Paladin · August 29, 2015 14:26
diff --git a/logstash filter b/logstash filter
 Here's the filter itself. You'll note one difference between it and standalone: the field 'tz'. This is because that field is added in along with 'type' with the logstash-fowarder config:

 filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
 #      add_field => [ "tz", "EST"]
    }
    syslog_pri { }
    ruby {
      code => "require 'date'; event['fred'] = event['syslog_timestamp'].class;  stz = event['tz']; dtz = stz; dtz[1] = 'D'; tz = Time.new.dst? ? stz: dtz; new_time  = event['syslog_timestamp'] + tz; event['syslog_timestamp'] = DateTime.parse(new_time).to_time.strftime('%b %d %H:%M:%S %z')"
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss Z", "MMM dd HH:mm:ss Z" ]
    }
  }
 }

 And the error message from the log:

 {:timestamp=>"2015-07-29T15:01:43.024000-0500", :message=>"Failed parsing date from field", :field=>"syslog_timestamp", :value=>"Jul 29 15:00:01 -0500", :exception=>"Invalid format: \"Jul 29 15:00:01 -0500\" is malformed at \" -0500\"", :config_parsers=>"MMM  d HH:mm:ss,MMM dd HH:mm:ss", :config_locale=>"default=en_US", :level=>:warn}

 Here it is as a standalone:

 input {
  stdin { }
 }

 filter {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_field => [ "tz", "EST"]
    }
    syslog_pri { }
    ruby {
      code => "require 'date'; event['fred'] = event['syslog_timestamp'].class;  stz = event['tz']; dtz = stz; dtz[1] = 'D'; tz = Time.new.dst? ? stz: dtz; new_time  = event['syslog_timestamp'] + tz; event['syslog_timestamp'] = DateTime.parse(new_time).to_time.strftime('%b %d %H:%M:%S %z')"
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss Z", "MMM dd HH:mm:ss Z" ]
    }
 }

 output {
  stdout { codec => rubydebug }
 }

 And the result from running it standalone:

 Logstash startup completed
 Jul 29 13:36:01 daylin-ftp01 systemd: Starting Session 33866 of user root.
 {
                 "message" => "Jul 29 13:36:01 daylin-ftp01 systemd: Starting Session 33866 of user root.",
                "@version" => "1",
              "@timestamp" => "2015-07-29T17:36:01.000Z",
                    "host" => "bunyan",
        "syslog_timestamp" => "Jul 29 12:36:01 -0500",
         "syslog_hostname" => "daylin-ftp01",
          "syslog_program" => "systemd",
          "syslog_message" => "Starting Session 33866 of user root.",
             "received_at" => "2015-07-29T17:42:58.174Z",
           "received_from" => "bunyan",
                      "tz" => "EDT",
    "syslog_severity_code" => 5,
    "syslog_facility_code" => 1,
         "syslog_facility" => "user-level",
         "syslog_severity" => "notice",
                    "fred" => String < Object
 }

 ps -efww | grep logstash
 logstash 15407     1  3 15:01 ?        00:00:47 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xmx500m -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstas/logstash.log
	Here's the filter itself. You'll note one difference between it and standalone: the field 'tz'. This is because that field is added in along with 'type' with the logstash-fowarder config:

	filter {
	if [type] == "syslog" {
	grok {
	match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
	add_field => [ "received_at", "%{@timestamp}" ]
	add_field => [ "received_from", "%{host}" ]
	# add_field => [ "tz", "EST"]
	}
	syslog_pri { }
	ruby {
	code => "require 'date'; event['fred'] = event['syslog_timestamp'].class; stz = event['tz']; dtz = stz; dtz[1] = 'D'; tz = Time.new.dst? ? stz: dtz; new_time = event['syslog_timestamp'] + tz; event['syslog_timestamp'] = DateTime.parse(new_time).to_time.strftime('%b %d %H:%M:%S %z')"
	}
	date {
	match => [ "syslog_timestamp", "MMM d HH:mm:ss Z", "MMM dd HH:mm:ss Z" ]
	}
	}
	}

	And the error message from the log:

	{:timestamp=>"2015-07-29T15:01:43.024000-0500", :message=>"Failed parsing date from field", :field=>"syslog_timestamp", :value=>"Jul 29 15:00:01 -0500", :exception=>"Invalid format: \"Jul 29 15:00:01 -0500\" is malformed at \" -0500\"", :config_parsers=>"MMM d HH:mm:ss,MMM dd HH:mm:ss", :config_locale=>"default=en_US", :level=>:warn}

	Here it is as a standalone:

	input {
	stdin { }
	}

	filter {
	grok {
	match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
	add_field => [ "received_at", "%{@timestamp}" ]
	add_field => [ "received_from", "%{host}" ]
	add_field => [ "tz", "EST"]
	}
	syslog_pri { }
	ruby {
	code => "require 'date'; event['fred'] = event['syslog_timestamp'].class; stz = event['tz']; dtz = stz; dtz[1] = 'D'; tz = Time.new.dst? ? stz: dtz; new_time = event['syslog_timestamp'] + tz; event['syslog_timestamp'] = DateTime.parse(new_time).to_time.strftime('%b %d %H:%M:%S %z')"
	}
	date {
	match => [ "syslog_timestamp", "MMM d HH:mm:ss Z", "MMM dd HH:mm:ss Z" ]
	}
	}

	output {
	stdout { codec => rubydebug }
	}

	And the result from running it standalone:

	Logstash startup completed
	Jul 29 13:36:01 daylin-ftp01 systemd: Starting Session 33866 of user root.
	{
	"message" => "Jul 29 13:36:01 daylin-ftp01 systemd: Starting Session 33866 of user root.",
	"@version" => "1",
	"@timestamp" => "2015-07-29T17:36:01.000Z",
	"host" => "bunyan",
	"syslog_timestamp" => "Jul 29 12:36:01 -0500",
	"syslog_hostname" => "daylin-ftp01",
	"syslog_program" => "systemd",
	"syslog_message" => "Starting Session 33866 of user root.",
	"received_at" => "2015-07-29T17:42:58.174Z",
	"received_from" => "bunyan",
	"tz" => "EDT",
	"syslog_severity_code" => 5,
	"syslog_facility_code" => 1,
	"syslog_facility" => "user-level",
	"syslog_severity" => "notice",
	"fred" => String < Object
	}

	ps -efww \| grep logstash
	logstash 15407 1 3 15:01 ? 00:00:47 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xmx500m -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstas/logstash.log