Logstash & NSSM Windows - Variable for FQDN

Elastic Stack Logstash
1

Has anyone managed to get the host FQDN ingested into Logstash when running it as a Windows Service via NSSM?

filter {
mutate { 
	add_field =>  {
                "HostFQDN" => "${COMPUTERNAME}.${USERDNSDOMAIN}"

So this works running \bin\logstash.bat from the command line as both %COMPUTERNAME% and %USERDNSDOMAIN% are env variables accessible from Command Line.

However when \bin\logstash.bat is run as a Service via NSSM it only reads in the ${COMPUTERNAME} variable and not ${USERDNSDOMAIN}. In fact bizarrely it reads in quite a lot of the Windows Env Variables but not all of them, even a couple of 'Standard' Windows variables are not read in e.g. ${LOGONSERVER}.

I tried a work around by creating a separate runme batch file to launch \bin\logstash.bat, but again it only adds both variables when run by itself and if runme.bat is called by the NSSM Windows Service then it can't read the %USERDNSDOMAIN% variable.

Anyone with a cunning idea on how to ingest the host FQDN into Logstash when run as a Service via NSSM?

Seems strange that Logstash itself doesn't read in the FQDN as its own internal variable like it does for "host" which is just the server name.

Thanks

2

Are you mass deploying this out? If not, have you tried manually setting the env variable on the target machine?

3

Hi ideally it would be part of a mass-deploy and servers are on different domains so was hoping to just use the env variable to grab that information.

The env variables %COMPUTERNAME% and %USERDNSDOMAIN% are already set in Windows and echo correctly from the command line.

If I run logstash.bat from the Command Line it picks them up ok but if logstash.bat is called by the nssm Windows Service wrapper it fails to pick up the %USERDNSDOMAIN% variable but strangely still picks up a lot of the other Standard Windows Variables like %COMPUTERNAME%.

I've seen people talk about using jruby plugin to import variables so may look at that.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.