Add host name field

hi

I'm shipping sflow data to Logz.io using Logstash.
Due to a multi-site architecture, I'm trying to add a hostname (agent hostname) field to the data that is
sent from my Logstash, but with no success. I've tried to add it to different segments and I've tried to add a tag as well.
Does anyone have any suggestions?

thanks

Attached are my config and the message layout from Logz.io:

```
input {
  udp {
    port => 6343
    codec => sflow {
    }
  }
}
filter {

  ...

  ruby {
    init => "require 'socket'"
    code => "event.set('agent.hostname', Socket.gethostname)"
  }
  mutate {
    add_field => { "token" => "token" }
  }
}

output {
  lumberjack {
    add_tag => {"hostname" => "tutor"}
    hosts => ["listener"]
    port => 5006
    ssl_certificate => "/usr/share/logstash/keys/TrustExternalCARoot.crt"
    codec => "json_lines"
  }

  ruby {
    code => "event.set('agent.hostname', Socket.gethostname)"
  }
}

#output {
#  file {
#    path => "/home/logstashadmin/logstash1.json"
#    codec => line { format => "json"}
#  }
#}
```

sflow data layout (JSON) from my Logz.io:

```
{
  "_index": "logzioCustomerIndex200524_v2",
  "_type": "doc",
  "id": "AXJG7UKMEfqP4kg_P7H.account-123804",
  "_version": 1,
  "_score": null,
  "_source": {
    "stripped": "4",
    "source_id_type": "0",
    "type": "lumberjack-json_line",
    "uptime_in_ms": "3750559116",
    "dst_ip": "192.168.22.34",
    "sflow_type": "flow_sample",
    "eth_src": "00:09:0f:09:64:12",
    "src_ip": "192.168.21.201",
    "protocol": "1",
    "drops": "0",
    "frame_length": "1518",
    "sub_agent_id": "0",
    "ip_version": "4",
    "@version": "1",
    "host": "172.16.0.1",
    "output_interface": "56",
    "frame_length_times_sampling_rate": 4554000,
    "input_interface": "45",
    "ip_protocol": "6",
    "tags": [
      "lumberjack-json_line-5006"
    ],
    "agent_ip": "172.16.0.1",
    "src_port": "8001",
    "sampling_rate": "3000",
    "sample_pool": "430725000",
    "eth_dst": "6c:4b:90:ac:b3:cf",
    "eth_type": "2048",
    "@timestamp": "2020-05-24T13:44:12.109Z",
    "source_id_index": "56",
    "dst_port": "64364"
  },
  "fields": {
    "@timestamp": [
      "2020-05-24T13:44:12.109Z"
    ]
  },
  "sort": [
    1590327852109
  ]
}
```

Usually the `"host": "172.16.0.1",` represents the machine which runs your Logstash.
Is this what you mean?

Hi,
no, this address represents the network device that produces the sflow data (aka firewall).
I'm trying to add to the messages the hostname of the machine that collects the data (aka Logstash).

The issue was that when loading Logstash using systemctl, the daemon didn't pull the configuration from the *.conf file under /etc/logstash/conf.d/.
Only when loading via the CLI is this configuration pulled.

I've added a new field under my input:

```
add_field => {
  "agent.hostname" => "sflow_agent"
}
```

and it is shown now in my Kibana dashboard.

Regarding the *.conf issue:
I've verified that my pipeline.yml is pointing to this config directory

```
- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"
```

and that in my logstash.yml the main pipeline is enabled

```
pipeline.id: main
```

Permission-wise, all files are owned by root,
but I installed my Logstash as root (sudo bash).
I've tried to execute "chmod 644 *" in my directories but it didn't help.

Any idea how to solve it?
thanks
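
An added example, not part of the thread and not Logz.io or Elastic code: the posted pipeline with the collector's hostname set once, in the filter stage, so every sflow event records which Logstash site received it. Ports, paths and the `listener` and `token` placeholders are taken from the config above; the nested `[agent][hostname]` field reference is this example's choice.

```logstash
input {
  udp {
    port  => 6343
    codec => sflow { }
  }
}

filter {
  # ruby is a filter plugin, so the hostname lookup belongs in this block.
  # init runs once at pipeline start; code runs for every event.
  ruby {
    init => "require 'socket'"
    # '[agent][hostname]' is Logstash field-reference syntax for a nested
    # field. The thread's 'agent.hostname' instead creates one top-level
    # field whose name contains a literal dot.
    code => "event.set('[agent][hostname]', Socket.gethostname)"
  }

  # "host" and "agent_ip" in the event keep identifying the network device
  # that exported the sample; [agent][hostname] identifies the collector.
  mutate {
    add_field => { "token" => "token" }   # placeholder value from the thread
  }
}

output {
  # Only options that also appear in the posted config are used here;
  # add_tag is left to inputs and filters.
  lumberjack {
    hosts           => ["listener"]       # placeholder value from the thread
    port            => 5006
    ssl_certificate => "/usr/share/logstash/keys/TrustExternalCARoot.crt"
    codec           => "json_lines"
  }
}
```

Running `bin/logstash --path.settings /etc/logstash --config.test_and_exit` as the account the service runs under parses the files named in that settings directory without starting the pipeline. That the systemd unit uses `/etc/logstash` as its settings directory is an assumption based on the paths in the thread.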
