Hi everyone,
We are using Logstash to collect Syslog messages from our network gear.
Here is a way to send the collected messages to Observium:
* Define an IOS filter in Logstash
filter {
  ### IOS Grok
  # Note: the syslog_facility / syslog_severity* fields referenced by the output
  # below are produced by Logstash's syslog_pri filter (fed from syslog_pri),
  # not by this grok pattern.
  grok {
    type => "syslog"
    # One single-line pattern; a line break inside the string would become part of the pattern.
    pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:cisco_dummyvalue}: %{DATA:cisco_timestamp}: \%%{DATA:cisco_eventcode}: %{GREEDYDATA:syslog_message}" ]
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{@source_host}" ]
  }
}
* Add the following output to Logstash:
output {
  pipe {
    command => "/usr/bin/php /opt/observium/syslog.php"
    # One line per event, in the column order syslog.php explodes on "||":
    # host||facility||priority||level||tag||timestamp||msg||program
    message_format => "%{@source_host}||%{syslog_facility}||%{syslog_severity_code}||%{syslog_severity}||00||%{@timestamp}||%{cisco_dummyvalue}: %{cisco_timestamp}: %%{cisco_eventcode}: %{@message}||cisco"
  }
}
As I did not find a way to convert the @timestamp field of Logstash to
the needed format, there is one additional line in syslog.php needed:
--- syslog.php.orig 2012-12-21 11:28:41.741696532 +0100
+++ syslog.php 2012-12-29 11:58:59.790246786 +0100
@@ -28,6 +28,8 @@
{
#logfile($line);
list($entry['host'],$entry['facility'],$entry['priority'],
$entry['level'], $entry['tag'], $entry['timestamp'], $entry['msg'],
$entry['program']) = explode("||", trim($line));
+ ## reformat timestamp
+ $entry['timestamp'] = date("Y-m-d
H:i:s",strtotime($entry['timestamp']));
process_syslog($entry, 1);
unset($entry); unset($line);
$i++;
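Review bot: the second added line is wrapped here with its continuation (`H:i:s",strtotime($entry['timestamp']));`) carrying no leading `+`, so the hunk will not apply as pasted; it should be a single added line, `+ $entry['timestamp'] = date("Y-m-d H:i:s", strtotime($entry['timestamp']));`. Two behaviours of that line are worth a guard: `strtotime()` returns false when the Logstash `@timestamp` cannot be parsed, and `date()` then silently yields `1970-01-01 00:00:00`, so keep the original string when `strtotime()` returns false; and `date()` renders in PHP's default time zone, so a UTC ISO 8601 `@timestamp` is shifted to the server's local time before it reaches Observium.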
And I was also not able to find a value for the fields "TAG" and
"PROGRAM" for the message_format. So I hardcoded them as "00" and
"cisco". This works for me.
Cheers,
Tobias
--
Nine Internet Solutions AG, Albisriederstr. 243a, CH-8047 Zuerich
Support +41 44 637 40 40 | Tel +41 44 637 40 00 | Direct +41 44 637 40 13
Skype nine.ch_support
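An added example, not code from the original post, Logstash or Observium: a plain-Ruby model of the grok, the pipe message_format and the explode in syslog.php, used to check that a Cisco IOS line ends up as exactly the eight "||"-separated columns syslog.php expects and that a "||" inside the message body is caught rather than silently shifting the columns. The facility and severity names assume the syslog_pri filter runs after the grok; the sample line is constructed.

```ruby
require 'time'

# Regex equivalent of the post's grok pattern (DATA = non-greedy, GREEDYDATA = rest of line).
IOS_RE = /\A<(?<pri>\d+)>(?<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?<host>\S+) (?<dummy>.*?): (?<cisco_ts>.*?): %(?<code>.*?): (?<msg>.*)\z/

# Names as produced by Logstash's syslog_pri filter (assumed to run after the grok).
FACILITIES = ['kernel', 'user-level', 'mail', 'daemon', 'security/authorization', 'syslogd',
              'line printer', 'network news', 'uucp', 'clock', 'security/authorization', 'ftp',
              'ntp', 'log audit', 'log alert', 'clock', 'local0', 'local1', 'local2', 'local3',
              'local4', 'local5', 'local6', 'local7']
SEVERITIES = %w[emergency alert critical error warning notice informational debug]

# Filter side: parse one raw line into the fields the event would carry (nil on grok failure).
def grok_ios(line, received_at)
  m = IOS_RE.match(line)
  return nil unless m
  pri = m[:pri].to_i
  { host: m[:host], dummy: m[:dummy], cisco_ts: m[:cisco_ts], code: m[:code], msg: m[:msg],
    facility: FACILITIES[pri / 8], severity: SEVERITIES[pri % 8], severity_code: pri % 8,
    timestamp: received_at } # Logstash's ISO 8601 @timestamp
end

# Output side: render the pipe message_format
# host||facility||priority||level||tag||timestamp||msg||program
def observium_line(f)
  # The post puts %{@message} (the raw line) in the msg column; the parsed message is used here.
  msg = "#{f[:dummy]}: #{f[:cisco_ts]}: %#{f[:code]}: #{f[:msg]}"
  [f[:host], f[:facility], f[:severity_code], f[:severity], '00', f[:timestamp], msg, 'cisco'].join('||')
end

# syslog.php side: explode on '||' and reformat the timestamp as the patch does.
# Caveat modelled here: a '||' inside the message shifts the columns, so the count is checked.
def parse_pipe_line(line)
  cols = line.strip.split('||', -1)
  return nil unless cols.size == 8
  host, facility, priority, level, tag, ts, msg, program = cols
  # The PHP patch uses date()/strtotime(), i.e. the server's local zone; UTC is used here.
  { host: host, facility: facility, priority: priority, level: level, tag: tag,
    timestamp: Time.parse(ts).utc.strftime('%Y-%m-%d %H:%M:%S'), msg: msg, program: program }
end

# Constructed sample line shaped the way the grok pattern expects (PRI 189 = local7.notice).
SAMPLE = '<189>Dec 29 11:58:59 rtr1 123: Dec 29 11:58:58.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0'

if __FILE__ == $0
  fields = grok_ios(SAMPLE, '2012-12-29T10:58:59.790Z')
  puts parse_pipe_line(observium_line(fields)).inspect
end
```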