As reported here -> Logstash syslog output ignores message it looks like there is like a bug and the workaround is to add the field "host" in filter to be taken into account by the plugin
So, for my needs I use this :
#keep only message of log and add empty host field
filter
{
prune {
whitelist_names => ["^message$"]
}
mutate {
add_field => {"host" => ""}
}
}
This way, received log by syslog relay is :
<13> Jan 5 16:42:29 server1 misc-centreon(misc_centreon)[61665]: INFO: running
Unfortunately, as you can see, there i still a space after <13> but it's already that !
I don't understand why it is so hard to find where does comes from this %{host} field. If someone has a better comprehension... 