class LogStash::Filters::Syslog_pri

Filter plugin for logstash to parse the PRI field from the front of a Syslog (RFC3164) message. If no priority is set, it will default to 13 (per RFC).

This filter is based on the original syslog.rb code shipped with logstash.

Public Instance Methods

filter(event)
# File lib/logstash/filters/syslog_pri.rb, line 69
def filter(event)
  # Entry point for one event. Events rejected by filter?(event) are left
  # untouched and nil is returned. filter? and filter_matched are defined
  # outside this listing -- presumably by the plugin base class; confirm.
  if filter?(event)
    # Decode the PRI value into facility/severity fields first, then hand
    # the event to filter_matched, whose result becomes the return value.
    parse_pri(event)
    filter_matched(event)
  end
end
register()
# File lib/logstash/filters/syslog_pri.rb, line 64
# Intentionally a no-op: this filter performs no setup work here and the
# method returns nil.
def register; end

Private Instance Methods

parse_pri(event)
# File lib/logstash/filters/syslog_pri.rb, line 76
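def parse_pri(event)
  # Decode the syslog PRI value held in event[@syslog_pri_field_name] into
  # "syslog_severity_code" and "syslog_facility_code", and, when @use_labels
  # is set, into the human-readable "syslog_severity" / "syslog_facility".
  #
  # Per RFC3164, priority = (facility * 8) + severity
  #                       = (facility << 3) | severity
  #
  # The PRI value is supplied by whoever sent the message, so it is treated
  # as untrusted input. Only an Integer, or a string of one to three ASCII
  # digits, in the range 0..191 (facilities 0-23, severities 0-7) is
  # accepted. Anything else -- a missing field, an empty array, non-numeric
  # text, a negative or oversized number -- falls back to the default of 13.
  # A plain String#to_i would turn unparsable text into 0, i.e. facility 0 /
  # severity 0, which makes malformed input look like the most urgent class
  # of message to anything alerting on these fields.
  raw = event[@syslog_pri_field_name]
  raw = raw.first if raw.is_a?(Array) # multi-valued field: use the first value

  candidate = nil
  if raw.is_a?(Integer)
    candidate = raw
  else
    text = raw.to_s.strip
    candidate = text.to_i if text =~ /\A\d{1,3}\z/
  end

  priority = candidate && candidate.between?(0, 191) ? candidate : 13 # 13 = default

  severity = priority & 7  # low 3 bits
  facility = priority >> 3 # remaining high bits
  event["syslog_severity_code"] = severity
  event["syslog_facility_code"] = facility

  # Add human-readable names after parsing severity and facility from PRI.
  return unless @use_labels

  # The range check above keeps both codes non-negative. If the label tables
  # are Arrays (not visible in this listing -- confirm), a negative index
  # would otherwise wrap around and select a label from the end of the table.
  facility_label = @facility_labels[facility]
  event["syslog_facility"] = facility_label if facility_label

  severity_label = @severity_labels[severity]
  event["syslog_severity"] = severity_label if severity_label
end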