Grok
Configuration
A Logstash filter block for parsing classic BSD-style syslog lines (timestamp without a year, host, program, optional PID, message):
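filter {
  if [type] == "syslog" {
    # Example line this pattern is meant to match. Note that SYSLOGTIMESTAMP
    # carries no year, so a line such as "Dec 25 2020 00:00:00 ..." would NOT match:
    #   Dec 25 00:00:00 glados init[1]: oops
    grok {
      match => {
        "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
      }
      # The message body is untrusted input and DATA/GREEDYDATA can backtrack heavily
      # on malformed lines; bound the time one event may spend in the regex engine
      # (the default is 30000 ms). Consider anchoring the pattern with ^ if your
      # input never carries a PRI prefix or other leading bytes.
      timeout_millis => 1000
      # Non-matching lines are tagged (the default) rather than dropped, so they
      # remain visible for investigation.
      tag_on_failure => [ "_grokparsefailure" ]
    }
    # NOTE: syslog_hostname is whatever the sender wrote into the message body; it is
    # not authenticated. For anything access- or alert-relevant, prefer the
    # transport-level source address recorded by the input plugin.
    date {
      # Two layouts are needed: single-digit days are padded with a second space
      # ("Dec  5 00:00:00"), double-digit days are not ("Dec 25 00:00:00").
      # The original "MMM, dd, HH:mm:ss" (with commas) can never match syslog output,
      # and the stray "]" after the match array made the whole config unparsable.
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      # The timestamp has no year or zone: Logstash infers the year from the current
      # date and assumes the pipeline's local zone. Set timezone explicitly if the
      # senders log in a different zone, e.g.:
      # timezone => "UTC"
    }
  }
}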