Hi,

first of all I would like to say thanks for providing us with this awesome 
piece of software. 

I have a problem with sending Windows logs to graylog. We switched to 
logstash (previously we were sending them directly to graylog2) and now we 
cannot set the level. All the levels for the messages default to Info[6]. I 
explicitly replace the variable in the logstash conf file. With debug mode on I 
can see that logstash replaces the level variable, but in graylog it is still 
info[6].

*This is the conf part for the windows hosts* 
    grok {
      type => "windows"
      tags => "windows"
      # Split the line into timestamp parts, host, level, event ID and message text
      pattern => [ "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{HOUR:hour}:%{MINUTE:min}:%{SECOND:sec} %{HOST:source} %{DATA:level} %{DATA:EventID} %{GREEDYDATA:message}" ]
    }
    mutate {
      type => "windows"
      tags => "windows"
      # Copy the parsed fields into the event's @-fields
      replace => [ "@message", "%{message}" ]
      replace => [ "@source_host", "%{source}" ]
      replace => [ "@source", "%{source}" ]
      replace => [ "@timestamp", "%{year}-%{month}-%{day}T%{hour}:%{min}:%{sec}" ]
      replace => [ "@level", "%{level}" ]
    }

And with this in graylog2 I get the following:

http://screencloud.net/v/aPRv

*Debug json from logstash is:*

{:timestamp=>"2014-05-20T12:11:32.989000+0000", :message=>["Skipping event 
because type doesn't match syslog", #<LogStash::Event:0x9ceecba 
@cancelled=false, @data={"@source"=>"somehostname", "@tags"=>["windows"], 
"@fields"=>{"year"=>["2014"], "month"=>["05"], "day"=>["20"], 
"hour"=>["12"], "min"=>["11"], "sec"=>["32"], "source"=>["somehostname"], 
"level"=>["ERROR"], "EventID"=>["3000"], "message"=>["was"]}, 
"@timestamp"=>"2014-05-20T12:11:32", "@source_host"=>"somehostname", 
"@source_path"=>"/", "@message"=>"was", "@type"=>"windows", 
"@level"=>"ERROR"}>], :level=>:debug, 
:file=>"/usr/local/logstash/bin/logstash-1.1.13-flatjar.jar!/logstash/logging.rb", 
:line=>"35", :method=>"debug"}

Thanks and cheers,
Nikola.
