JSON vs plaintext output

I am confused by the exact role of output codec plugins.

In particular, I have been struggling to understand why the syslog output plugin appears to output JSON.

When running the following config:

    input { file { path => "/path/to/test/log" } }
    output {
      syslog {
        host => "127.0.0.1"
        port => 514
      }
    }

I expect plaintext to be sent (codec is plain by default) and in a way it does...

But when I listen to port 514 on localhost using nc:

    nc -lk -p 514 -u

The contents of the log file are received wrapped in an object with a message key. The value is exactly the message I want to send.

{ "message": "<13>Sep 15 11:27:45 elk LOGSTASH[-]: I am a test"}

Why does Logstash insist on wrapping output in an object?

Do 'real' syslog servers somehow understand the JSON?

What can I do to output plaintext without wrapping in an object?

Similar experience with outputting to file.

I am running Logstash 5.2.0 (I know it's old, I'm stuck with it).

TL;DR use line codec

Found the answer thanks to this old Stack Overflow question: https://stackoverflow.com/questions/29782888/logstash-output-to-file-and-ignores-codec

It seems then that the "plain" codec actually intends to output a "logstash event" with a plaintext message field.
A more appropriate codec for my use case is line - note that I will be using the 5.2 version.

I would like this to be a little more transparent; perhaps the syslog output plugin should even default to the line codec.

Anyway, hoping this helps somebody else who gets as stumped as me when Logstash insists on outputting JSON-wrapped plaintext.

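A way to check what actually arrives on the wire after a codec change, added here as an example and not part of the original posts: a small Python stand-in for the `nc` listener that classifies each UDP datagram as bare syslog or as the JSON-wrapped form quoted in the question. The function names, the regular expression and the listening port 5514 are assumptions made for this example; the two sample payloads are constructed from the line shown in the question.

```python
import json
import re
import socket

# BSD-syslog (RFC 3164) shape: <PRI>Mmm dd hh:mm:ss host tag[pid]: text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[[^\]]*\])?: ?(?P<text>.*)$",
    re.DOTALL,
)

# Constructed samples: the datagram quoted in the question, and its bare form.
SAMPLE_WRAPPED = b'{ "message": "<13>Sep 15 11:27:45 elk LOGSTASH[-]: I am a test"}'
SAMPLE_BARE = b"<13>Sep 15 11:27:45 elk LOGSTASH[-]: I am a test\n"

def inspect_datagram(payload: bytes) -> dict:
    """Classify one UDP payload: bare syslog, JSON-wrapped syslog, or other."""
    text = payload.decode("utf-8", errors="replace").strip()
    wrapped = False
    if text.startswith("{"):
        try:
            obj = json.loads(text)
        except ValueError:
            obj = None
        # Only unwrap the shape seen in the question: {"message": "<line>"}
        if isinstance(obj, dict) and isinstance(obj.get("message"), str):
            wrapped, text = True, obj["message"].strip()
    m = SYSLOG_RE.match(text)
    if m is None or int(m.group("pri")) > 191:  # PRI = facility * 8 + severity
        return {"kind": "other"}
    pri = int(m.group("pri"))
    return {"kind": "json-wrapped-syslog" if wrapped else "syslog",
            "facility": pri >> 3, "severity": pri & 7,
            "host": m.group("host"), "tag": m.group("tag"), "text": m.group("text")}

def listen(host: str = "127.0.0.1", port: int = 5514) -> None:
    # Assumed unprivileged port; point the syslog output at it while testing.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, peer = sock.recvfrom(65535)
            print(peer[0], inspect_datagram(data))

if __name__ == "__main__":
    listen()
```

A receiver that sees `json-wrapped-syslog` is getting a payload whose priority and header sit inside a JSON string, so facility and severity will not be read from it by a parser expecting a line that starts with `<PRI>`.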
