Hello,
I am attempting to use Telegraf to collect syslog messages from various network devices (firewalls and switches). Unfortunately, several of these device vendors do not send log messages in an RFC-compatible format that the “syslog” input can understand.
So I have set up a socket listener that is parsing raw syslog messages using the grok parser. This is working well.
However, I have one device type that is not sending its hostname or ip address as part of the log message. I need either of these so I can tag the log accordingly.
Is there a way to add an ip address tag to the socket input that corresponds to the source IP that sent the log message?
If needed, the relevant config looks roughly like this (note the example below is Cisco Nexus, which can optionally include the hostname, but the problem is for a different vendor that doesn’t):

```toml
[[inputs.socket_listener]]
  ## URL to listen on
  service_address = "udp://:6514"

  ## Data format to consume.
  ## Each data format has its own unique set of configuration options, read
  ## more about them here:
  ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md
  data_format = "grok"

  ## Grok patterns
  grok_patterns = ["%{CISCO_NEXUS}"]
  grok_custom_pattern_files = ["/etc/telegraf/grok_patterns/cisco"]

  ## Route to device_logs output
  [inputs.socket_listener.tags]
    device_log_type = "syslog"
```

The patterns:

```
CISCO_TIMESTAMP %{YEAR} %{SYSLOGTIMESTAMP} %{TZ}
CISCO_NEXUS <%{NONNEGINT}>%{HOSTNAME:hostname:tag}: %{CISCO_TIMESTAMP:timestamp:ts-"2006 Jan 2 15:04:05 MST"}: %{GREEDYDATA:message}
```
Thanks,
Jeremy
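The following is an added, stand-alone Go illustration of what the post is asking for; it is not Telegraf code, not a Telegraf plugin, and not something the poster wrote. It re-implements the CISCO_NEXUS grok pattern from the post as a regular expression, parses the timestamp with the same Go layout the `ts-"2006 Jan 2 15:04:05 MST"` modifier uses, and shows where a source-IP tag has to come from when the payload does not carry a hostname: the sender address the UDP socket returns with each datagram, not anything inside the message. The type `Record`, the functions `ParseNexus` and `Serve`, the tag name `source_ip`, and the sample line and sample address are all constructed for this example.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"os"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Record is one parsed datagram, shaped like a Telegraf metric: fields plus tags.
type Record struct {
	Timestamp time.Time
	Facility  int // PRI / 8
	Severity  int // PRI % 8
	Message   string
	Tags      map[string]string
}

// nexusRe is a regexp equivalent of the CISCO_NEXUS grok pattern in the post:
// <PRI>hostname: YEAR MON DAY HH:MM:SS TZ: message
var nexusRe = regexp.MustCompile(
	`^<(\d{1,3})>(\S+): (\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} [A-Z]+): (.*)$`)

// nexusLayout is the Go reference layout used by the grok ts- modifier in the post.
const nexusLayout = "2006 Jan 2 15:04:05 MST"

// Constructed sample input (hostname, timestamp and message are made up for this example).
const sampleLine = "<189>nx-sw01: 2021 Mar 4 10:02:03 UTC: Interface Ethernet1/1 is down (Link failure)"

// Constructed sample sender address, as ReadFromUDP would return it.
var sampleSrc = &net.UDPAddr{IP: net.ParseIP("192.0.2.10"), Port: 45000}

// ParseNexus parses one raw syslog line and tags it with the sender's IP.
// src is the transport-level source address; it is the only reliable device
// identifier when the payload itself carries no hostname.
func ParseNexus(line string, src *net.UDPAddr) (Record, error) {
	m := nexusRe.FindStringSubmatch(line)
	if m == nil {
		return Record{}, fmt.Errorf("line does not match CISCO_NEXUS pattern: %q", line)
	}
	pri, err := strconv.Atoi(m[1])
	if err != nil || pri > 191 { // max facility 23, max severity 7
		return Record{}, fmt.Errorf("bad PRI %q", m[1])
	}
	ts, err := time.Parse(nexusLayout, m[3])
	if err != nil {
		return Record{}, fmt.Errorf("bad timestamp %q: %w", m[3], err)
	}
	tags := map[string]string{
		"hostname":        m[2],
		"device_log_type": "syslog", // same static tag as the post's config
	}
	if src != nil {
		tags["source_ip"] = src.IP.String() // hypothetical tag name
	}
	return Record{Timestamp: ts, Facility: pri / 8, Severity: pri % 8, Message: m[4], Tags: tags}, nil
}

// Serve reads datagrams from conn and hands each parsed record to handle.
// Lines that do not match are logged and dropped rather than stopping the loop.
func Serve(conn *net.UDPConn, handle func(Record)) error {
	buf := make([]byte, 64*1024)
	for {
		n, src, err := conn.ReadFromUDP(buf)
		if err != nil {
			return err
		}
		rec, err := ParseNexus(strings.TrimRight(string(buf[:n]), "\r\n"), src)
		if err != nil {
			log.Printf("drop datagram from %s: %v", src, err)
			continue
		}
		handle(rec)
	}
}

func main() {
	rec, err := ParseNexus(sampleLine, sampleSrc)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s facility=%d severity=%d tags=%v msg=%q\n",
		rec.Timestamp.Format(time.RFC3339), rec.Facility, rec.Severity, rec.Tags, rec.Message)

	// Pass a listen address (e.g. ":6514") to read real datagrams instead of the sample.
	if len(os.Args) > 1 {
		addr, err := net.ResolveUDPAddr("udp", os.Args[1])
		if err != nil {
			log.Fatal(err)
		}
		conn, err := net.ListenUDP("udp", addr)
		if err != nil {
			log.Fatal(err)
		}
		log.Fatal(Serve(conn, func(r Record) { fmt.Printf("%v %s\n", r.Tags, r.Message) }))
	}
}
```

The PRI split (facility = PRI/8, severity = PRI%8) follows the standard syslog encoding, so `<189>` decodes to local7/notice. The regexp allows a run of spaces before the day, as grok's SYSLOGTIMESTAMP does, and Go's `time.Parse` treats a run of spaces in the value as matching a single space in the layout, so a padded day such as `Mar  4` parses as well.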