Logstash and Observium
Hi everyone,
We are using Logstash to collect Syslog messages from our network gear. Here is a way to send the collected messages to Observium:
* Define an IOS filter in Logstash
filter {
  ### IOS Grok
  grok {
    type => "syslog"
    pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:cisco_dummyvalue}: %{DATA:cisco_timestamp}: %%{DATA:cisco_eventcode}: %{GREEDYDATA:syslog_message}" ]
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{@source_host}" ]
  }
}
* Add the following output to logstash:
output {
  pipe {
    command => "/usr/bin/php /opt/observium/syslog.php"
    # fields are joined with "||", the separator syslog.php explodes on; tag ("00") and program ("cisco") are hardcoded
    message_format => "%{@source_host}||%{syslog_facility}||%{syslog_severity_code}||%{syslog_severity}||00||%{@timestamp}||%{cisco_dummyvalue}: %{cisco_timestamp}: %%{cisco_eventcode}: %{@message}||cisco"
  }
}
As I did not find a way to convert the @timestamp field of Logstash to the needed format, there is one additional line in syslog.php needed:
--- syslog.php.orig 2012-12-21 11:28:41.741696532 +0100 +++ syslog.php 2012-12-29 11:58:59.790246786 +0100 @@ -28,6 +28,8 @@ { #logfile($line); list($entry['host'],$entry['facility'],$entry['priority'], $entry['level'], $entry['tag'], $entry['timestamp'], $entry['msg'], $entry['program']) = explode("||", trim($line)); + ## reformat timestamp + $entry['timestamp'] = date("Y-m-d H:i:s",strtotime($entry['timestamp'])); process_syslog($entry, 1); unset($entry); unset($line); $i++;
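Review bot: the added line passes the sixth "||" field straight into strtotime() without checking the result; if Logstash ever emits a timestamp strtotime() cannot parse, it returns false, and date("Y-m-d H:i:s", false) silently stores 1970-01-01 00:00:00 for the event. Consider guarding it, e.g. `$ts = strtotime($entry['timestamp']); if ($ts !== false) { $entry['timestamp'] = date("Y-m-d H:i:s", $ts); }`, so an unparseable value is kept (or logged) rather than rewritten to the epoch. A short comment above the line saying that Logstash sends @timestamp as ISO 8601 would also document why the conversion is needed.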
And I was also not able to find a value for the fields "TAG" and "PROGRAM" for the message_format. So I hardcoded them as "00" and "cisco". This works for me.
Cheers, Tobias
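To check both halves of this pipeline end to end, here is an added Python example (not from the post, nor Observium's or Logstash's code): it parses a constructed IOS line the way the grok pattern above does, builds the "||"-separated line the pipe output emits, then splits and reformats it the way the patched syslog.php does. It assumes facility and severity are derived from the PRI value as the syslog_pri filter would (PRI = facility * 8 + severity), uses syslog_message as the message body, and escapes a literal "||" inside a message so it cannot shift the fields that explode("||") produces.

```python
import re
from datetime import datetime

# Regex equivalent (an approximation, not Logstash's grok engine) of the IOS grok pattern in the post.
IOS_RE = re.compile(
    r"^<(?P<syslog_pri>\d+)>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<cisco_dummyvalue>.*?): "
    r"(?P<cisco_timestamp>.*?): "
    r"%(?P<cisco_eventcode>[^:]+): "
    r"(?P<syslog_message>.*)$"
)
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]

def parse_ios(line):
    """Parse one IOS syslog line; facility/severity are derived from PRI like the syslog_pri filter does."""
    m = IOS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    pri = int(d["syslog_pri"])
    d["syslog_facility"] = str(pri // 8)
    d["syslog_severity_code"] = str(pri % 8)
    d["syslog_severity"] = SEVERITIES[pri % 8]
    return d

def observium_line(d, at):
    """Build the '||'-separated line the pipe output sends (tag '00', program 'cisco', as in the post)."""
    msg = "%s: %s: %%%s: %s" % (d["cisco_dummyvalue"], d["cisco_timestamp"], d["cisco_eventcode"], d["syslog_message"])
    msg = msg.replace("||", "| |")  # a literal '||' in the message would otherwise shift fields in explode()
    return "||".join([d["syslog_hostname"], d["syslog_facility"], d["syslog_severity_code"],
                      d["syslog_severity"], "00", at, msg, "cisco"])

def syslog_php_side(line):
    """Mirror of syslog.php after the patch: explode on '||' into 8 fields, then reformat the timestamp."""
    fields = line.strip().split("||")
    if len(fields) != 8:
        raise ValueError("expected 8 fields, got %d" % len(fields))
    entry = dict(zip(["host", "facility", "priority", "level", "tag", "timestamp", "msg", "program"], fields))
    ts = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")  # Logstash @timestamp is ISO 8601 UTC
    entry["timestamp"] = ts.strftime("%Y-%m-%d %H:%M:%S")  # same layout as date("Y-m-d H:i:s", ...) in the patch
    return entry

# Constructed sample line (not from the post), shaped like what the grok pattern expects; note the '||' in the text.
SAMPLE = "<189>Dec 29 11:58:59 core-sw1 000123: Dec 29 11:58:58.123 UTC: %SYS-5-CONFIG_I: Configured from console by admin || on vty0"

def run(line=SAMPLE, at="2012-12-29T10:58:59.790Z"):
    parsed = parse_ios(line)
    return syslog_php_side(observium_line(parsed, at)) if parsed else None

if __name__ == "__main__":
    print(run())
```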