I created a config file to ingest Cisco syslog output. When I run the config via the command line (/usr/share/logstash/bin/logstash -f cisco.conf -r) everything works as expected. The fields I want show up properly both in stdout{} and in Kibana Discover. The problem arises when I put the conf file in /etc/logstash/conf.d and restart the service. In addition to the fields I want, I am also getting the syslog fields showing up:
log.syslog.facility.name
log.syslog.facility.code
log.syslog.severity.name
"log": {
    "syslog": {
        "severity": {
            "name": "notice",
            "code": 5
        },
        "facility": {
            "name": "user-level",
            "code": 1
        }
    }
},
I have an explicit mutate { remove_field => [ "log" ] } in the config, which works on the command line but apparently not when running as a daemon. This hasn't happened with the other config that I have running for my Palo Alto firewall, so I'm rather confused as to why these fields are popping up in the index when they're seemingly being removed in the Logstash config...
Anyone have any ideas why it would work differently between the CLI and daemon?
The gist link shows the config file (sanitized a bit), the referenced pattern file, and the JSON output from the index when running in daemon mode (heavily redacted, but it shows the fields).
I can live with the extra garbage if needed, but it's rather irritating not understanding why it's ignoring my remove_field entry when running in daemon mode...
Any help appreciated.
Extra bits in case it matters:
Ubuntu 22.04.1 LTS
elasticsearch/stable,now 8.6.1 amd64 [installed]
kibana/stable,now 8.6.1 amd64 [installed]
logstash/stable,now 1:8.6.1-1 amd64 [installed]