Hello,
I am new in using logstash.
I would just like to change the sender.
My conf file is very basic :
input {
file {
path => "/srv/log//"
start_position => "beginning"
}
}
output {
gelf {
host => ["localhost"]
port => "5514"
}
}
I would like to send either the name of the parent folder (the first star) that hosts the file or the hostname that is in the message sent (which are centos system logs).
I have try different filter but i dont find solution.
Thank you for your help.
The path of the input file will be stored in the path field of each event. You can use a grok filter to extract whatever part of the filepath that you're interested in.
You'd typically also use a grok filter to parse the logs and extract interesting pieces of information, like the hostname. If "CentOS system logs" means syslog files there are examples of how to parse those in the Logstash documentation.
Ok, thanks for this idea.
It's better but my source = the host server (where there is the file), good hostname
how to delete the host server name ?
I test with mutate but it did not work, my fault i suppose.
My code :
input {
file {
type => "syslog"
path => "/srv/log//"
start_position => "beginning"
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:host} "
}
}
}
}
output {
gelf {
host => ["localhost"]
port => "5514"
sender => "%{host}"
}
}
Ok i found
my code :
input {
file {
type => "syslog"
path => "/srv/log//"
start_position => "beginning"
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:hostname}"
}
}
}
}
output {
gelf {
host => ["localhost"]
port => "5514"
sender => "%{hostname}"
}
}
"host" was bad variable
thank you for guiding me
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.