Syslog / dell idrac format

Hi there,

I’m looking at using fluentd to ingest syslog entries from my idracs but I’m running into some issues trying to parse the format of the log entries the dracs are pushing.

Using the following config -

<source>
  @type syslog
  port 42186
  tag idrac
  source_hostname_key source
  time_format "%Y-%m-%dT%H:%M:%S%z"

  message_format rfc5424
</source>

I’m getting an error -

2021-05-13 13:19:47 +0100 [warn]: #0 failed to parse message data="<174>Severity: Informational, Category: Audit, MessageID: USR0032, Message: The session for root from xxx.xxx.xxx.xxx using GUI is logged off."

Do I understand correctly that this isn’t a standard log format and that I need to parse this myself?

Only issue I have here is that the log entries from the drac differ each time. I can’t guarantee that, for example, I’ll always have the same fields each time.

For example

2021-05-13 13:00:05 +0100 [warn]: #0 failed to parse message data="<182>os[20173]: 2021 RAC:root login  from xxx.xxx.xxx.xxx"

What is the recommended course of action here?

I tried to do this in order to just grab the whole syslog entry as ‘message’ to get it ingested, but I just got the same ‘failed to parse message data’ message.

expression /^\<(?<pri>[0-9]{1,3})\>(?<message>.*)$/

Thanks.

Do I understand correctly that this isn’t a standard log format and that I need to parse this myself?

Yes, Fluentd’s @type syslog assumes an RFC 3164 or RFC 5424 compliant log format, but it doesn’t match either of them.

See syslog - Fluentd for an actual example.

It can be better to use GitHub - repeatedly/fluent-plugin-multi-format-parser: Multi format parser for Fluentd with multiple regex patterns.

Thanks for your reply!

In the end I went for something like this -

<source>
  @type syslog
  port 42186
  tag idrac
  format none
  source_address_key source_address
  source_hostname_key source_hostname
</source>

Which at least gets my logs injected into the db. Going to try some text extractions to pick out values that sometimes appear and see how it goes from there.
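As an illustration of the multiple-pattern approach suggested in the reply above, and of the "text extractions" the final config leaves for later, here is an added example in plain Ruby (not Fluentd's or the plugin's own code) that tries several regexes in order against the two iDRAC lines quoted in the question and decodes the syslog PRI into facility and severity, so audit events such as logins can be routed by severity later. The field names, the catch-all fallback and the sample lines are my own assumptions, not taken from the plugin.

```ruby
# Added example: try regex patterns in order, first match wins, the way a
# multi-format parser does. Plain Ruby, not Fluentd or plugin code.

# RFC 3164/5424: pri = facility * 8 + severity
SEVERITIES = %w[emerg alert crit err warning notice info debug].freeze

# Patterns in order of specificity; names are my own choice (assumption).
PATTERNS = [
  # "<174>Severity: Informational, Category: Audit, MessageID: USR0032, Message: ..."
  /\A<(?<pri>\d{1,3})>Severity: (?<severity>[^,]+), Category: (?<category>[^,]+), MessageID: (?<message_id>[^,]+), Message: (?<message>.*)\z/,
  # "<182>os[20173]: 2021 RAC:root login  from xxx.xxx.xxx.xxx"
  /\A<(?<pri>\d{1,3})>(?<ident>[^\[]+)\[(?<pid>\d+)\]: (?<message>.*)\z/,
  # Fallback: keep the whole payload, like the catch-all expression tried in
  # the question, but anchored with \A and \z.
  /\A<(?<pri>\d{1,3})>(?<message>.*)\z/m,
].freeze

# Returns a Hash of extracted fields, or nil when the line has no <pri> prefix.
def parse_idrac(line)
  PATTERNS.each_with_index do |re, idx|
    m = re.match(line) or next
    rec = m.names.each_with_object({}) { |n, h| h[n] = m[n] }
    pri = Integer(rec.delete('pri'))
    rec['facility'] = pri / 8            # 174 -> 21 (local5), 182 -> 22 (local6)
    rec['severity_code'] = pri % 8       # 6 for both quoted lines
    rec['severity_name'] = SEVERITIES[pri % 8]
    rec['pattern'] = idx                 # which regex matched, useful when tuning
    return rec
  end
  nil
end

# Constructed sample input: the two payloads from the warnings quoted in the
# thread, plus one line in neither layout to exercise the fallback.
SAMPLES = [
  '<174>Severity: Informational, Category: Audit, MessageID: USR0032, Message: The session for root from xxx.xxx.xxx.xxx using GUI is logged off.',
  '<182>os[20173]: 2021 RAC:root login  from xxx.xxx.xxx.xxx',
  '<13>something else entirely',
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| p parse_idrac(s) }
end
```

Both quoted lines decode to severity 6 (info), which agrees with the "Severity: Informational" text inside the first message; a mismatch between the PRI and the body is worth flagging when you start building alerts on these records.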