
Ship IOS Syslog to Observium with Logstash

To send syslog messages to Observium with Logstash, you can do it as described in this article (it's not perfect, but it works).

The first thing you have to do is to define an IOS filter in Logstash.

This is what it looks like:

filter {

   ### IOS Grok
   ### Splits a raw IOS syslog line into the fields used by the output below.
   ### The <pri> prefix is captured as syslog_pri; the syslog_facility,
   ### syslog_severity_code and syslog_severity fields referenced later are
   ### assumed to be populated by Logstash's syslog input (PRI decoding).
   grok {
       type => "syslog"
       pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:cisco_dummyvalue}: %{DATA:cisco_timestamp}: \%%{DATA:cisco_eventcode}: %{GREEDYDATA:syslog_message}" ]
       # both fields in one add_field; a second add_field key would override the first
       add_field => [ "received_at", "%{@timestamp}", "received_from", "%{@source_host}" ]
   }

}

Add the following output to logstash:

output {

   pipe {
     command  => "/usr/bin/php /opt/observium/syslog.php"
     # Field order must match the explode("||", ...) in syslog.php:
     # host||facility||priority||level||tag||timestamp||msg||program
     # tag (00) and program (cisco) are hardcoded; %% yields a literal '%' before the event code.
     message_format => "%{@source_host}||%{syslog_facility}||%{syslog_severity_code}||%{syslog_severity}||00||%{@timestamp}||%{cisco_dummyvalue}: %{cisco_timestamp}: %%{cisco_eventcode}: %{@message}||cisco"
   }

}

As I did not find a way to convert the @timestamp field of Logstash to the needed format, one additional line is needed in syslog.php:

--- syslog.php.orig     2012-12-21 11:28:41.741696532 +0100
+++ syslog.php  2012-12-29 11:58:59.790246786 +0100
@@ -28,6 +28,8 @@
  {
    #logfile($line);
    list($entry['host'],$entry['facility'],$entry['priority'], $entry['level'], $entry['tag'], $entry['timestamp'], $entry['msg'], $entry['program']) = explode("||", trim($line));
+   ## reformat timestamp
+   $entry['timestamp'] = date("Y-m-d H:i:s",strtotime($entry['timestamp']));
    process_syslog($entry, 1);
    unset($entry); unset($line);
    $i++;
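Review bot: the added `strtotime()` call on the `+` line has no guard; on a timestamp it cannot parse it returns `false`, and `date("Y-m-d H:i:s", false)` then silently stores 1970-01-01 00:00:00 instead of failing. Suggest checking the result first, e.g. `$ts = strtotime($entry['timestamp']); if ($ts !== false) { $entry['timestamp'] = date("Y-m-d H:i:s", $ts); }`, and otherwise keeping the original value (the commented-out `logfile($line)` just above would be a natural place to record such lines). Also note that `date()` renders in PHP's default timezone while Logstash's `@timestamp` is UTC, so the stored time shifts by the local offset unless the PHP timezone matches what Observium expects.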

I was also not able to find values for the TAG and PROGRAM fields in the message_format, so I hardcoded them as 00 and cisco.
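The following Python script is an added example, not code from the article or from Observium or Logstash. It reproduces the whole pipeline above outside Logstash so the pieces can be checked offline: a regex approximating the grok pattern (POSINT, SYSLOGTIMESTAMP, SYSLOGHOST, DATA and GREEDYDATA are simplified equivalents, and the facility/severity labels are assumed), the PRI decoding that yields syslog_facility and syslog_severity, the `||`-delimited record in the order syslog.php's `explode()` expects, and the `@timestamp` reformat from the patch. Unlike the `date(strtotime())` line, the reformat returns `None` on unparsable input rather than an epoch date, and the record builder neutralises a `||` inside the device message, since explode() would otherwise shift every later field. The sample line is constructed, and the msg field uses the grok'd syslog_message rather than the raw `@message` the article's format passes through.

```python
import re
from datetime import datetime

# Approximate Python equivalents of the grok patterns used in the Logstash filter.
IOS_LINE = re.compile(
    r"^<(?P<syslog_pri>[1-9][0-9]*)>"                                    # POSINT
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "   # SYSLOGTIMESTAMP
    r"(?P<syslog_hostname>[\w.-]+) "                                     # SYSLOGHOST
    r"(?P<cisco_dummyvalue>.*?): "                                       # DATA
    r"(?P<cisco_timestamp>.*?): "                                        # DATA
    r"%(?P<cisco_eventcode>.*?): "                                       # literal % then DATA
    r"(?P<syslog_message>.*)$"                                           # GREEDYDATA
)

# Assumed label sets for PRI decoding (Logstash's own label strings may differ).
FACILITIES = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "security", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

DELIM = "||"

# Constructed sample IOS line (not from a real device).
SAMPLE_LINE = ("<189>Dec 29 11:58:59 router1 1234: Dec 29 11:58:58.123: "
               "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down")


def parse_ios_line(line):
    """Return the fields the grok filter would produce, plus the facility and
    severity fields that Logstash's syslog input derives from the PRI value."""
    m = IOS_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["syslog_pri"])
    facility, severity = pri >> 3, pri & 7
    fields["syslog_facility"] = FACILITIES[facility] if facility < len(FACILITIES) else str(facility)
    fields["syslog_severity_code"] = severity
    fields["syslog_severity"] = SEVERITIES[severity]
    return fields


def reformat_timestamp(iso_ts):
    """Convert Logstash's ISO8601 @timestamp (UTC, e.g. 2012-12-29T10:58:59.790Z)
    to the 'Y-m-d H:i:s' form the patched syslog.php builds. Unparsable input
    yields None instead of the 1970-01-01 value date(..., false) would produce."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(iso_ts, fmt).strftime("%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
    return None


def build_record(fields, source_host, timestamp):
    """Assemble the delimited line the pipe output writes, in the exact order
    syslog.php's explode() expects:
    host||facility||priority||level||tag||timestamp||msg||program."""
    msg = "%s: %s: %%%s: %s" % (fields["cisco_dummyvalue"], fields["cisco_timestamp"],
                                fields["cisco_eventcode"], fields["syslog_message"])
    # Added safeguard: a delimiter inside the device message would shift every
    # later field in explode(), so break it up before joining.
    msg = msg.replace(DELIM, "| |")
    parts = [source_host, fields["syslog_facility"], str(fields["syslog_severity_code"]),
             fields["syslog_severity"], "00", timestamp, msg, "cisco"]
    return DELIM.join(parts)


if __name__ == "__main__":
    f = parse_ios_line(SAMPLE_LINE)
    ts = reformat_timestamp("2012-12-29T10:58:59.790Z")
    print(build_record(f, f["syslog_hostname"], ts))
```

Running the script prints the record exactly as syslog.php would receive it on stdin; splitting that output on `||` must always give eight parts, which is the invariant the hardcoded tag and program fields are there to preserve.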
