Custom TimeStamp for SYSLOGTIMESTAMP and Telegraf

Wolfyxzvf · October 19, 2017, 9:40am

Hello everyone,

I’ve tried to configure the logparser plugin in order to parse my existing postfix mail.log.
Using Grok pattern I manage successfully to integrate the logs into influxdb but I have a problem for the timestamp.
I’m catching the log timestamp by using the %{SYSLOGTIMESTAMP} Grok pattern; which is actually working, but when converting it in order to replace the time into influxdb Telegraf doesn’t manage to convert it.
I think it’s do to the lack of year as the SYSLOGTIMESTAMP is the following format :
Sep 25 08:27:29

As per the documentation, I’ve tried several combination of custom timestamp modifiers without success.

Does anyone has already fall into this ?

daniel · October 19, 2017, 5:43pm

Can you post the grok section of your config?

Wolfyxzvf · October 19, 2017, 7:05pm

Yes sure, forgot about it; my bad

Here you go :

Stream and parse log file(s).

[[inputs.logparser]]
files = ["/root/samples/*mail.log"]
from_beginning = true

[inputs.logparser.grok]
patterns = ["%{SYSLOGTIMESTAMP:timestamp:ts-“Sep 25 09:01:55”} %{SYSLOGHOST:hostname} mta-in/milter\[%{MILTER_PROCESSID}\]: %{POSTFIX_QUEUEID:postfix_queue_id}: from=<%{DATA:postfix_from}>, firstto=<%{DATA:postfix_firstto}>, nrcpt=%{DATA:postfix_nrcpt}, size=%{DATA:postfix_msg_size}, score=%{DATA:score}, state=%{DATA:state:int}, status=%{DATA:status:tag}, level=%{DATA:level}, actions=%{DATA:actions}, subject="%{DATA:subject}", cause="%{DATA:cause}""]
## Name of the outputted measurement name.
measurement = “test”
…
custom_patterns = ‘’‘
POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{15,})
MILTER_PROCESSID ([0-9]{5,})
’’’

I’ve tried several custom timestamp like :
%{SYSLOGTIMESTAMP:timestamp:ts-“Sep 25 09:01:55 2017”}
%{SYSLOGTIMESTAMP:timestamp:ts-“Sep 25 09:01:55”}

daniel · October 19, 2017, 9:06pm

The first problem I notice is that you need to use the exact magic “reference time”: Mon Jan 2 15:04:05 MST 2006 when using a custom timestamp string:
%{SYSLOGTIMESTAMP:timestamp:ts-“Jan 02 15:04:05”

I tried this and ran into another problem, since there is no year in this pattern the timestamp is set to year 0. The Go standard library puts it like this:

Elements omitted from the value are assumed to be zero or, when zero is impossible, one, so parsing “3:04pm” returns the time corresponding to Jan 1, year 0, 15:04:00 UTC (note that because the year is 0, this time is before the zero Time). Years must be in the range 0000…9999. The day of the week is checked for syntax but it is otherwise ignored.

Perhaps we could have Telegraf fill in the current year if it is not set, or add a way to manually specify missing parts like we have for timezone. Could you open a new issue about this?

Wolfyxzvf · October 23, 2017, 9:43pm

@daniel finally made it :

github.com/influxdata/telegraf

Logparser : Epoch convertion impossible with SYSLOGTIMESTAMP Grok pattern

opened 09:42PM - 23 Oct 17 UTC

closed 11:37PM - 23 May 18 UTC

wolfyzvf

feature request area/tail

## Bug report ### Relevant telegraf.conf: [[inputs.logparser]] files = ["…/root/samples/*mail.log"] from_beginning = true [inputs.logparser.grok] patterns = ["%{SYSLOGTIMESTAMP:timestamp:ts-“Mon Jan 2 15:04:05”} %{SYSLOGHOST:hostname} mta-in/milter\[%{MILTER_PROCESSID}\]: %{POSTFIX_QUEUEID:postfix_queue_id}: from=<%{DATA:postfix_from}>, firstto=<%{DATA:postfix_firstto}>, nrcpt=%{DATA:postfix_nrcpt}, size=%{DATA:postfix_msg_size}, score=%{DATA:score}, state=%{DATA:state:int}, status=%{DATA:status:tag}, level=%{DATA:level}, actions=%{DATA:actions}, subject="%{DATA:subject}", cause="%{DATA:cause}""] ## Name of the outputted measurement name. measurement = “test” … custom_patterns = ‘’‘ POSTFIX_QUEUEID ([0-9A-F]{6,}|[0-9a-zA-Z]{15,}) MILTER_PROCESSID ([0-9]{5,}) ’’’ ### System info: - Telegraf v1.4.2 (git: release-1.4 0cc5fc0ce40b09467012fffddcea6985b2763a97) - InfluxDB 1.3.6-1 - Docker official image ### Steps to reproduce: 1. Deploy Telegraf using docker with the 2. Inject an existing log in SYSLOGTIMESTAMP format For ex. Sep 25 08:27:29 mailhost postfix/cleanup[17659]: ABFF15C.. 3. The time is not correctly calculated. ### Expected behavior: The syslog_timestamp should be converted into time in Influxdb ### Actual behavior: As the year is missing, As Telegraf can't find the year he set it to 0 which generate a wrong time in influxdb ### Additional info: [Include gist of relevant config, logs, etc.] ## Feature Request Opening a feature request kicks off a discussion. ### Proposal: Like the timezone option we should be able to set manually the year. Assuming automatically the year could cause some trouble when we change of it. if a person has more than 2-3 years of logs to inject into influxdb he should pass this option in each logparser. ### Current behavior: Telegraf assume automatically 0 has year if it's not provided ### Desired behavior: By setting manually the date, Telegraf will be able to build the correct time in influxdb. ### Use case: [Why is this important (helps with prioritizing requests)] This is a standard output for the syslog, this pattern should be recognize per default as many solution use it. ### Forum Discussion https://community.influxdata.com/t/custom-timestamp-for-syslogtimestamp-and-telegraf/2798/

Topic		Replies	Views
Parse a custom log using telegraf logparser input Telegraf telegraf	6	13119	February 18, 2022
Modify timestamp parsed from logfile Telegraf telegraf	2	436	April 25, 2020
Grok-parsing application logs and outputting to a syslog measurement loses timestamp Telegraf	0	426	April 30, 2020
Configure timezone grok parser telegraf	0	435	April 16, 2020
Telegraf file-input custom grok pattern timestamp and line breaks Telegraf telegraf , grok	8	2029	October 29, 2021

Custom TimeStamp for SYSLOGTIMESTAMP and Telegraf

Stream and parse log file(s).

Related Topics