logstash-plugins / logstash-patterns-core


# NetScreen firewall logs NETSCREENSESSIONLOG - Now is RFC5424, so not parsing.

dneto82 opened this issue · comments

Hi Friends,

Trying to implement Logstash to collect data from my NetScreen devices (6.3.0r21), but I noticed the syslog format wasn't parsed correctly. After some grok searching I noticed the log format is RFC5424.

Sample:

```
<189>SSG-SITE1175: NetScreen device_id=SSG-SITE1175 [Root]system-notification-00257(traffic): start_time="2016-07-06 05:34:27" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 src zone=Null dst zone=self action=Deny sent=0 rcvd=40 src=172.30.144.251 dst=224.0.0.18 session_id=0 reason=Traffic Denied

<133>SSG-SITE0006: NetScreen device_id=SSG-SITE0006 [Root]system-notification-00257(traffic): start_time="2016-07-06 05:34:28" duration=0 policy_id=89 service=dns proto=17 src zone=ZONE-A dst zone=Untrust action=Permit sent=0 rcvd=0 src=172.23.110.3 dst=192.31.1192.60 src_port=51435 dst_port=53 src-xlated ip=172.23.110.3 port=51435 dst-xlated ip=192.31.1192.60 port=53 session_id=7004 reason=Creation
```

My conf:

```
input {
  tcp {
    host => "10.114.243.55"
    port => 2514
    type => "syslog"
    tags => ["traffic"]
  }
  udp {
    host => "10.114.243.55"
    port => 2514
    type => "syslog"
    tags => ["traffic"]
  }
} # Input Block END

filter {
  if [type] == "syslog" {
    grok {
      match => ["message", "%{NETSCREENSESSIONLOG}"]
    }
  }
} # Filter Block END

output {
  if "traffic" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "firewall-traffic-%{+YYYY.MM}"
    }
  }
} # Output Block END
```

  • Version:
    www-apps/kibana-bin-4.5.1::gentoo
    app-admin/logstash-bin-2.3.3::gentoo
    app-misc/elasticsearch-2.3.3::gentoo
  • Operating System: Funtoo x64

I think this can be related to this enhancement.

Now I'm trying to make a new grok pattern.

Hi,
are you sure that it's really RFC5424? If I got it right, the VERSION number (the one after the PRI) isn't optional, and the timestamp is missing/out of place.

It looks like a custom format.
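As an added example, not code from the issue or from logstash-patterns-core, the script below does two things the thread turns on: it checks whether a line carries an RFC 5424 header (PRI immediately followed by VERSION, then a timestamp), which is the point the reply raises, and it parses the ScreenOS traffic format from the posted lines with a Ruby regex of the kind grok patterns compile to. The sample lines are reconstructed from the issue, with the second line's destination address replaced by a documentation-range address; the field names that are not printed in the log itself (`host`, `vsys`, `category`, `severity`, `event_id`, `subtype`, `facility`, `syslog_severity`) are my own labels, not ScreenOS or Logstash names.

```ruby
# Added example (not logstash-patterns-core code): tell an RFC 5424 header
# from the ScreenOS syslog format in the issue, and parse the latter.

# Constructed samples modelled on the two lines in the issue (second line's
# destination rewritten to 192.0.2.60, a documentation address).
NETSCREEN_SAMPLES = [
  '<189>SSG-SITE1175: NetScreen device_id=SSG-SITE1175 [Root]system-notification-00257(traffic): ' \
  'start_time="2016-07-06 05:34:27" duration=0 policy_id=320001 service=proto:112/port:0 proto=112 ' \
  'src zone=Null dst zone=self action=Deny sent=0 rcvd=40 src=172.30.144.251 dst=224.0.0.18 ' \
  'session_id=0 reason=Traffic Denied',
  '<133>SSG-SITE0006: NetScreen device_id=SSG-SITE0006 [Root]system-notification-00257(traffic): ' \
  'start_time="2016-07-06 05:34:28" duration=0 policy_id=89 service=dns proto=17 src zone=ZONE-A ' \
  'dst zone=Untrust action=Permit sent=0 rcvd=0 src=172.23.110.3 dst=192.0.2.60 src_port=51435 ' \
  'dst_port=53 src-xlated ip=172.23.110.3 port=51435 dst-xlated ip=192.0.2.60 port=53 ' \
  'session_id=7004 reason=Creation'
]

# Constructed line showing what the same event would look like with a real
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424_SAMPLE = '<189>1 2016-07-06T05:34:27.000Z SSG-SITE1175 NetScreen - 00257 - ' \
                 'device_id=SSG-SITE1175 action=Deny src=172.30.144.251 dst=224.0.0.18'

# TIMESTAMP is either NILVALUE ("-") or an RFC 3339 date, followed by a space.
RFC5424_TIMESTAMP = /\A(?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) /

# Returns nil when the header conforms to RFC 5424, otherwise the first
# violation found. VERSION (1-3 digits, no leading zero) must directly
# follow the PRI; that is exactly what the ScreenOS lines lack.
def rfc5424_header_problem(line)
  m = /\A<(\d{1,3})>(.*)\z/.match(line)
  return 'no <PRI> at start of line' unless m
  rest = m[2]
  return 'VERSION missing after PRI' unless rest =~ /\A[1-9]\d{0,2} /
  rest = rest.sub(/\A\d+ /, '')
  return 'TIMESTAMP missing or not RFC 3339' unless rest =~ RFC5424_TIMESTAMP
  nil
end

# ScreenOS header as seen in the issue. Group names other than device_id are
# my labels; [Root] is assumed to be the virtual system name.
NETSCREEN_HEADER = /
  \A<(?<pri>\d{1,3})>
  (?<host>[^:\s]+):\sNetScreen\sdevice_id=(?<device_id>\S+)\s
  \[(?<vsys>[^\]]+)\]
  (?<category>[a-z]+)-(?<severity>[a-z]+)-(?<event_id>\d+)   # system-notification-00257
  \((?<subtype>[^)]+)\):\s                                     # (traffic):
  (?<body>.*)\z
/x

# key=value pairs. Keys may contain one space ("src zone", "src-xlated ip");
# a value is either double-quoted or runs until the next "key=" or end of
# line, which keeps "reason=Traffic Denied" in one piece.
KV_PAIR = /([\w\-]+(?: [\w\-]+)?)=(?:"([^"]*)"|(.+?))(?= [\w\-]+(?: [\w\-]+)?=|\z)/

# Parses one ScreenOS traffic line into a Hash, or returns nil if the header
# does not match. Repeated keys (port after src-xlated and dst-xlated) are
# kept as an array instead of silently overwriting the first value.
def parse_netscreen(line)
  m = NETSCREEN_HEADER.match(line)
  return nil unless m
  fields = m.named_captures
  body = fields.delete('body')
  # PRI = facility * 8 + severity (RFC 3164 / RFC 5424); 189 -> local7, notice
  pri = fields['pri'].to_i
  fields['facility'] = pri / 8
  fields['syslog_severity'] = pri % 8
  body.scan(KV_PAIR) do |key, quoted, bare|
    value = quoted || bare
    fields[key] = fields.key?(key) ? Array(fields[key]) << value : value
  end
  fields
end

if __FILE__ == $PROGRAM_NAME
  (NETSCREEN_SAMPLES + [RFC5424_SAMPLE]).each do |line|
    puts "RFC 5424 header: #{rfc5424_header_problem(line) || 'ok'}"
    (parse_netscreen(line) || {}).each { |k, v| puts "  #{k} = #{v.inspect}" }
  end
end
```

The header check reports "VERSION missing after PRI" for both ScreenOS lines and passes the constructed RFC 5424 line, which is the distinction the reply draws. The named groups in `NETSCREEN_HEADER` are the same `(?<name>...)` syntax grok expands `%{PATTERN:name}` into, so the regex can be carried over into a custom pattern file once the field names are settled; note that grok's `kv`-style handling is not needed for the header, only for the trailing body, where keys containing spaces are the part that defeats a naive `kv` filter.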