- Linux Debian 10.6
- Logstash 7.10.0
- OpenJDK 11.0.8+10
- rsyslogd 8.1901.0
- plugin logstash-output-syslog
- winlogbeat 7.10.0
logstash output.conf:
output {
  elasticsearch {
    ....
  }
  syslog {
    id => "syslog_output"
    facility => "local7"
    appname => "logstash_test"
    host => "x.x.x.x"
    port => 514
    protocol => "tcp"
  }
}
Syslog event:
local7.notice. "windows01","os":{"name":"Windows Server 2012 R2 Standard","family":"windows","build":"9600.19785","version":"6.3","platform":"windows","kernel":"6.3.9600.19780 (winblue_ltsb.200711-0600)"},"ip":["x.x.x.x","xxxxxxxx"],"name":"windows01","id":"xxxxxxxx","mac":["xxxxxxxx"],"architecture":"x86_64"} logstash_test[-]: 2020-11-15T20:21:09.000Z {hostname=windows01, os={name=Windows Server 2012 R2 Standard, family=windows, build=9600.19785, version=6.3, platform=windows, kernel=6.3.9600.19780 (winblue_ltsb.200711-0600)}, ip=[x.x.x.x., xxxxxx], name=windows01, id=xxxxxxxx, mac=[xxxxxxx], architecture=x86_64} Nov 15 21:21:09 xxxxx[15960] [xxxx-xxxx] Started request : /xxxxxxxxxxxxxxxxxx
How do I extract only the message field in rsyslog? $!message is empty. Adding codec json or codec text to the output filter does not help.
/etc/rsyslog.d/logstash.conf:
# load the JSON parser module (needed before :mmjsonparse: can be called; skip if rsyslog.conf already loads it)
module(load="mmjsonparse")
# parse the JSON after the @cee: cookie in MSG into the $! tree
local7.notice :mmjsonparse:
# template that writes only the parsed message field, one per line
template(name="logstash" type="list") {
  property(name="$!message")
  constant(value="\n")
}
local7.notice action(type="omfile" template="logstash" file="/data/log/example.log")
Working example that writes the message value bar to the log file:
logger -p local7.notice '@cee: {"message": "bar", "foo2": "bar2"}'
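Added example, not part of the question above and not rsyslog's or Logstash's own code: a small Python model of what mmjsonparse does with the MSG part of a syslog line, run over constructed sample lines shaped like the ones in the question. The cookie handling follows the mmjsonparse documentation (default cookie @cee:, $parsesuccess set to OK or FAIL, nothing placed in $! on failure). The RFC 3164 regex, the host names, the sample lines and the assumption that the Logstash output could be reconfigured to put @cee: plus JSON in MSG are all made up for this example.

```python
import json
import re

# Minimal RFC 3164 line shape, "<PRI>Mon dd hh:mm:ss host tag[pid]: MSG".
# This regex is an assumption for the example; rsyslog's own parser is more lenient.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>[^\]]*)\])?: ?"
    r"(?P<msg>.*)$"
)

# mmjsonparse's default cookie (its "cookie" parameter). PRI 189 below is local7.notice.
CEE_COOKIE = "@cee:"


def parse_syslog(line):
    """Split a raw syslog line into PRI, timestamp, host, tag, pid and MSG."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    return m.groupdict()


def mmjsonparse(msg, cookie=CEE_COOKIE):
    """Model of mmjsonparse: only when MSG (after leading whitespace) starts
    with the cookie is the remainder parsed as JSON into the $! tree.
    Returns ($parsesuccess, tree) with $parsesuccess "OK" or "FAIL"."""
    body = msg.lstrip()
    if not body.startswith(cookie):
        return "FAIL", {}
    try:
        tree = json.loads(body[len(cookie):])
    except ValueError:
        return "FAIL", {}
    if not isinstance(tree, dict):
        return "FAIL", {}
    return "OK", tree


def render_template(tree):
    """The question's template: property(name="$!message") followed by "\\n".
    rsyslog renders a property that does not exist as the empty string, which
    is exactly what an 'empty $!message' looks like in the output file."""
    return str(tree.get("message", "")) + "\n"


def process(line):
    """Run one line through parse -> mmjsonparse -> template, as the rsyslog
    config in the question does. Returns ($parsesuccess, rendered_line)."""
    rec = parse_syslog(line)
    status, tree = mmjsonparse(rec["msg"])
    return status, render_template(tree)


# Constructed sample lines (not captured traffic), shaped like the question's.
# 1) What `logger -p local7.notice '@cee: {...}'` hands to rsyslog locally.
LOGGER_LINE = (
    '<189>Nov 15 21:21:09 debian10 root[1234]: '
    '@cee: {"message": "bar", "foo2": "bar2"}'
)
# 2) A line in the shape the question shows arriving from the Logstash syslog
#    output: MSG is the event rendered as text, with no cookie in front of it.
LOGSTASH_PLAIN_LINE = (
    '<189>Nov 15 21:21:09 windows01 logstash_test[-]: '
    '2020-11-15T20:21:09.000Z windows01 Started request : /example'
)
# 3) The same event if the output were reconfigured (assumption) so that MSG
#    starts with the cookie followed by the event as JSON.
LOGSTASH_CEE_LINE = (
    '<189>Nov 15 21:21:09 windows01 logstash_test[-]: '
    '@cee: {"message": "Started request : /example", "host": {"name": "windows01"}}'
)
# 4) Anything that can reach port 514 can supply the cookie, so the fields in
#    $! are only as trustworthy as the sender; rsyslog verifies nothing here.
UNTRUSTED_LINE = (
    '<189>Nov 15 21:21:09 attacker root[1]: '
    '@cee: {"message": "Started request : /admin", "host": {"name": "windows01"}}'
)


if __name__ == "__main__":
    for name, line in [("logger", LOGGER_LINE), ("logstash plain", LOGSTASH_PLAIN_LINE),
                       ("logstash @cee", LOGSTASH_CEE_LINE), ("untrusted", UNTRUSTED_LINE)]:
        status, rendered = process(line)
        print("%-14s parsesuccess=%s  $!message=%r" % (name, status, rendered.rstrip("\n")))
```

The point the model makes visible: $!message is filled only when the MSG part of the line begins with the cookie and the rest is a JSON object, which the logger test satisfies and a Logstash event rendered as plain text does not, so the template prints an empty line regardless of which codec is set. Two things a practitioner should check before relying on the output: rsyslog's $parsesuccess variable (OK or FAIL) tells you whether the tree was populated at all, and because the parser accepts the cookie from any sender that can reach the listener, values read out of $! (host names included) carry no more authority than the network path that delivered them; restrict who can reach port 514 or use TLS with client authentication if those fields feed detection logic.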