Logstash Custom Parsing
You can set up Logstash to do custom parsing of your logs and then send the output to Loggly. Logstash parses logs using grok filters. This is useful if your log format is not one of our automatically parsed formats. Parsing lets you use advanced features such as statistical analysis on value fields, faceted search, filters and more.
1. Setup Logstash
If you haven’t already, configure Logstash to output to Loggly.
2. Configure A Grok Filter
Grok is a library of named regular expressions that make it easy to extract fields from your logs. You can choose from hundreds of available grok patterns.
This example takes a line from kern.log, writes a custom grok pattern for it, and adds that pattern to a grok filter.
Sample log line from kern.log file
Sep 24 08:12:51 ubuntu kernel: [ 0.000000] Calgary: Unable to locate Rio Grande table in EBDA - bailing!
Custom format used
%{CISCOTIMESTAMP:timestamp} %{HOST:host} %{WORD:program}: \[\s*%{NUMBER:duration}\] %{GREEDYDATA:kernel_logs}
CISCOTIMESTAMP captures the syslog date and time, HOST the hostname, WORD the program name (kernel), NUMBER the bracketed seconds-since-boot stamp (stored here in a field named duration), and GREEDYDATA the rest of the line. The kernel left-pads that stamp to a fixed width (for example "[    0.000000]"), so the pattern uses \[\s* in front of the number rather than a bare %{NOTSPACE}; without that allowance early-boot lines such as the sample above do not match and are tagged _grokparsefailure.
Paste this into your Logstash configuration file, replacing TOKEN with your own customer token.
input {
  file {
    path => "/var/log/kern.log"
    # Read the whole file on the first run; later runs resume from the sincedb position
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{HOST:host} %{WORD:program}: \[\s*%{NUMBER:duration}\] %{GREEDYDATA:kernel_logs}" }
    # The file input already sets host; without overwrite grok appends to it and host becomes an array
    overwrite => [ "host" ]
    add_field => { "source" => "logstash" }
  }
}
output {
  loggly {
    host => "logs-01.loggly.com"
    key => "TOKEN"
    # https keeps the customer token (part of the request URL) and the log contents off the wire in cleartext
    proto => "https"
  }
}
Replace:
- TOKEN: your customer token from the source setup page
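To check what the custom format captures before wiring it into Logstash, here is an added Python example (it is not part of this page and not Logstash's own code) that transcribes the grok patterns used in the format into Python regular expressions, expands a grok pattern the way the grok filter does, and runs it over a few constructed kern.log lines, including one with no uptime stamp, which is the failure case grok tags _grokparsefailure. The regexes follow the Logstash grok-patterns library with Oniguruma-only constructs (atomic groups, look-behinds) simplified, so treat them as an approximation; the sample lines, the UNPADDED_PATTERN contrast and the helper names are assumptions made for the example.

```python
import re

# Regex equivalents of the grok patterns used in the custom format above,
# transcribed from the Logstash grok-patterns library. Oniguruma-only
# constructs (atomic groups, look-behinds) are simplified, so this is an
# approximation of what the grok filter runs, good enough to test a format.
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?"
             r"|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0123]|[01]?[0-9]):[0-5][0-9](?::(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)?",
    "CISCOTIMESTAMP": r"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}",
    "HOST": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "GREEDYDATA": r".*",
}

# The custom format from this page. \[\s* absorbs the padding the kernel
# puts in front of its seconds-since-boot stamp ("[    0.000000]").
KERN_PATTERN = (
    r"%{CISCOTIMESTAMP:timestamp} %{HOST:host} %{WORD:program}: "
    r"\[\s*%{NUMBER:duration}\] %{GREEDYDATA:kernel_logs}"
)

# Assumed contrast case: the same format without the \s*, to show what
# happens when the padding is not allowed for.
UNPADDED_PATTERN = KERN_PATTERN.replace(r"\[\s*", r"\[")

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand_grok(pattern):
    """Turn a grok pattern into a Python regex: %{NAME:field} becomes a named
    capture group, %{NAME} a non-capturing group, recursing into patterns
    that are themselves built from other grok patterns."""
    def replace(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise ValueError(f"unknown grok pattern {name}")
        inner = expand_grok(GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _GROK_REF.sub(replace, pattern)


def grok_match(pattern, line):
    """Apply a grok pattern to one line. Returns the captured fields, or None
    where the Logstash grok filter would tag the event _grokparsefailure."""
    m = re.match(expand_grok(pattern), line)
    return m.groupdict() if m else None


def parse_kern_log(lines, pattern=KERN_PATTERN):
    """Parse a batch of lines, keeping unmatched lines instead of dropping
    them, as grok does (they stay in the pipeline carrying the failure tag)."""
    parsed, unmatched = [], []
    for line in lines:
        fields = grok_match(pattern, line)
        if fields is None:
            unmatched.append(line)
        else:
            parsed.append(fields)
    return parsed, unmatched


# Constructed sample lines in kern.log format; not taken from a real system.
SAMPLE_LINES = [
    "Sep 24 08:12:51 ubuntu kernel: [    0.000000] Calgary: Unable to locate Rio Grande table in EBDA - bailing!",
    "Sep 24 08:12:53 ubuntu kernel: [    2.431806] usb 1-1: new high-speed USB device number 2 using ehci-pci",
    'Sep 24 09:03:17 ubuntu kernel: [ 3026.118324] audit: type=1400 audit(1411549397.118:21): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd"',
    "Sep 24 09:03:18 ubuntu kernel: Kernel logging (proc) stopped.",  # no uptime stamp: will not match
]

if __name__ == "__main__":
    for name, pattern in (("custom format", KERN_PATTERN), ("without \\s*", UNPADDED_PATTERN)):
        parsed, unmatched = parse_kern_log(SAMPLE_LINES, pattern)
        print(f"{name}: {len(parsed)} parsed, {len(unmatched)} would be tagged _grokparsefailure")
    for fields in parse_kern_log(SAMPLE_LINES)[0]:
        print(fields["timestamp"], fields["host"], fields["duration"], fields["kernel_logs"][:40])
```

Running the script parses three of the four lines with the custom format and none with the unpadded variant, which is the symptom to look for when a grok filter appears to do nothing: the events still arrive, but without the extracted fields and with the _grokparsefailure tag.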
3. Verify Events
After Logstash has sent a few events, search for them in Loggly and confirm that the fields timestamp, host, program, duration and kernel_logs from the custom format above appear on each event, and that none of them carry the _grokparsefailure tag.
Advanced Logstash Custom Parsing Options
- Grok pattern library – See a list of all the patterns supported
- Logstash output to Loggly – Configure Logstash to send to Loggly
- Fluentd – An alternative that also supports custom parsing with Grok and other methods; see also the Fluentd logs page.
- Search or post your own Logstash custom parser or Logstash logs questions in the community forum.
Troubleshooting Logstash Custom Parser
If you don’t see any data show up in the verification step, then check for these common problems.
Check logstash configuration:
- Wait a few minutes in case indexing needs to catch up
- Debug grok patterns in an interactive grok debugger before deploying them; events the pattern does not match still reach Loggly, tagged _grokparsefailure, so search for that tag
- See our Troubleshooting Logstash page if events are not being sent to Loggly
Still Not Working?
- Search or post your own question in the community forum.
When the APM Integrated Experience is enabled, Loggly shares a common navigation and enhanced feature set with the other integrated experiences' products. How you navigate the product and access its features may vary from these instructions. For more information, go to the APM Integrated Experience documentation.
The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.