Page MenuHomePhabricator
Create Task
Maniphest T217032

Logstash syslog input grok parse failure on some network devices lines
Closed, ResolvedPublic
Actions

Description

While investigating T213899: Migrate at least 3 existing Logstash inputs and associated producers to the new Kafka-logging pipeline, and remove the associated non-Kafka Logstash inputs I ran into some syslog lines that had a _grokparsefailure_sysloginput tag, e.g.:

{
  "_index": "logstash-syslog-2019.02.25",
  "_type": "syslog",
  "_id": "AWkk2uwsZ9NltGfJqQ1p",
  "_version": 1,
  "_score": null,
  "_source": {
    "severity": 0,
    "level": "EMERGENCY",
    "message": "<158>Feb 25 13:32:00 /usr/sbin/cron[86116]: (root) CMD (newsyslog)",
    "type": "syslog",
    "priority": 0,
    "normalized_message": "<158>Feb 25 13:32:00 /usr/sbin/cron[86116]: (root) CMD (newsyslog)",
    "tags": [
      "input-syslog-10514",
      "_grokparsefailure_sysloginput",
      "syslog",
      "es",
      "normalized_message_untrimmed"
    ],
    "@timestamp": "2019-02-25T13:32:00.716Z",
    "@version": "1",
    "host": "%{logsource}",
    "facility": 0,
    "severity_label": "Emergency",
    "facility_label": "kernel"
  },
  "fields": {
    "@timestamp": [
      1551101520716
    ]
  },
  "sort": [
    1551101520716
  ]
}

And on the wire I think these messages look something like this:

<158>Feb 25 13:45:00 asw2-a5-eqiad /usr/sbin/cron[12760]: %-: (root) CMD (newsyslog)

Details

SubjectRepoBranchLines +/-
profile: remove deprecated syslog inputoperations/puppetproduction+3 -79
hiera: prepare logstash-syslog lvs service for removaloperations/puppetproduction+2 -2
hiera: prepare logstash syslog lvs config for removaloperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

fgiunchedi created this task.Feb 25 2019, 1:51 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 25 2019, 1:51 PM
fgiunchedi added a project: observability.Aug 19 2019, 2:26 PM
fgiunchedi moved this task from Inbox to Backlog on the observability board.Jul 20 2020, 1:14 PM
colewhite subscribed.Feb 5 2021, 9:42 PM

As of the last 90 days, something does periodically try to send malformed input to the deprecated syslog input, but there does not appear to be any valid traffic being handled by this input. It seems safe to remove.

query: tags:input-syslog-10514 AND NOT tags:_grokparsefailure_sysloginput

gerritbot added a comment.Feb 5 2021, 9:48 PM

Change 662009 had a related patch set uploaded (by Cwhite; owner: Cwhite):
[operations/puppet@production] profile: remove deprecated syslog input

https://gerrit.wikimedia.org/r/662009

gerritbot added a project: Patch-For-Review.Feb 5 2021, 9:48 PM
colewhite added a subtask: T199785: Some logstash syslog entries fail to parse.Feb 6 2021, 12:08 AM
colewhite closed subtask T199785: Some logstash syslog entries fail to parse as Invalid.
gerritbot added a comment.Feb 10 2021, 3:00 PM

Change 663214 had a related patch set uploaded (by Cwhite; owner: Cwhite):
[operations/puppet@production] hiera: prepare logstash syslog lvs config for removal

https://gerrit.wikimedia.org/r/663214

gerritbot added a comment.Feb 10 2021, 4:46 PM

Change 663214 merged by Cwhite:
[operations/puppet@production] hiera: prepare logstash syslog lvs config for removal

https://gerrit.wikimedia.org/r/663214

gerritbot added a comment.Feb 10 2021, 4:56 PM

Change 663242 had a related patch set uploaded (by Cwhite; owner: Cwhite):
[operations/puppet@production] hiera: prepare logstash-syslog lvs service for removal

https://gerrit.wikimedia.org/r/663242

gerritbot added a comment.Feb 10 2021, 5:08 PM

Change 663242 merged by Cwhite:
[operations/puppet@production] hiera: prepare logstash-syslog lvs service for removal

https://gerrit.wikimedia.org/r/663242

colewhite claimed this task.Feb 10 2021, 5:34 PM
colewhite moved this task from Backlog to In progress on the observability board.
gerritbot added a comment.Feb 16 2021, 8:31 PM

Change 662009 merged by Cwhite:
[operations/puppet@production] profile: remove deprecated syslog input

https://gerrit.wikimedia.org/r/662009

colewhite closed this task as Resolved.Feb 16 2021, 8:50 PM

logstash-syslog removed from production

Maintenance_bot removed a project: Patch-For-Review.Feb 16 2021, 9:21 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits