Delete syslog fields from logstream

Gegi_K · November 22, 2018, 1:45pm

Hi there,

Sorry if this question is being stupid, but I'm trying to get something weitrd working... the deal is I have some Firewalls which send some data to ElasticSearch via LogStash. all works fine, except the only format I can stream is Syslog format that shows up like tis on Elasticsearch:

{"host":"IP","message":"LOG-CONTENT","@timestamp":"2018-11-22T11:36:08.150Z","port":4954,"@version":"1"}

What I try to achieve is that I only get the LOG-CONTENT out of the whole string, and then use grok to parse the log content and make custom indexes via regex.

The latter I managed to get running, but I have a lot of exttra data with the Syslog format's fields like timestamp, host, port and so on. I have all this, but was not able to filter out just the message.

Any tipps are highly appreciated!

Thanks in advance!

Magnus_Kessler · November 22, 2018, 2:01pm

As part of your Logstash pipeline, you can remove unwanted fields, e.g. using the mutate plugin.

Gegi_K · November 23, 2018, 7:27am

Oh man... I was so focused on the removing of stuff, that I forgot about the actual plugin doing it... the mutate was missing... sorry for being derp... and many thanks for pointing to the right direction!

system · December 21, 2018, 7:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.