logstash, logstash-grok

Grok pattern for timestamp with timezone


I am receiving syslog messages in Logstash with a timestamp like this:

Jan 11 17:02:09+01:00

I'd like to know which Grok pattern I should use to parse it.

I have tried with %{SYSLOGTIMESTAMP:syslog_timestamp}, but it doesn't work. I'm new to Logstash, and I don't know how to deal with the timezone part.


Solution

  • You can define a custom pattern that extends SYSLOGTIMESTAMP.

    grok {
        pattern_definitions => { "TIMESTAMPWITHTZ" => "%{SYSLOGTIMESTAMP}[-+]\d{2}:\d{2}" }
        match => { "message" => "%{TIMESTAMPWITHTZ:[@metadata][timestamp]}" }
    }
    date { match => [ "[@metadata][timestamp]", "MMM dd HH:mm:ssZZ", "MMM  d HH:mm:ssZZ" ] }

    Note that syslog timestamps do not include the year. Logstash has heuristics to work around this (e.g. if the current date is in January and the log entry is from December then assume it is from the prior year). The heuristics are not perfect and sometimes will assign the wrong year.