[CentOS] syslog / logstash problem with timestamp

Fri Mar 8 11:15:33 UTC 2019
Pete Biggs <pete at biggs.org.uk>

> > {"index"=>{"_index"=>"%{[@metadata][comline]}-%{[@metadata][version]}",  
> > "_type"=>"doc", "_id"=>"U1XLXGkBpfl5FoHeY4J8", "status"=>400,  
> > "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to  
> > parse field [timestamp] of type [date]",  
> > "caused_by"=>{"type"=>"illegal_argument_exception",  
> > "reason"=>"Invalid format: \"Mar  8 11:13:54\""}}}}}
> [2019-03-08T11:13:47,125][WARN ][logstash.outputs.elasticsearch] Could  
> not index event to Elasticsearch. {:status=>400, :action=>["index",  
> {:_id=>nil,  
> :_index=>"%{[@metadata][comline]}-%{[@metadata][version]}",  
> :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x3af3f839>],  
> :response=>{"index"=>{"_index"=>"%{[@metadata][comline]}-%{[@metadata][version]}", "_type"=>"doc", "_id"=>"VFXLXGkBpfl5FoHeY4Ly", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [timestamp] of type [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"Mar  8  
> 11:13:54\""}}}}}
> [2019-03-08T11:13:47,202][WARN ][logstash.outputs.elasticsearch] Could  
> not index event to Elasticsearch. {:status=>400, :action=>["index",  
> {:_id=>nil,  
> :_index=>"%{[@metadata][comline]}-%{[@metadata][version]}",  
> :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x4fedebdc>],  
> :response=>{"index"=>{"_index"=>"%{[@metadata][comline]}-%{[@metadata][version]}", "_type"=>"doc", "_id"=>"VVXLXGkBpfl5FoHeZII_", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [timestamp] of type [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"Mar  8  
> 11:13:54\""}}}}}


To be pedantic, that's not a logstash error; it's an elasticsearch
error.

What logstash filters do you have for syslog messages? Make sure you
have a filter in place that does something like:

   filter {
     if [type] == "syslog" {
       grok {
         match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
         add_field => [ "received_at", "%{@timestamp}" ]
         add_field => [ "received_from", "%{host}" ]
       }
       date {
         match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
         timezone => "UTC"
       }
     }
   }
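
Before wiring that into your real pipeline, it's worth checking the
grok and date patterns against a sample line. A throwaway stdin/stdout
pipeline works well for that - a sketch (the filename test.conf and the
`bin/logstash -f test.conf` invocation are just my assumptions about
how you run it):

```
# test.conf - minimal pipeline for testing the syslog filter interactively.
input {
  stdin {
    # Tag incoming lines so the conditional in the filter matches.
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
    date {
      # Two patterns: "MMM  d" (two spaces) for single-digit days,
      # "MMM dd" for double-digit days. Raw syslog has no milliseconds.
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      timezone => "UTC"
    }
  }
}

output {
  # Print each parsed event so you can eyeball the resulting fields.
  stdout { codec => rubydebug }
}
```

Paste a raw syslog line at the prompt and check that syslog_timestamp
parses and @timestamp comes out right before pointing the filter at
your live input.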

That will break apart the message into fields and set the correct date
format. But you will probably have to play with it to get it exactly
how you want it - the actual content of the syslog message as seen by
logstash often depends on its source (syslog, filebeat, redis etc.) -
pay particular attention to the format of the timestamps.
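
If, on the other hand, your events already carry a field literally
named [timestamp] holding the raw "Mar  8 11:13:54" string - which is
what the mapper_parsing_exception above is complaining about - then one
approach (a guess at your pipeline, since I can't see it from here) is
to parse that field and drop it before it ever reaches elasticsearch:

```
filter {
  # Assumes an existing "timestamp" field containing the raw syslog time.
  date {
    match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    timezone => "UTC"
  }
  # Once the value has been copied into @timestamp, remove the offending
  # string field so elasticsearch never tries to parse it as a date.
  mutate {
    remove_field => [ "timestamp" ]
  }
}
```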

P.