diff --git a/lib/logstash/inputs/syslog.rb b/lib/logstash/inputs/syslog.rb
index dddf08b7f..6491f6892 100644
--- a/lib/logstash/inputs/syslog.rb
+++ b/lib/logstash/inputs/syslog.rb
@@ -56,6 +56,7 @@ class LogStash::Inputs::Syslog < LogStash::Inputs::Base
     @grok_filter = LogStash::Filters::Grok.new(
       "overwrite" => "message",
       "match" => { "message" => "<%{POSINT:priority}>%{SYSLOGLINE}" },
+      "tag_on_failure" => ["_grokparsefailure_sysloginputplugin"],
     )
 
     @date_filter = LogStash::Filters::Date.new(
diff --git a/spec/inputs/syslog.rb b/spec/inputs/syslog.rb
index 37fa3efcf..58275bd0e 100644
--- a/spec/inputs/syslog.rb
+++ b/spec/inputs/syslog.rb
@@ -29,6 +29,8 @@ describe "inputs/syslog", :socket => true do
       socket.close
 
       events = event_count.times.collect { queue.pop }
+
+      insist { events.length } == event_count
       event_count.times do |i|
         insist { events[i]["priority"] } == 164
         insist { events[i]["severity"] } == 4
@@ -36,5 +38,36 @@ describe "inputs/syslog", :socket => true do
       end
     end
   end
-end
 
+  describe "adds unique tag when grok parsing fails" do
+    port = 5511
+    event_count = 10
+
+    config <<-CONFIG
+      input {
+        syslog {
+          type => "blah"
+          port => #{port}
+        }
+      }
+    CONFIG
+
+    input do |pipeline, queue|
+      Thread.new { pipeline.run }
+      sleep 0.1 while !pipeline.ready?
+
+      socket = Stud.try(5.times) { TCPSocket.new("127.0.0.1", port) }
+      event_count.times do |i|
+        socket.puts("message which causes the a grok parse failure")
+      end
+      socket.close
+
+      events = event_count.times.collect { queue.pop }
+
+      insist { events.length } == event_count
+      event_count.times do |i|
+        insist { events[i]["tags"] } == ["_grokparsefailure_sysloginputplugin"]
+      end
+    end
+  end
+end