So I tried to use the logstash-output-syslog plugin to send information to a syslog server.
I had multiple issues with messages containing all sorts of garbage (duplicate timestamp, duplicate message ID and host field??). I wanted to follow RFC 5424, but there is no support in the plugin for structured data, and a lot of other things. So I decided to do something about it. Even though there are two pull requests wanting to do something about the structured data, it hasn't been implemented, and then there is still the issue about the message. I'm not really a Ruby guy, but this should do.
I have tested this in a Docker setup and it works flawlessly; I'm going to be moving it to our internal testing in the near future.
For reference, the setup is Red Hat with Filebeat -> Logstash -> syslog.
Here is the output before the fix:
<14>1 2021-09-24T08:42:21.850+00:00 redhatfilebeat tagged 43 69 69 2021-09-24T08:42:21.850Z {name=redhatfilebeat} this is a test
And after the fix:
<14>1 2021-09-24T09:22:23.411+00:00 redhatfilebeat tagged 58 69 [timeQuality tzKnown="1" isSynced="0"] this is a test
It would be awesome if this could be implemented into the plugin, or if anyone knows a better way to fix this, I'm all ears.
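
Added example, not part of the original post and not the plugin's code: a strict RFC 5424 line parser that shows why a receiver rejects the "before" line (the field after MSGID is neither `-` nor an `[SD-ID ...]` element) and accepts the "after" line. The names `parse_rfc5424` and `bad` are hypothetical, the third sample line is constructed, and invalid escape sequences are rejected as a simplification.

```ruby
require "strscan"

# Added example (assumption: strict parsing; not the plugin's implementation).
NAME   = /[!-~&&[^=\]"]]{1,32}/                     # SD-ID / PARAM-NAME
PARAM  = / (#{NAME})="((?:\\["\\\]]|[^"\\\]])*)"/   # '"', '\' and ']' must be escaped
TS     = /-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)/
HEADER = /<(\d{1,3})>([1-9]\d?) (#{TS}) (\S+) (\S+) (\S+) (\S+) /

def bad(reason)
  { ok: false, error: reason }
end

def parse_rfc5424(line)
  s = StringScanner.new(line)
  return bad("malformed header") unless s.scan(HEADER)
  pri = s[1].to_i
  return bad("PRI out of range") if pri > 191
  out = { ok: true, facility: pri / 8, severity: pri % 8, timestamp: s[3],
          hostname: s[4], app_name: s[5], procid: s[6], msgid: s[7], sd: {} }
  unless s.scan(/-/)                                 # NILVALUE: no structured data
    loop do
      return bad("STRUCTURED-DATA must be '-' or [SD-ID ...]") unless s.scan(/\[(#{NAME})/)
      params = out[:sd][s[1]] = {}
      # Collect PARAM-NAME="value" pairs, undoing the three allowed escapes.
      params[s[1]] = s[2].gsub(/\\(["\\\]])/, '\1') while s.scan(PARAM)
      return bad("unterminated SD-ELEMENT") unless s.scan(/\]/)
      break unless s.check(/\[/)                     # another SD-ELEMENT follows?
    end
  end
  return bad("expected SP before MSG") unless s.eos? || s.scan(/ /)
  out.merge(msg: s.rest)
end

# The two lines from the post, plus one constructed line exercising escapes.
BEFORE  = '<14>1 2021-09-24T08:42:21.850+00:00 redhatfilebeat tagged 43 69 69 2021-09-24T08:42:21.850Z {name=redhatfilebeat} this is a test'
AFTER   = '<14>1 2021-09-24T09:22:23.411+00:00 redhatfilebeat tagged 58 69 [timeQuality tzKnown="1" isSynced="0"] this is a test'
ESCAPED = '<14>1 - host app - - [ex@32473 note="a \"q\" \]"] hi'

if __FILE__ == $PROGRAM_NAME
  [BEFORE, AFTER, ESCAPED].each { |l| p parse_rfc5424(l) }
end
```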