Logstash-output-syslog plugin sends incorrect facility

  • Linux Debian 10.6
  • Logstash 7.10.0
  • OpenJDK 11.0.8+10
  • rsyslogd 8.1901.0
  • plugin logstash-output-syslog

example.conf:

input {
  stdin {}
}

output {
  stdout {}
  syslog {
    id => "syslog_output"
    appname => "logstash_test"
    facility => "local7"
    host => "x.x.x.x"
    port => 514
    protocol => "tcp"
  }
}

$ echo 'Nov 17 17:14:49 testmessage' | sudo /usr/share/logstash/bin/logstash -f example.conf --path.data /var/tmp

{
  "host" => "server01",
  "message" => "Nov 17 17:14:49 testmessage",
  "@version" => "1",
  "@timestamp" => 2020-11-17T16:25:05.943Z
}

This indeed also sends the syslog message, but the facility does not match the config (local5).

$ tail -0f /data/log/example.log
local5.notice  2020-11-17T16:15:41.252Z server01 Nov 17 17:14:49 testmessage

confirmed bug: https://github.com/logstash-plugins/logstash-output-syslog/issues/39
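
Added example (not part of the original thread and not the plugin's code): a small decoder for the `<PRI>` header of a raw syslog frame, to check on the wire which facility a sender emits, independent of the receiver's output template. The two frames are constructed for illustration, and the facility names are the conventional syslog.h short names.

```python
import re

# Conventional syslog.h short names, listed in RFC 5424 numeric order (index == code).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Optional RFC 6587 octet count ("57 "), then the "<PRI>" header.
_PRI_RE = re.compile(rb"^(?:\d+ )?<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI = facility code * 8 + severity code."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(frame):
    """Return (facility, severity) names from the start of a raw syslog frame."""
    m = _PRI_RE.match(frame)
    if not m:
        raise ValueError("no <PRI> header at start of frame")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def check_facility(frame, expected):
    """Return None if the frame carries the expected facility, else a description."""
    facility, severity = decode_pri(frame)
    if facility == expected:
        return None
    return f"expected {expected}, frame carries {facility}.{severity}"


# Constructed frames (not captured from the plugin): 189 = local7.notice, 173 = local5.notice.
CONFIGURED = b"<189>Nov 17 17:14:49 server01 logstash_test: testmessage"
OBSERVED = b"<173>Nov 17 17:14:49 server01 logstash_test: testmessage"

if __name__ == "__main__":
    for frame in (CONFIGURED, OBSERVED):
        print(frame[:5], check_facility(frame, "local7") or "ok")
```

Because receivers commonly route and filter on facility, a mismatch like this can send events to the wrong file or past a forwarding rule, so the check is worth running against a captured frame after any plugin upgrade.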
