Class: LogStash::Inputs::Syslog

Inherits:
Base
  • Object
Defined in:
lib/logstash/inputs/syslog.rb

Overview

Read syslog messages as events over the network.

This input is a good choice if you already use syslog today. It is also a good choice if you want to receive logs from appliances and network devices where you cannot run your own log collector.

Of course, ‘syslog’ is a very muddy term. This input supports only RFC3164 syslog, with one relaxation: the timestamp may be in RFC3164 form or in ISO8601 form. Everything else in the message must follow RFC3164. If your senders do not emit RFC3164, do not use this input.

For more information see the RFC3164 page at www.ietf.org/rfc/rfc3164.txt.

Note: This input will start listeners on both TCP and UDP.
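The wire format described above, as an added example that is not part of the plugin: a parser for the `<PRI>` + header shape this input expects (PRI, an RFC3164 or ISO8601 timestamp, a host, an optional `program[pid]:` tag, then the content), modelled on the `<%{POSINT:priority}>%{SYSLOGLINE}` pattern shown in #initialize. The module name, the returned hash and the sample lines are assumptions; the sample lines are constructed (the first is adapted from the example in RFC3164 section 5.4). A line that does not fit this shape is returned as nil, which is the case the plugin tags with `_grokparsefailure_sysloginput`. Note that this parser accepts `<0>` (kernel emergency); the grok POSINT pattern matches only integers with a non-zero leading digit, so it is worth checking how your deployment handles a `<0>` message.

```ruby
# Added example, not the plugin's own code: parse the RFC3164 header shape
# this input accepts. Names below are assumptions made for this example.
module Rfc3164Parser
  MONTH      = '(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)'
  # "Mmm dd hh:mm:ss"; RFC3164 pads a single-digit day with a space, and the
  # input also tolerates an unpadded single digit ("MMM d HH:mm:ss").
  RFC3164_TS = "#{MONTH} [ 0-3]?\\d \\d{2}:\\d{2}:\\d{2}"
  # ISO8601 with optional fraction and optional zone, the relaxation this input allows.
  ISO8601_TS = '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?'

  HEADER = Regexp.new(
    '\A<(?<pri>0|[1-9]\d{0,2})>' \
    "(?<timestamp>#{RFC3164_TS}|#{ISO8601_TS}) " \
    '(?<host>[^\s]+) ' \
    '(?:(?<program>[^\s\[:]+)(?:\[(?<pid>\d+)\])?: )?' \
    '(?<message>.*)\z',
    Regexp::MULTILINE
  )

  # Returns a Hash of the header fields, or nil when the line is not RFC3164 as
  # this input understands it. PRI is returned as-is; RFC3164 only defines
  # values 0..191, and a caller should treat anything larger as unknown.
  def self.parse(line)
    m = HEADER.match(line.chomp)
    return nil unless m
    {
      'priority'  => m[:pri].to_i,
      'timestamp' => m[:timestamp],
      'host'      => m[:host],
      'program'   => m[:program],
      'pid'       => m[:pid] && m[:pid].to_i,
      'message'   => m[:message],
    }
  end

  # Constructed sample lines for a stand-alone run.
  SAMPLES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>Oct  1 02:03:04 10.1.2.3 nginx[4242]: GET /index.html 200",
    "<13>2023-10-11T22:14:15.003Z fw01 kernel: accepted tcp 10.0.0.5 -> 10.0.0.9:443",
    "<34>1 2023-10-11T22:14:15Z host app - - - RFC5424 header, not RFC3164",
    "Use the BFG!",
  ].freeze
end

if __FILE__ == $0
  Rfc3164Parser::SAMPLES.each { |l| p(Rfc3164Parser.parse(l)) }
end
```

The two rejected samples show the two common failure modes: a message with no header at all, and an RFC5424 message (version digit after the PRI), which this input does not speak even though it begins with a syntactically valid `<PRI>`.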

Constant Summary

GROK_FAILURE_TAG =
"_grokparsefailure_sysloginput"

Instance Method Summary

Constructor Details

#initialize(*params) ⇒ Syslog

Returns a new instance of Syslog.


# File 'lib/logstash/inputs/syslog.rb', line 88

def initialize(*params)
  super

  @priority_key = ecs_select[disabled:'priority', v1:'[log][syslog][priority]']
  @facility_key = ecs_select[disabled:'facility', v1:'[log][syslog][facility][code]']
  @severity_key = ecs_select[disabled:'severity', v1:'[log][syslog][severity][code]']

  @facility_label_key = ecs_select[disabled:'facility_label', v1:'[log][syslog][facility][name]']
  @severity_label_key = ecs_select[disabled:'severity_label', v1:'[log][syslog][severity][name]']

  @host_key = ecs_select[disabled:'host', v1:'[host][ip]']

  @grok_pattern ||= ecs_select[
      disabled:"<%{POSINT:#{@priority_key}}>%{SYSLOGLINE}",
      v1:"<%{POSINT:#{@priority_key}:int}>%{SYSLOGLINE}"
  ]

  @grok_filter = LogStash::Filters::Grok.new(
      "overwrite" => @syslog_field,
      "match" => { @syslog_field => @grok_pattern },
      "tag_on_failure" => [GROK_FAILURE_TAG],
      "ecs_compatibility" => ecs_compatibility # use ecs-compliant patterns
  )

  @grok_filter_exec = ecs_select[
      disabled: -> (event) { @grok_filter.filter(event) },
      v1: -> (event) {
        event.set('[event][original]', event.get(@syslog_field))
        @grok_filter.filter(event)
        set_service_fields(event)
      }
  ]

  @date_filter = LogStash::Filters::Date.new(
      "match" => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "ISO8601"],
      "locale" => @locale,
      "timezone" => @timezone,
  )

  @date_filter_exec = ecs_select[
      disabled: -> (event) {
        # in legacy (non-ecs) mode we used to match (SYSLOGBASE2) timestamp into two fields
        event.set("timestamp", event.get("timestamp8601")) if event.include?("timestamp8601")
        @date_filter.filter(event)
      },
      v1: -> (event) {
        @date_filter.filter(event)
        event.remove('timestamp')
      }
  ]
end
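The timestamp handling configured above, as an added example that is not the plugin's code: #initialize feeds the matched `timestamp` (or, in legacy mode, `timestamp8601`) to a date filter with the patterns `MMM dd HH:mm:ss`, `MMM  d HH:mm:ss`, `MMM d HH:mm:ss` and `ISO8601`, interpreted in the configured `timezone`. This example normalises those same forms into a Ruby Time: a zone carried by an ISO8601 value wins, otherwise the configured offset applies, and the year that RFC3164 omits is inferred. The module name, the `utc_offset:` keyword and the "more than a day in the future means last year" rollover rule are assumptions of this example, not the date filter's own logic.

```ruby
# Added example, not the plugin's own code: normalise the timestamp forms
# this input accepts. Function names and the year-rollover rule are assumptions.
module SyslogTimestamp
  MONTHS  = %w[Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec].freeze
  # "MMM dd", "MMM  d" and "MMM d" all collapse into one pattern via \s+.
  RFC3164 = /\A(?<mon>[A-Z][a-z]{2})\s+(?<day>\d{1,2}) (?<hh>\d{2}):(?<mi>\d{2}):(?<ss>\d{2})\z/
  ISO8601 = /\A(?<y>\d{4})-(?<mo>\d{2})-(?<d>\d{2})T(?<hh>\d{2}):(?<mi>\d{2}):(?<ss>\d{2}(?:\.\d+)?)(?<zone>Z|[+-]\d{2}:?\d{2})?\z/

  # Time.new wants "+HH:MM"; accept "Z" and "+HHMM" as well.
  def self.normalize_zone(z)
    return '+00:00' if z == 'Z'
    z.include?(':') ? z : "#{z[0, 3]}:#{z[3, 2]}"
  end

  # utc_offset: zone applied when the timestamp carries none (the plugin's
  # `timezone` setting plays this role). now: the collector's clock, used
  # only to supply the year that RFC3164 timestamps lack.
  def self.parse(str, now: Time.now.utc, utc_offset: '+00:00')
    if (m = ISO8601.match(str))
      zone = m[:zone] ? normalize_zone(m[:zone]) : utc_offset
      return Time.new(m[:y].to_i, m[:mo].to_i, m[:d].to_i,
                      m[:hh].to_i, m[:mi].to_i, m[:ss].to_r, zone)
    end
    m = RFC3164.match(str)
    return nil unless m
    mon = MONTHS.index(m[:mon])
    return nil unless mon
    build = ->(year) { Time.new(year, mon + 1, m[:day].to_i, m[:hh].to_i, m[:mi].to_i, m[:ss].to_i, utc_offset) }
    t = build.call(now.year)
    # No year on the wire: assume the current one, unless that puts the event
    # more than a day ahead of the collector (a "Dec 31" message read on Jan 1).
    t = build.call(now.year - 1) if t > now + 86_400
    t
  rescue ArgumentError
    nil # e.g. a day number that does not exist in that month
  end
end

if __FILE__ == $0
  now = Time.utc(2023, 10, 12)
  ['Oct 11 22:14:15', 'Oct  1 02:03:04', '2023-10-11T22:14:15.003Z', 'bogus'].each do |s|
    puts "#{s.inspect} -> #{SyslogTimestamp.parse(s, now: now, utc_offset: '+02:00').inspect}"
  end
end
```

The practical point is the second argument: a device that stamps local time without a zone is only correctly ordered against other sources if `timezone` matches the device, not the collector.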

Instance Method Details

#register ⇒ Object

# File 'lib/logstash/inputs/syslog.rb', line 140

def register
  @metric_errors = metric.namespace(:errors)

  @grok_filter.register
  @date_filter.register

  @tcp_sockets = Concurrent::Array.new
  @tcp = @udp = nil
end

#run(output_queue) ⇒ Object

# File 'lib/logstash/inputs/syslog.rb', line 152

def run(output_queue)
  udp_thr = Thread.new(output_queue) do |output_queue|
    server(:udp, output_queue)
  end

  tcp_thr = Thread.new(output_queue) do |output_queue|
    server(:tcp, output_queue)
  end

  # If we exit and we're the only input, the agent will think no inputs
  # are running and initiate a shutdown.
  udp_thr.join
  tcp_thr.join
end

#stop ⇒ Object

See Also:

  • Plugin#close


# File 'lib/logstash/inputs/syslog.rb', line 300

def stop
  close_udp
  close_tcp
end

#syslog_relay(event) ⇒ Object

Following RFC3164 where it is sane to do so, this tries to parse a received message as if a syslog relay had forwarded it. If the message is not recognized (see @grok_filter), the whole received line is kept as the message and the missing pieces (host, priority, etc.) are filled in with defaults.

# File 'lib/logstash/inputs/syslog.rb', line 343

def syslog_relay(event)
  @grok_filter_exec.(event)

  if event.get("tags").nil? || !event.get("tags").include?(GROK_FAILURE_TAG)
    # Per RFC3164, priority = (facility * 8) + severity
    #                       = (facility << 3) | severity
    priority = if event.include?(@priority_key)
                 event.get(@priority_key).to_i rescue 13
               else
                 13
               end
    set_priority event, priority

    @date_filter_exec.(event)

  else
    @logger.debug? && @logger.debug("un-matched syslog message", :message => event.get("message"))

    # RFC3164 says unknown messages get pri=13
    set_priority event, 13
    metric.increment(:unknown_messages)
  end

  # Apply severity and facility metadata if use_labels => true
  set_labels(event) if @use_labels
end
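The priority handling of #syslog_relay together with the ECS field selection made in #initialize, as an added example that is not the plugin's code. It decodes `<PRI>` into facility and severity codes (priority = facility * 8 + severity, so facility is `pri >> 3` and severity is `pri & 7`), writes them under the legacy or ECS v1 field names shown in #initialize, attaches labels when `use_labels` is on, and falls back to priority 13 for an unrecognised header. It also adds a check the page's code does not show: RFC3164 defines only 0..191, so an out-of-range PRI such as `<999>` is treated as unrecognised here rather than producing facility 124. The module name, the `apply`/`decode` functions, the tagging in the fallback path and the plain-Hash event are assumptions; the label strings are the RFC3164 section 4.1.1 names and may not be the plugin's own.

```ruby
# Added example, not the plugin's own code: priority decoding, field naming
# per ecs_compatibility, labels and the RFC3164 pri=13 fallback.
module SyslogPriority
  GROK_FAILURE_TAG = '_grokparsefailure_sysloginput'
  DEFAULT_PRIORITY = 13 # RFC3164 4.3.3: facility 1 (user-level), severity 5 (notice)

  # RFC3164 section 4.1.1 names (assumption: the plugin's own label strings may differ).
  FACILITY_NAMES = (['kernel', 'user-level', 'mail', 'system', 'security/authorization',
                     'syslogd', 'line printer', 'network news', 'UUCP', 'clock',
                     'security/authorization', 'FTP', 'NTP', 'log audit', 'log alert',
                     'clock'] + (0..7).map { |i| "local#{i}" }).freeze
  SEVERITY_NAMES = %w[Emergency Alert Critical Error Warning Notice Informational Debug].freeze

  # Field names per ecs_compatibility, as selected in #initialize on this page.
  FIELDS = {
    disabled: { priority: 'priority', facility: 'facility', severity: 'severity',
                facility_label: 'facility_label', severity_label: 'severity_label' },
    v1:       { priority: '[log][syslog][priority]',
                facility: '[log][syslog][facility][code]',
                severity: '[log][syslog][severity][code]',
                facility_label: '[log][syslog][facility][name]',
                severity_label: '[log][syslog][severity][name]' },
  }.freeze

  # priority = (facility << 3) | severity, facility 0..23 and severity 0..7,
  # so the only valid PRI values are 0..191. Returns [facility, severity] or nil.
  def self.decode(priority)
    return nil unless priority.is_a?(Integer) && (0..191).cover?(priority)
    [priority >> 3, priority & 7]
  end

  # event: a Hash of fields. priority: the Integer parsed from "<PRI>", or nil
  # when the header did not match (the grok-failure path of #syslog_relay).
  def self.apply(event, priority, ecs: :disabled, use_labels: true)
    f = FIELDS.fetch(ecs)
    facility, severity = decode(priority)
    if facility.nil?
      # Unrecognised header, or a PRI outside 0..191: RFC3164 says assume 13.
      tags = (event['tags'] ||= [])
      tags << GROK_FAILURE_TAG unless tags.include?(GROK_FAILURE_TAG)
      priority = DEFAULT_PRIORITY
      facility, severity = decode(priority)
    end
    event[f[:priority]] = priority
    event[f[:facility]] = facility
    event[f[:severity]] = severity
    if use_labels
      event[f[:facility_label]] = FACILITY_NAMES[facility]
      event[f[:severity_label]] = SEVERITY_NAMES[severity]
    end
    event
  end
end

if __FILE__ == $0
  # Constructed sample events: a matched auth message, an unmatched line, an out-of-range PRI.
  p SyslogPriority.apply({ 'message' => "su: 'su root' failed" }, 34)
  p SyslogPriority.apply({ 'message' => 'not syslog at all' }, nil, ecs: :v1)
  p SyslogPriority.apply({ 'message' => 'oversized pri' }, 999)
end
```

When hunting in the resulting events, remember that a `_grokparsefailure_sysloginput` tag plus facility 1 / severity 5 is what an unparseable line looks like, not evidence that the sender chose user-level notice.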