Class: LogStash::Inputs::Syslog

Inherits:
Base
  • Object
Defined in:
lib/logstash/inputs/syslog.rb

Overview

Read syslog messages as events over the network.

This input is a good choice if you already use syslog today. It is also a good choice if you want to receive logs from appliances and network devices where you cannot run your own log collector.

Of course, `syslog` is a very muddy term. This input only supports `RFC3164` syslog with some small modifications. The date format is allowed to be `RFC3164` style or `ISO8601`. Otherwise the rest of `RFC3164` must be obeyed. If you do not use `RFC3164`, do not use this input.

For more information see the RFC3164 page (www.ietf.org/rfc/rfc3164.txt).

Note: This input will start listeners on both TCP and UDP.

Instance Method Summary

Constructor Details

#initialize(params) ⇒ Syslog

Returns a new instance of Syslog.



# File 'lib/logstash/inputs/syslog.rb', line 71

# Creates the input and hands +params+ to the base input class.
#
# @param params [Hash] plugin configuration, passed through to the base input
# @return [Syslog]
def initialize(params)
  super
  # Class-level socket setting (BasicSocket, so it applies to every socket in
  # the process, not only this input's listeners): do not reverse-resolve peer
  # addresses. Each accepted connection would otherwise pay a blocking DNS
  # round-trip before the line could be read.
  BasicSocket.do_not_reverse_lookup = true
end

Instance Method Details

#register ⇒ Object



# File 'lib/logstash/inputs/syslog.rb', line 77

# Prepares the helper filters and shared state used by the listeners.
#
# The grok filter only accepts lines that start with a `<PRI>` prefix
# followed by a SYSLOGLINE; anything else is left in "message" and tagged
# `_grokparsefailure_sysloginput` rather than dropped. The date filter
# accepts the two RFC3164 timestamp layouts plus ISO8601, using the
# configured @locale and @timezone.
#
# @return [void]
def register
  @metric_errors = metric.namespace(:errors)
  require "thread_safe"

  grok_settings = {
    "overwrite" => "message",
    "match" => { "message" => "<%{POSINT:priority}>%{SYSLOGLINE}" },
    "tag_on_failure" => ["_grokparsefailure_sysloginput"],
  }
  date_settings = {
    "match" => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"],
    "locale" => @locale,
    "timezone" => @timezone,
  }

  @grok_filter = LogStash::Filters::Grok.new(grok_settings)
  @date_filter = LogStash::Filters::Date.new(date_settings)
  [@grok_filter, @date_filter].each(&:register)

  # Accepted TCP client sockets, shared between the accept loop and #stop.
  @tcp_sockets = ThreadSafe::Array.new
  @tcp = @udp = nil
end

#run(output_queue) ⇒ Object



# File 'lib/logstash/inputs/syslog.rb', line 100

# Starts one listener thread per transport (UDP, then TCP) and blocks until
# both have finished.
#
# @param output_queue [Queue] queue that decoded events are pushed to
# @return [void]
def run(output_queue)
  listeners = [:udp, :tcp].map do |protocol|
    Thread.new(output_queue) { |queue| server(protocol, queue) }
  end

  # Stay here rather than return: if this is the only input and run
  # finished, the agent would conclude no inputs are running and begin a
  # shutdown.
  listeners.each(&:join)
end

#stop ⇒ Object



# File 'lib/logstash/inputs/syslog.rb', line 223

# Shuts the input down: the UDP listener is closed first, then the TCP side.
# close_udp and close_tcp are defined outside this listing.
#
# @return [void]
def stop
  close_udp
  close_tcp
end

#syslog_relay(event) ⇒ Object



# File 'lib/logstash/inputs/syslog.rb', line 253

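# Turns a freshly received line into a syslog event, in place.
#
# The raw line in "message" is run through the grok filter built in
# #register. When grok succeeds the numeric PRI is split into facility and
# severity and the timestamp is parsed; when it fails the RFC3164 default
# PRI 13 (facility 1, severity 5) is applied and the unknown-message metric
# is incremented. With @use_labels set, facility_label / severity_label are
# added from the @facility_labels / @severity_labels tables.
#
# @param event [LogStash::Event] event carrying the raw line in "message";
#   mutated in place
# @return [void]
def syslog_relay(event)
  @grok_filter.filter(event)

  tags = event.get("tags")
  # tag_on_failure is configured as an array in #register. Array#include?
  # with an Array argument looks for the array itself as an element, so the
  # value is normalised and each failure tag is tested individually.
  failure_tags = Array(@grok_filter.tag_on_failure)
  grok_failed = !tags.nil? && failure_tags.any? { |tag| tags.include?(tag) }

  if grok_failed
    @logger.debug("NOT SYSLOG", :message => event.get("message")) if @logger.debug?

    # RFC3164 says unknown messages get pri=13
    event.set("priority", 13)
    event.set("severity", 5)   # 13 & 7 == 5
    event.set("facility", 1)   # 13 >> 3 == 1
    metric.increment(:unknown_messages)
  else
    # Per RFC3164, priority = (facility * 8) + severity, i.e. the low three
    # bits hold the severity and the remaining bits hold the facility.
    raw_priority = event.get("priority")
    # Grok captures "priority" as a digit string; anything that cannot be
    # coerced falls back to the RFC3164 default rather than raising.
    priority = raw_priority.respond_to?(:to_i) ? raw_priority.to_i : 13
    severity = priority & 7   # 7 is 111 (3 bits)
    facility = priority >> 3
    event.set("priority", priority)
    event.set("severity", severity)
    event.set("facility", facility)

    event.set("timestamp", event.get("timestamp8601")) if event.include?("timestamp8601")
    @date_filter.filter(event)
  end

  # Apply severity and facility metadata if use_labels => true.
  # POSINT is not bounded to the RFC3164 PRI range (0..191); a facility or
  # severity outside the label tables simply gets no label.
  return unless @use_labels

  facility_label = @facility_labels[event.get("facility")]
  severity_label = @severity_labels[event.get("severity")]
  event.set("facility_label", facility_label) if facility_label
  event.set("severity_label", severity_label) if severity_label
end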