If not, you would have to tell Logstash what to look for in the filter section. Here is an example. My sample config is first and then the result. This is reading the input as line (not json).
# cat ls-json.conf
input { stdin { } }
filter {
json {
source => "message"
}
}
output {
stdout { codec => rubydebug }
}
# logstash-6.3.1/bin/logstash -f ls-json.conf
Sending Logstash's logs to /root/tmp/logstash-6.3.1/logs which is now configured via log4j2.properties
[2019-03-26T10:53:48,547][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-03-26T10:53:48,653][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.3.1"}
[2019-03-26T10:53:48,923][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>12, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2019-03-26T10:53:48,945][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x52c5a4b@/root/tmp/logstash-6.3.1/logstash-core/lib/logstash/pipeline.rb:245 sleep>"}
The stdin plugin is now waiting for input:
[2019-03-26T10:53:48,954][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2019-03-26T10:53:49,001][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9601}
{"message":"<41>Testmeddelande: jhkhuhuihuhukhukjhkjhkjhnÄÄÄ\u0000","@version":"1","@timestamp":"2019-03-25T10:47:07.173Z","host":"192.168.248.50","type":"syslog"}
{
"host" => "192.168.248.50",
"type" => "syslog",
"@version" => "1",
"@timestamp" => 2019-03-25T10:47:07.173Z,
"message" => "<41>Testmeddelande: jhkhuhuihuhukhukjhkjhkjhnÄÄÄ\u0000"
}
...
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.