regex - logstash parse log field

Question

I am trying to parse the @message field from a Postfix log and extract it into multiple fields.

Message:

<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<[email protected]>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)

LogStash Output:

{
  "@source": "syslog://192.244.100.42/",
  "@tags": [
    "_grokparsefailure"
  ],
  "@fields": {
    "priority": 13,
    "severity": 5,
    "facility": 1,
    "facility_label": "user-level",
    "severity_label": "Notice"
  },
  "@timestamp": "2013-09-17T17:12:06.958Z",
  "@source_host": "192.244.100.42",
  "@source_path": "/",
  "@message": "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<[email protected]>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)",
  "@type": "syslog"
}

I've tried to use the grok parser but the data remains in the @message field. I want to use syslog parser with regular expressions.

What steps do I follow to parse the @message field?

Answer 1

The fact that you have a _grokparsefailure in your output indicates a problem parsing you logs. WHat is the grok filter you're using in your config?