[Logstash 7.2] Syslog Output message

Hi All,
The syslog output is driving me crazy.
I have a logstash input with multi-line concatenation; the concatenated event has the field "message" containing only the last line and the field "conn_mess" containing the complete message.
I'm trying to send "conn_mess" to a syslog server through the Syslog Output Plugin, but only the field "message" arrives at the syslog server.

This is my output configuration:

    elasticsearch {
        index => "exchange-smtpreceive-%{+YYYY.MM.dd}"
        hosts => ["192.168.7.224:9200"]
    }
    syslog {
        host => "192.168.7.25"
        port => "514"
        message => "%{[conn_mess]}"
        msgid => "%{[sessionID]}"
        appname => "SMTPRECEIVE-LOGSTASH"
        sourcehost => "192.168.7.231"
    }

And this is the last statement in my input aggregation:

    if [event] == "-" {
        aggregate {
            task_id => "%{sessionID}"
            # copy the accumulated fields from the task map onto the final event
            code => "event.set('conn_user', map['conn_user'])
                     event.set('conn_mess', map['conn_mess'])"
            push_previous_map_as_event => true
            end_of_task => true
            timeout => 120
            add_tag => ['fine']
        }
    }

I've tried many different output configurations but I cannot find the right one; the elasticsearch output, of course, is fine.

Thanks!

Looking through the code, message is used to set the format option on the output codec. The codec sprintfs the format and calls the publish method of the output. The publish method then joins that up with the other parts of the syslog message.

Instead of specifying the message option on the syslog output, specify the codec:

    codec => plain { format => "%{[conn_mess]}" }

If that works, then there is something wrong with that first piece of code I linked to.

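A quick way to check which field actually arrives is to point the syslog output at a throwaway listener instead of the real syslog server and look at the decoded MSG part. The following receiver is an added example, not part of this thread or of Logstash: it binds a local UDP port (127.0.0.1:5514 is an assumption, pick whatever the pipeline is configured to send to; the Logstash syslog output uses UDP by default), parses each datagram as RFC 5424 or RFC 3164 syslog, and prints the parsed body and how many lines it spans, so a "conn_mess" body with several lines is immediately distinguishable from a single-line "message". The sample lines in the test are constructed; the parser is the thing to reuse.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Added verification receiver (example code, not from the original thread or
# from Logstash). Listener address and port below are assumptions.

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOST APP[PROCID]: MSG  (the [PROCID] part is optional)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\s\[:]+)(?:\[(?P<procid>[^\]]*)\])?: ?"
    r"(?P<msg>.*)$",
    re.S,
)
# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+)"
    r"(?: (?P<msg>.*))?$",
    re.S,
)


@dataclass
class SyslogMessage:
    rfc: str
    facility: int
    severity: int
    host: str
    appname: str
    procid: Optional[str]
    msgid: Optional[str]
    msg: str


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one syslog line; RFC 5424 is tried first, then RFC 3164."""
    m = RFC5424.match(line)
    rfc = "5424"
    if m is None:
        m = RFC3164.match(line)
        rfc = "3164"
    if m is None:
        raise ValueError("not a syslog line: %r" % line[:80])
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("PRI out of range: %d" % pri)
    d = m.groupdict()
    return SyslogMessage(
        rfc=rfc,
        facility=pri >> 3,
        severity=pri & 7,
        host=d["host"],
        appname=d["app"],
        procid=d.get("procid"),
        msgid=d.get("msgid"),  # only present in RFC 5424
        msg=d.get("msg") or "",
    )


def serve(host: str = "127.0.0.1", port: int = 5514, max_datagram: int = 65535) -> None:
    """Print parsed datagrams until interrupted; malformed ones are reported, not fatal."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    print("listening on udp://%s:%d" % (host, port))
    while True:
        data, peer = sock.recvfrom(max_datagram)
        line = data.decode("utf-8", errors="replace").rstrip("\r\n")
        try:
            m = parse_syslog(line)
        except ValueError as exc:
            print("%s: %s" % (peer[0], exc))
            continue
        print("rfc%s from %s app=%s msgid=%s body_lines=%d"
              % (m.rfc, m.host, m.appname, m.msgid, m.msg.count("\n") + 1))
        print(m.msg)


if __name__ == "__main__":
    serve()
```

Run it, temporarily set the output's host/port to the listener, and push one multi-line session through the pipeline; if body_lines is 1 the body is still "message", if it spans the whole session the codec format is being honoured. Note that a multi-line body travels inside a single datagram with embedded newlines, which some syslog servers escape or split on, so what you see here is the wire content, not necessarily how the real server stores it.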
