Add field to the message in logstash

stecino · May 6, 2016, 10:36pm

Hello,

I have the following config:

input {
udp {
host => "0.0.0.0"
port => 5544
type => "f5-logs"

udp {
host => "0.0.0.0"
port => 514
type => "firewall-logs"
}

I want to be able to add firewall IP that sends the messages to message body

Here is the json

{
"message" => "<188>May 06 2016 15:34:30: %ASA-4-106023: Deny tcp src Outside:xxxxxxxx/20126 dst DMZ:xxxxxxxx.183/80 by access-group "110" [0xe28ed867, 0xad5a89d]\n",
"@version" => "1",
"@timestamp" => "2016-05-06T22:34:30.894Z",
"type" => "firewall-logs",
"host" => "10.1.x.x"
}

How should filter look like

warkolm · May 7, 2016, 7:07am

If that IP is not in the original message, there's no way to add it. The UDP input doesn't track that sort of thing.

stecino · May 9, 2016, 9:32pm

in my output section, i append the host in the beginning of the message to add to kafka

      codec => plain {
        format => "%{host}%{message}"
        charset => "CP1252"
      }

So then I updated my grok filter to properly address it, when reading from kafka input. It's working for me

Topic		Replies	Views
No host field when using Kafka input plugin Logstash	6	605	September 12, 2018
Troubling with add_field in filter. Please advice Logstash	2	959	July 6, 2017
How to add aggrigate map field to the original message as a additional field Logstash	5	338	May 13, 2020
Not able to create separate fields all log data in message field Logstash	3	284	July 29, 2019
Logstash - Add fields from the log fields property - Grok Logstash	3	2516	January 31, 2017

Add field to the message in logstash

Related topics