How to do output filter

(khettal) #1

Hi,

Here is my output logstash.conf

output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "logs-%{[@metadata][index]}-v6-%{+YYYY.MM.dd}"
    manage_template => false
  }

  if [@type] == "x" {
    file {
      path => "/home/x.log"
    }
  }
}

The already existing filter gives me these logs on output:

{"syslog_procid":"-","@message":"IdentityProviderAuthenticationSuccess ('test')","@index_type":"platform","geoip":{},"syslog_sd_id":"instance@47450","syslog_sd_params":{"director":"brmc-prod","group":"uaa","az":"z2","id":"id","deployment":"cf"},"@raw":*"<14>1 2019-05-16T14:55:48.156790+00:00 172.17.8.25 vcap.uaa - - [instance@47450 director=\"director \" deployment=\"cf\" group=\"uaa\" az=\"z2\" id=\"id\"] [2019-05-16 14:55:48.156] uaa - 1 [http-nio-8080-exec-3] .... INFO --- Audit: IdentityProviderAuthenticationSuccess ('test'): principal=principal, origin=[remoteAddress=172.17.0.11, clientId=cf], identityZoneId=[uaa], authenticationType=[ldap]"*,"@src":{"az":"z2","deployment":"cf","job":"uaa","id":"id","host":"172.17.8.25","component":"uaa","type":"cf"},"syslog_msgid":"-","syslog5424_ver":1,"@input":"syslog","tags":["syslog_standard","platform","cf","uaa","audit","_geoip_lookup_failure"],"@shipper":{"priority":"14","name":"vcap.uaa_syslog"},"uaa":{"log_category":"Audit","pid":1,"thread":"http-nio-8080-exec-3","audit":{"origin":["remoteAddress=172.17.0.11","clientId=cf"],"identity_zone_id":"uaa","principal":"principal","data":"test","remote_address":"172.17.0.11","type":"IdentityProviderAuthenticationSuccess"},"timestamp":"2019-05-16 14:55:48.156"},"@timestamp":"2019-05-16T14:55:48.156Z","@level":"INFO","@type":"uaa-audit"}

Do you know how I can cut the italic part of this log in the file output conf?
Maybe with a codec?

Thanks