Grok

Configuration

For syslog lines in the traditional BSD (RFC 3164) format — `MMM dd HH:mm:ss host program[pid]: message` — as in the example below:

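filter {
  if [type] == "syslog" {
    # Expected input: a traditional BSD (RFC 3164) syslog line, e.g.
    #   Dec 25 00:00:00 glados init[1]: oops
    # The timestamp carries no year and no zone; the "[pid]" part is optional.
    grok {
      match => {
        "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
      }
      # NOTE(review): syslog_hostname, syslog_program and syslog_message are
      # copied verbatim from the sender and are not authenticated - do not
      # use them on their own for routing, allow-listing or alert
      # suppression. A line that does not match is tagged _grokparsefailure
      # and passes through with only the raw message, so downstream rules
      # keyed on these fields silently skip it; alert on that tag.
      # grok also has a per-match timeout (timeout_millis) that bounds
      # backtracking on hostile input; the default is generous - verify it
      # against the filter docs and lower it if this pipeline is exposed.
    }

    # Turn the extracted timestamp into @timestamp. Two forms are required:
    # single-digit days are padded with a second space ("Dec  5 ..."),
    # two-digit days are not ("Dec 25 ..."). The original second pattern
    # contained commas, which never occur in a syslog timestamp, and the
    # match array was closed twice (stray "]"), which is a config syntax error.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      # NOTE(review): with no year or zone in the pattern the date filter
      # assumes the current year and, unless `timezone` is set here, the
      # Logstash host's zone - set it explicitly when senders log in a
      # different zone, or event times (and correlation windows) are offset.
      # Unparseable values are tagged _dateparsefailure and @timestamp
      # falls back to ingest time.
    }
  }
}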
