Codec line not working as expected

Logstash version: 5.4.1

I have a beat input that ships logs from a Linux host.
What I'm receiving:

"message" => "Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user",

Since I want to forward this to a system in syslog format, I mutate the field into another field.

Config:

mutate {
        add_field => { "ori_message" => "<13> %{message}" }
}

Result:

"ori_message" => "<13> Mar 30 13:01:34 svlipc99 su: pam_unix(su-l:session): session closed for user infa",

I want to forward this field (only this field within output):

udp {
        host => "<ip>"
        port => 514
        codec => line { format => "%{ori_message}" }
}

Result in the system where I receive the log:

<13>Mar 30 10:58:00 host LOGSTASH[-]: Mar 30 12:57:56 host su: pam_unix(su-l:session): session closed for user user

Why is Logstash adding the part "Mar 30 10:58:00 host LOGSTASH[-]:"?

Unfortunately I can't replicate.

I started a netcat server listening on a local port:

nc -lvup 2115

And created a pipeline config like the following:

input {
  stdin {}
}
filter {
  mutate {
    add_field => {
      "ori_message" => "<13> %{message}"
    }
  }
}
output {
  stdout {
    codec => rubydebug
  }
  udp {
    host => "127.0.0.1"
    port => 2115
    codec => line {
      format => "%{ori_message}"
    }
  }
}

When I echo your original message into Logstash, I see a message on stdout that seems to have the right shape:

╭─{ yaauie@castrovel:~/src/elastic/discuss-scratch/126219-udp-codec }
╰─○ echo 'Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user' | "${LOGSTASH_5_4_1}/bin/logstash" -f pipeline.conf
Sending Logstash's logs to /Users/yaauie/src/elastic/releases/logstash-5.4.1/logs which is now configured via log4j2.properties
[2018-03-31T01:11:25,770][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
[2018-03-31T01:11:25,784][INFO ][logstash.pipeline        ] Pipeline main started
[2018-03-31T01:11:25,819][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
{
     "@timestamp" => 2018-03-31T01:11:25.800Z,
    "ori_message" => "<13> Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user",
       "@version" => "1",
           "host" => "castrovel.local",
        "message" => "Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user"
}
[2018-03-31T01:11:28,800][WARN ][logstash.agent           ] stopping pipeline {:id=>"main"}
[success (10.000s)]

And the netcat process that had been running gets a message that also seems appropriate, without injecting any additional content into the string:

╭─{ yaauie@castrovel:~ }
╰─○ nc -lvup 2115
Received packet from 127.0.0.1:65323 -> 127.0.0.1:2115 (local)
<13> Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user
