
Haproxy syslog message facility bad parsing #13

Open
jordansissel opened this issue May 18, 2015 · 1 comment

Comments

@jordansissel (Contributor)

(This issue was originally filed by @marianschmotzer at elastic/logstash#2802)


Hi,
After connecting haproxy to logstash with UDP syslog message shipping, all messages have facility 1, regardless of what I put into the haproxy configuration. Obviously the syslog plugin isn't parsing messages correctly, because the message after it leaves logstash looks like this:
"<168>Mar 10 10:02:57 haproxy[2329]: backend 01-sc-backend has no server available!"
Please notice the priority field is not being parsed: it is <168>, which is 168/8 = 21, and facility 21 equals the local5 facility level (as I have it in the haproxy setup, please see below).
Logstash version: 1.4.2

Haproxy config (only relevant part):
global
    group haproxy
    log syslog:1514 len 1024 local7
    log /var/lib/haproxy/dev/log local5
    log-tag haproxy
    maxconn 8000
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048
    user haproxy
defaults
    log global
    option redispatch
    retries 3
    stats enable

Logstash config:
input {
  syslog {
    port => '1514'
  }
}
output {
  if [facility] < 16 {
    elasticsearch_http {
      host => 'localhost'
      index => "syslog-%{+YYYY.MM.dd}"
      template_name => "logstash_denza"
      template => "/etc/logstash/logstash_template.json"
      manage_template => true
    }
  }
}

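The parsing step the report describes, as an added example in Ruby (not the logstash-input-syslog plugin's own code): it splits the RFC 3164 <PRI> header of the quoted haproxy line into facility and severity, and applies the RFC's fallback of priority 13 (facility 1, user.notice) when no valid header is found, which is the same facility the report says every event ends up with. Facility and severity names follow the RFC 5424 tables; the function and constant names are my own.

```ruby
# Added example (not logstash-input-syslog's own code): parse the RFC 3164
# PRI header "<N>" and split it into facility and severity, the step the
# issue reports as failing for haproxy messages.

FACILITY_NAMES = %w[kernel user mail daemon auth syslog lpr news uucp cron
                    authpriv ftp ntp security console solaris-cron
                    local0 local1 local2 local3 local4 local5 local6 local7].freeze
SEVERITY_NAMES = %w[emergency alert critical error warning notice
                    informational debug].freeze

# Matches "<PRI>" only when it is the first thing on the line and PRI is
# 1-3 digits with no leading zeros (RFC 3164 section 4.1.1); the numeric
# upper bound (191) is checked below.
PRI_RE = /\A<(?<pri>0|[1-9]\d{0,2})>(?<rest>.*)\z/m

# Returns a hash with :priority, :facility, :severity, their labels and the
# message body. When no valid PRI is present, RFC 3164 says to assume 13
# (user.notice), which is facility 1: exactly the facility the reporter sees
# on every event, so an unparsed header is the first thing to suspect.
def parse_syslog_pri(line)
  m = PRI_RE.match(line)
  if m && (pri = m[:pri].to_i) <= 191
    message = m[:rest]
  else
    pri = 13
    message = line
  end
  facility = pri >> 3   # PRI = facility * 8 + severity
  severity = pri & 7
  {
    priority: pri,
    facility: facility,
    facility_label: FACILITY_NAMES[facility],
    severity: severity,
    severity_label: SEVERITY_NAMES[severity],
    message: message,
  }
end

# Constructed sample, taken from the issue's own quoted output.
SAMPLE = "<168>Mar 10 10:02:57 haproxy[2329]: backend 01-sc-backend has no server available!"

if __FILE__ == $0
  p parse_syslog_pri(SAMPLE)                 # facility 21 / local5, severity 0
  p parse_syslog_pri("no pri header here")   # falls back to 13: facility 1
end
```

Run against the quoted line it yields facility 21 (local5); an event that still carries the literal "<168>" in its message, as in the report, means this split never happened.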
@marianschmotzer

Hi, I was looking at this a bit. Maybe it is enough to alter the grok parsing pattern in the syslog module. What do you think?
