Class: LogStash::Inputs::Syslog
- Inherits: Base
  - Object
  - Base
  - LogStash::Inputs::Syslog
- Defined in: lib/logstash/inputs/syslog.rb
Overview
Read syslog messages as events over the network.
This input is a good choice if you already use syslog today. It is also a good choice if you want to receive logs from appliances and network devices where you cannot run your own log collector.
Of course, "syslog" is a very muddy term. This input only supports `RFC3164` syslog with some small modifications. The date format is allowed to be `RFC3164` style or `ISO8601`. Otherwise the rest of `RFC3164` must be obeyed. If you do not use `RFC3164`, do not use this input.
For more information see the RFC3164 page: www.ietf.org/rfc/rfc3164.txt
Note: This input will start listeners on both TCP and UDP.
Instance Method Summary
- #initialize(params) ⇒ Syslog (constructor): A new instance of Syslog.
- #register ⇒ Object
- #run(output_queue) ⇒ Object
- #stop ⇒ Object
- #syslog_relay(event) ⇒ Object
Constructor Details
#initialize(params) ⇒ Syslog
Returns a new instance of Syslog.
# File 'lib/logstash/inputs/syslog.rb', line 67
def initialize(params)
  super
  BasicSocket.do_not_reverse_lookup = true
end
Instance Method Details
#register ⇒ Object
# File 'lib/logstash/inputs/syslog.rb', line 73
def register
  require "thread_safe"
  @grok_filter = LogStash::Filters::Grok.new(
    "overwrite" => "message",
    "match" => { "message" => "<%{POSINT:priority}>%{SYSLOGLINE}" },
    "tag_on_failure" => ["_grokparsefailure_sysloginput"],
  )

  @date_filter = LogStash::Filters::Date.new(
    "match" => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"],
    "locale" => @locale,
    "timezone" => @timezone,
  )

  @grok_filter.register
  @date_filter.register

  @tcp_sockets = ThreadSafe::Array.new
  @tcp = @udp = nil
end
#run(output_queue) ⇒ Object
# File 'lib/logstash/inputs/syslog.rb', line 95
def run(output_queue)
  udp_thr = Thread.new(output_queue) do |output_queue|
    server(:udp, output_queue)
  end

  tcp_thr = Thread.new(output_queue) do |output_queue|
    server(:tcp, output_queue)
  end

  # If we exit and we're the only input, the agent will think no inputs
  # are running and initiate a shutdown.
  udp_thr.join
  tcp_thr.join
end
#stop ⇒ Object
# File 'lib/logstash/inputs/syslog.rb', line 195
def stop
  close_udp
  close_tcp
end
#syslog_relay(event) ⇒ Object
# File 'lib/logstash/inputs/syslog.rb', line 225
def syslog_relay(event)
  @grok_filter.filter(event)

  if event["tags"].nil? || !event["tags"].include?(@grok_filter.tag_on_failure)
    # Per RFC3164, priority = (facility * 8) + severity
    #                       = (facility << 3) | severity
    priority = event["priority"].to_i rescue 13
    severity = priority & 7   # 7 is 111 (3 bits)
    facility = priority >> 3
    event["priority"] = priority
    event["severity"] = severity
    event["facility"] = facility

    event["timestamp"] = event["timestamp8601"] if event.include?("timestamp8601")
    @date_filter.filter(event)
  else
    @logger.info? && @logger.info("NOT SYSLOG", :message => event["message"])

    # RFC3164 says unknown messages get pri=13
    priority = 13
    event["priority"] = 13
    event["severity"] = 5 # 13 & 7 == 5
    event["facility"] = 1 # 13 >> 3 == 1
  end

  # Apply severity and facility metadata if
  # use_labels => true
  if @use_labels
    facility_number = event["facility"]
    severity_number = event["severity"]

    if @facility_labels[facility_number]
      event["facility_label"] = @facility_labels[facility_number]
    end

    if @severity_labels[severity_number]
      event["severity_label"] = @severity_labels[severity_number]
    end
  end
end
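The following is an added, stand-alone example and is not code from the logstash-input-syslog plugin. It reproduces in plain Ruby what the overview's RFC3164 constraints and `syslog_relay` imply: a line is accepted only if it carries a `<PRI>` header followed by an RFC3164 or ISO8601 timestamp, the priority is split into facility (`priority >> 3`) and severity (`priority & 7`), anything unparseable is tagged and assigned `<13>` (facility 1, severity 5), and labels are attached only when the number has one. The regular expression is a simplified stand-in for the grok pattern `<%{POSINT:priority}>%{SYSLOGLINE}`, the label tables are taken from RFC3164 rather than from the plugin's `@facility_labels`/`@severity_labels` options, and the sample lines are constructed (the first two are the RFC's own illustrative messages).

```ruby
require "time"

# Labels per RFC3164 section 4.1.1 Tables 1 and 2 (assumption: the plugin's own
# configurable label arrays are not shown on this page).
FACILITY_LABELS = ["kernel", "user-level", "mail", "system", "security/authorization",
  "syslogd", "line printer", "network news", "UUCP", "clock", "security/authorization",
  "FTP", "NTP", "log audit", "log alert", "clock", "local0", "local1", "local2",
  "local3", "local4", "local5", "local6", "local7"].freeze
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
  "Informational", "Debug"].freeze
FAILURE_TAG = "_grokparsefailure_sysloginput"

# Simplified stand-in for <%{POSINT:priority}>%{SYSLOGLINE}: PRI, then either an
# RFC3164 "Mmm dd hh:mm:ss" or an ISO8601 timestamp, a host, an optional
# "prog[pid]:" tag, and the free-text message.
RFC3164_TS = /[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d/
ISO8601_TS = /\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:?\d\d)?/
SYSLOG_LINE = /\A<(?<pri>\d{1,3})>(?:(?<ts>#{RFC3164_TS})|(?<ts8601>#{ISO8601_TS})) (?<host>\S+) (?:(?<prog>[^\s:\[]+)(?:\[(?<pid>\d+)\])?: )?(?<msg>.*)\z/m

# RFC3164 timestamps carry no year; like the plugin's Date filter this assumes
# the current year. Returns nil when the timestamp cannot be parsed.
def parse_timestamp(ts, ts8601)
  return Time.iso8601(ts8601) if ts8601
  Time.strptime("#{Time.now.year} #{ts.squeeze(' ')}", "%Y %b %d %H:%M:%S")
rescue ArgumentError
  nil
end

# Turn one raw line into an event hash shaped like the plugin's output.
def parse_syslog(line, use_labels: true)
  event = { "message" => line, "tags" => [] }
  m = SYSLOG_LINE.match(line)
  if m
    priority = m[:pri].to_i
    event["timestamp"] = m[:ts8601] || m[:ts]
    event["logsource"] = m[:host]
    event["program"] = m[:prog] if m[:prog]
    event["pid"] = m[:pid].to_i if m[:pid]
    event["message"] = m[:msg]
    at = parse_timestamp(m[:ts], m[:ts8601])
    if at
      event["@timestamp"] = at
    else
      event["tags"] << "_dateparsefailure"
    end
  else
    # RFC3164 section 4.3.3: a message without a readable PRI is relayed as <13>.
    event["tags"] << FAILURE_TAG
    priority = 13
  end

  event["priority"] = priority
  event["severity"] = priority & 7   # low three bits
  event["facility"] = priority >> 3  # everything above them

  # Mirror use_labels => true: a label is attached only if the number has one,
  # so a PRI above 191 (facility >= 24) simply gets no facility_label.
  if use_labels
    fl = FACILITY_LABELS[event["facility"]]
    sl = SEVERITY_LABELS[event["severity"]]
    event["facility_label"] = fl if fl
    event["severity_label"] = sl if sl
  end
  event
end

# Constructed sample input: two RFC example lines, one non-syslog line, and one
# line with an out-of-range PRI and no program tag.
SAMPLE_LINES = [
  "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
  "<165>2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc[8710]: %% It's time to make the do-nuts.",
  "not syslog at all",
  "<200>Oct  5 22:14:15 host no-prog-here",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |l| p parse_syslog(l) }
end
```

Running the file prints one event hash per sample line; the third line shows the `<13>` fallback and the failure tag that the plugin's `else` branch produces, and the fourth shows why `syslog_relay` checks `@facility_labels[facility_number]` before assigning a label.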