How to queue ECS formatted logs through RabbitMQ

bvoros · June 2, 2023, 3:57pm

Hello all,

Our logging infrastructure is the following:

log shippers -> logstash -> rabbitmq -> logstash -> elasticsearch

I am trying to start using ECS, have the template set up. However, when the first logstash places the log document in the RabbitMQ queue, the original ecs log message gets embedded inside another json document.

Example: (incomplete)
{"@timestamp":"2023-06-02T14:56:14.094Z","message":"{"@timestamp":"2023-06-02T17:56:12.8391096+03:00","log.level":"Information","message":"Simple test log","ecs.version":"8.4.0"

Is it possible to configure logstash to simply pass through the document as received?

Thanks in advance,
BV

leandrojmp · June 4, 2023, 5:38am

You may try to change the codec in your output.

I do not use rabbitmq, but I have the following codec configuration on some Kafka outputs to send the original message that Logstash received.

codec => plain { format => "%{message}" }

bvoros · June 7, 2023, 8:24am

Thank you, this is a good tip, will try and report back here.

bvoros · June 7, 2023, 1:48pm

Thanks again for the tip, the following appears to be working when added to the rabbitmq output plugin.

codec => plain {
        format => "%{message}"
        ecs_compatibility => v8
      }

system · July 5, 2023, 1:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rabbitmq as logstash input Logstash	5	8125	August 31, 2017
Issue with logstash - rabbitmq input plugin Logstash	3	776	July 1, 2018
Filebeat -> logstash -> rabbitmq -> logstash -> elasticsearch Logstash	9	1023	September 30, 2019
Integrate APM Logs Format to ELK Elasticsearch elastic-stack-monitoring	9	324	December 4, 2023
RabbitMQ to Elasticsearch Elasticsearch	2	311	January 2, 2017

How to queue ECS formatted logs through RabbitMQ

Related topics