Node %{WORD:node_name}
    

    In both cases, with the logs given in your question, you get these results:

    "status":"nodefail"
    "node_name":"NODE2"
    
    "status":"nodeworking"
    "node_name":"OFSVDBM101"
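A complete pipeline built on the grok route from the answer above, as an added example that is not part of the original answer. It deliberately does not anchor on `^pools/` and does not rely on single spaces: the message fields shown in the question's edit start with `zeus.eventd 14176 - - SERIOUS` and contain runs of spaces, so an anchored, single-space pattern would not match them. The listen port 5514, the Elasticsearch host and index name, the `_zeus_unparsed` tag and the `severity`, `pool`, `node_ip` and `node_port` field names are assumptions chosen for this example.

```logstash
input {
  syslog {
    port => 5514
    # Same parse as in the question: SYSLOGLINE fills "program", "pid",
    # "logsource" and "timestamp"; the free-text body lands in "message".
    grok_pattern => "%{SYSLOGLINE}"
  }
}

filter {
  # Only the event daemon's lines carry the pools/.../nodes/... layout,
  # so the second parse is guarded on "program" (assumed to be set by SYSLOGLINE).
  if [program] == "zeus.eventd" {
    grok {
      match => {
        # Unanchored: the message may still carry the "zeus.eventd 14176 - - SERIOUS"
        # prefix seen in the question's edit. \s+ absorbs the repeated spaces.
        # "severity" is optional so the original single-space lines match too.
        "message" => "(?:%{WORD:severity}\s+)?pools/%{NOTSPACE:pool}\s+nodes/(?<node_ip>[^:\s]+):%{POSINT:node_port}\s+%{WORD:status}\s+Node\s+%{WORD:node_name}"
      }
      # A line that does not match is tagged rather than silently passed through,
      # so unexpected formats stay visible in the index instead of vanishing.
      tag_on_failure => ["_zeus_unparsed"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed endpoint
    index => "zeus-%{+YYYY.MM.dd}"       # assumed index name
  }
}
```

With the two lines from the question, the first event gets `status => nodefail` and `node_name => NODE2`, the second `status => nodeworking` and `node_name => NODE2`; on the edited message format the same fields are filled and `severity` additionally holds `SERIOUS` or `INFO`. Keeping `status` and `node_name` as separate keyword fields is what lets an alert or dashboard distinguish a `nodefail` from a `nodeworking` per node rather than searching the free-text message.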