logstash filter

Here's the filter itself. You'll note one difference between it and standalone: the field 'tz'. This is because that field is added in along with 'type' with the logstash-fowarder config:

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
#      add_field => [ "tz", "EST"]
    }
    syslog_pri { }
    ruby {
      code => "require 'date'; event['fred'] = event['syslog_timestamp'].class;  stz = event['tz']; dtz = stz; dtz[1] = 'D'; tz = Time.new.dst? ? stz: dtz; new_time  = event['syslog_timestamp'] + tz; event['syslog_timestamp'] = DateTime.parse(new_time).to_time.strftime('%b %d %H:%M:%S %z')"
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss Z", "MMM dd HH:mm:ss Z" ]
    }
  }
}

And the error message from the log:

{:timestamp=>"2015-07-29T15:01:43.024000-0500", :message=>"Failed parsing date from field", :field=>"syslog_timestamp", :value=>"Jul 29 15:00:01 -0500", :exception=>"Invalid format: \"Jul 29 15:00:01 -0500\" is malformed at \" -0500\"", :config_parsers=>"MMM  d HH:mm:ss,MMM dd HH:mm:ss", :config_locale=>"default=en_US", :level=>:warn}

Here it is as a standalone:

input {
  stdin { }
}

filter {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_field => [ "tz", "EST"]
    }
    syslog_pri { }
    ruby {
      code => "require 'date'; event['fred'] = event['syslog_timestamp'].class;  stz = event['tz']; dtz = stz; dtz[1] = 'D'; tz = Time.new.dst? ? stz: dtz; new_time  = event['syslog_timestamp'] + tz; event['syslog_timestamp'] = DateTime.parse(new_time).to_time.strftime('%b %d %H:%M:%S %z')"
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss Z", "MMM dd HH:mm:ss Z" ]
    }
}

output {
  stdout { codec => rubydebug }
}

And the result from running it standalone:

Logstash startup completed
Jul 29 13:36:01 daylin-ftp01 systemd: Starting Session 33866 of user root.
{
                 "message" => "Jul 29 13:36:01 daylin-ftp01 systemd: Starting Session 33866 of user root.",
                "@version" => "1",
              "@timestamp" => "2015-07-29T17:36:01.000Z",
                    "host" => "bunyan",
        "syslog_timestamp" => "Jul 29 12:36:01 -0500",
         "syslog_hostname" => "daylin-ftp01",
          "syslog_program" => "systemd",
          "syslog_message" => "Starting Session 33866 of user root.",
             "received_at" => "2015-07-29T17:42:58.174Z",
           "received_from" => "bunyan",
                      "tz" => "EDT",
    "syslog_severity_code" => 5,
    "syslog_facility_code" => 1,
         "syslog_facility" => "user-level",
         "syslog_severity" => "notice",
                    "fred" => String < Object
}

ps -efww | grep logstash
logstash 15407     1  3 15:01 ?        00:00:47 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xmx500m -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib/logstash -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstas/logstash.log