I do not think you understood my suggestion. I am saying that you convert the entire event to JSON, and insert that as an additional field on the event using
ruby { code => ' event.set("everything!", event.to_json) ' }
Then instead of sending %{message} to the syslog output, send the %{everything!} field. So instead of using
message => "%{[@metadata][beat]}-%{[@metadata][version]}%"
use this which inserts the entire event as a JSON string
message => "%{everything!}"
I wrote that incorrectly in the first posting. Left out the %{}. Sorry about that.
BTW, what is full_log? Is that a field you parsed out of the original message field?
Also, this will result in your events in elasticsearch having a field called everything!, which doubles the volume of data going into es. I am saying that to avoid that you could try
ruby { code => ' event.set("[@metadata][everything]", event.to_json) ' }
and this for the syslog output
message => "%{[@metadata][everything]}"
but I am not in a position to test that that works. But I would expect that you would get the normal syslog format (see the source here) with the message part being the JSON string.
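A complete pipeline wiring the @metadata variant from the reply above into a beats input, an Elasticsearch output and the syslog output, added here as an example rather than taken from the original post; the hostnames, ports and index pattern are assumptions.

```conf
# Added example, not from the original thread. Shows the [@metadata][everything]
# approach end to end: the JSON copy is visible to the syslog output but is
# never indexed, so Elasticsearch does not get a duplicate "everything!" field.
input {
  beats { port => 5044 }                      # assumption: events from Filebeat
}

filter {
  # Existing parsing (grok, mutate, etc.) belongs here, BEFORE the ruby filter.
  # Any remove_field you rely on to drop sensitive data must also run first,
  # otherwise the dropped values still end up in the serialized copy.

  # event.to_json serializes the event without @metadata, so the copy does not
  # contain itself and no @metadata-only values are shipped in the payload.
  ruby {
    code => 'event.set("[@metadata][everything]", event.to_json)'
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]        # assumption
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
  }

  # Whole event as the syslog MSG part. @metadata is interpolated at output
  # time only; it is not stored in ES.
  syslog {
    host     => "syslog.example.internal"     # assumption: placeholder collector
    port     => 514
    protocol => "udp"                         # long JSON lines may be truncated by
                                              # UDP receivers; consider "tcp"
    message  => "%{[@metadata][everything]}"
  }

  # Temporary check that the field is populated before trusting it on the wire:
  # stdout { codec => rubydebug { metadata => true } }
}
```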