Add field to the message in logstash

stecino · May 6, 2016, 10:36pm

Hello,

I have the following config:

input {
udp {
host => "0.0.0.0"
port => 5544
type => "f5-logs"

udp {
host => "0.0.0.0"
port => 514
type => "firewall-logs"
}

I want to be able to add firewall IP that sends the messages to message body

Here is the json

{
"message" => "<188>May 06 2016 15:34:30: %ASA-4-106023: Deny tcp src Outside:xxxxxxxx/20126 dst DMZ:xxxxxxxx.183/80 by access-group "110" [0xe28ed867, 0xad5a89d]\n",
"@version" => "1",
"@timestamp" => "2016-05-06T22:34:30.894Z",
"type" => "firewall-logs",
"host" => "10.1.x.x"
}

How should filter look like

warkolm · May 7, 2016, 7:07am

If that IP is not in the original message, there's no way to add it. The UDP input doesn't track that sort of thing.

stecino · May 9, 2016, 9:32pm

in my output section, i append the host in the beginning of the message to add to kafka

      codec => plain {
        format => "%{host}%{message}"
        charset => "CP1252"
      }

So then I updated my grok filter to properly address it, when reading from kafka input. It's working for me

Topic		Replies	Views
No host field when using Kafka input plugin Logstash	6	605	September 12, 2018
How to add aggrigate map field to the original message as a additional field Logstash	5	338	May 13, 2020
Logstash filter for firewall packet drops Logstash	3	584	January 5, 2021
Having Issues With JSON Input Logstash	5	366	June 11, 2020
Problem when adding fields to logstash Logstash	6	334	January 2, 2021

Add field to the message in logstash

Related Topics