I'm a new user to logstash.
I'm on a red hat linux system using logstash 5.4.0 and logstash-out-syslog 3.0.1 plugin.
What must I do for the plugin to output a syslog with the RFC 3164 format that has the PRI prefix, such as described in a linux /etc/rsyslog.conf template:
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
I've tried setting priority, facility, and severity, but I must be missing something.
No matter what I try it doesn't prefix the output with <%priority>.
I have gotten data to flow properly from red hat linux syslog -> logstash(port 6514) running on the same box,
then successfully add a field, and modify the msg part of the syslog data.
Then have 2 outputs.
output to both a local file in /tmp (for debugging), and
use the logstash-output-syslog plugin to output the data to a second box(port 514), where I see the changed data.
I have also used tcpdump on the first box to see the output from logstash being sent to port 514 on the second box.
I have gotten everything to work properly, except prefixing the data with "PRI"
", as described in rfc3164.
The point of trying to use logstash was to make a change to the msg part and also conform it to rfc3164.
Are you saying that logstash wont prefix the output without changing rsyslog?
Check the syslog files in the /var/log folder of Red hat box . If you have configured rsyslog correctly (rfc part) then the log files should contain the "PRI" at the beginning. If it is missing then you need to configure rsyslog (I guess) in red hat box.
Originally I was not putting the PRI in the prefix of the message.
It seems to me that logstash-output-syslog should allow me to do that.
However, I changed the rsyslog.conf on the first box to include what gets pumped into logstash, as per your info.
I used tcpdump to verify the the proper prefix was included in what gets sent to logstash.
I used tcpdump to verify that the prefix was NOT included in what logstash pumps out.
I still go back to my original question.
Are you saying that logstash wont prefix the output unless it has it in the input?
Anyway, Now it is in the input and it still does not do it.
It seems to me that the logstash-output-syslog should allow a user to define the format of the output
and if you try to disect the source code, it implies that it does output data in rfc3164 format.
I'm just not knowledgable about the syntax of what it's really doing.
(PS this blog seems to screw up my typing when i try to put LESS-THAN-SIGN PRI GREATER-THAN-SIGN)